In your presentation, you said that we can't rely on walls to control access to wireless LANs; but are access points located deep inside large buildings safe?
The odds against war driving are certainly better. But radio waves in the ISM band can travel surprising distances. At the December 802.11-Planet conference, Dr. Trevor Marshall gave an example where transmissions were received 125 kilometers away. That was an extreme case, transmitting over the ocean, but attackers do use stronger antennas than those shipped with PC cards and APs. If you can't connect from your PDA, that's no guarantee that attackers with high-gain antennas can't eavesdrop.
Also, it's important to consider customers, suppliers, contractors, maintenance personnel and other visitors with access to parts of large buildings. Wiring closets and operations centers are behind locked doors so that visitors can't insert themselves into the network. But consider the guy who cleans your office late at night – can he connect his PDA to your LAN? Can he leave a small access point somewhere, tricking stations into connecting with it instead of the real company LAN? Authenticated access controls make sure that all players are legitimate – even those you cannot see.
I've heard that turning off SSID broadcasts can stop war drivers from discovering wireless networks -- is that true?
This is a common recommendation based on a misunderstanding of 802.11. Turning off beacon frame SSIDs does not prevent stations from SSID from being exposed in associate frames. The SSID cannot remain hidden unless the wireless network is not being used at all. You can see this by using discovery tools like AirMagnet.
What's more, beacon frame SSID broadcasting is important for efficient LAN operation. When access points don't broadcast their SSID, stations must send probes on all channels to find the access point with the desired SSID. This increases overhead, makes roaming take longer and actually increases the frequency at which SSID is sent over the air. In other words, this cure is worse than the sickness.
I believe there is one case where disabling beacon SSIDs might help -- on a small home network where stations connect infrequently for short periods. But even there, the LAN isn't hidden when stations aren't connected. The AP continuously sends many beacon frames per second. Disabling SSID broadcast just stops the network's name from being carried in every beacon.
Is unauthorized Internet access by wireless intruders really that much of a concern? If freeloaders don't attack me, why should I care?
There are many people who don't care if they share their cable or DSL Internet with others – people that want to help build a national infrastructure of free public access. But some open LANs are in violation of service agreements stating that residential broadband accounts are for private use only. The subscriber is responsible for any misdeeds launched from their account – for example, a freeloader that sends spam or attacks someone else using your wireless LAN. By the time you hear about the misdeed, the freeloader will be long gone.
What are the odds that something bad will happen and your service provider will crack down on you? They're probably small. But think about it this way – would you leave your door unlocked with a big sign that says "Come on in and use my telephone while I'm not home – we have unlimited minutes"? Leaving your wireless LAN wide open is not all that different.
In your presentation, you said that MAC access control lists are weak because MAC addresses can be forged. Is this an expert kind of attack that most of us will never experience?
MAC address spoofing is not difficult. Some PC cards actually let you configure a MAC address right from the client GUI or network properties panel. And there are readily-available shareware tools that let attackers listen for and then spoof someone else's MAC address. For example, AirJack is a tool that spoofs the AP's MAC address to kick all active stations off the LAN. The same script kiddies that use port scanners to bang on DSL and cable modems also use hacker tools to bang on residential wireless LANs, and MAC spoofing is a part of many wireless attacks.
If an employee installs an unauthorized access point, is that considered a rogue access point, or is there more to it?
When you hear Gartner say one in five companies have already been infiltrated by rogue APs, they are just talking about unauthorized devices, installed by employees unwilling to wait for the IT department's blessing. When I discussed rogue AP man-in-the-middle attacks, I was describing a specific kind of malicious attack that uses an unauthorized AP to intercept and modify traffic. Very few of the rogue APs you may discover are launching a man-in-the-middle attack. But every newly-discovered AP is worth investigating, because even non-malicious unauthorized APs create security and performance holes your network.
You talked about WEP being fixed by Wi-Fi Protected Access. Is that the advanced encryption that some wireless LAN products say they support?
When you see AES, the Advanced Encryption Standard, appearing in product specifications, that refers to a new cipher algorithm that will someday replace the older RC4 cipher now used by WEP. I say "someday" because AES is not yet part of the ratified 802.11 standard. AES is part of the 802.11i draft standard that will not be finished until the end of this year. Products implementing AES right now are providing stronger but proprietary encryption that can only be used between products from the same manufacturer.
In contrast, Wi-Fi Protected Access is a stable subset of the 802.11i standard that is now being tested and certified by the Wi-Fi Alliance. WPA makes better use of the old RC4 cipher so that products can offer somewhat stronger but still interoperable encryption this year. When 802.11i is ratified, most WLAN products will move up to AES, using one common specification that promotes multi-vendor interoperability.
Is there any way to prevent wireless jamming caused by Bluetooth?
Because Bluetooth and Wi-Fi share the 2.4 GHz band, these protocols step on each other. Intersil and Silicon Wave came up with a design that permits simultaneous operation using time slicing to interleave Bluetooth and 802.11b transmissions very rapidly. The IEEE 802.15 Coexistence Task Group is developing Recommended Practices like power control strategies to minimize interference between Bluetooth and Wi-Fi networks. Until product changes like these facilitate true coexistence, there are a few things you can do if Bluetooth is jamming your wireless LAN.
First, Bluetooth has a much shorter range than Wi-Fi, so placing your 802.11 access points 30 feet away from any Bluetooth device will definitely help.
Second, Bluetooth interferes with Wi-Fi in such a fashion that devices may drop to a lower data rate when they really shouldn't. Configuring a fixed high data rate instead of allowing auto-rate selection may help in some cases.
Finally, if you have a lot of Bluetooth in your office, consider moving your LAN out of the ISM band altogether. 802.11a products operate in a different band and are therefore completely unaffected by Bluetooth.
Wireless LAN discovery seems like a never-ending task. Is it really practical to prevent rogue access points by walking around a company's offices with a handheld discovery tool once a week?
Jay Chaudhry, the founder of AirDefense, compares walk-around discovery to the night watchman on hourly rounds. We've all seen shows where intruders hide from the watchman. The same can happen with unauthorized APs – if you know when the auditors are coming, just unplug the AP before they get there.
Spot checks are still a useful deterrent, and they'll help find APs installed by well-intentioned but naÏve workers. Leaving a desktop analyzer running in monitor mode 24x7 is clearly more effective over time. In larger facilities where a bunch of independent analyzers just aren't going to cut it, a distributed intrusion-detection system is really necessary. But no matter how you watch for them, unauthorized APs and stations are going to surface. That's why you must have robust authenticated access controls so that unauthorized devices can't penetrate your network's security perimeter.
Can companies use the same penetration test tools for both wired and wireless networks? What's different about wireless test tools?
Many of the same port scanners and tools that probe systems for OS and application vulnerabilities are helpful for wireless LAN vulnerability assessment. For example, point them at stations to see if they are vulnerable to peer attack, or point them at APs to find unused services that should be disabled. Wireless LAN scanners do some of these things, but they also conduct other tests that require 802.11 and 802.1X support. For example, they may look for default SSIDs or send probes to see what 802.11 options an AP supports. They may watch WEP frames to detect known weak IVs that make key cracking easier. They may send 802.1X messages to verify that all APs require port access control, auditing compliance with site security policy. A complete vulnerability assessment looks at all layers and components and thus requires a mixture of test tools.
If wireless LANs are so vulnerable to intrusion and attack, should companies ban their use until new standards fix all the security problems?
I believe that banning wireless LANs is both short-sighted and doomed to fail. When properly secured, wireless LANs can reduce the cost of infrastructure, increase network flexibility and speed of deployment, and make workers more efficient and productive. Ignoring these opportunities may not be in the company's best interest. In addition, bans cannot prevent wireless from happening – they only cause wireless to be used without proper supervision and guidance. For example, how do you prevent travelers from using wireless hotspots? How do you stop teleworkers from putting wireless LANs in their homes, then using them to connect to the Internet from company laptops? The answer is that you can't. I believe companies need to deal with this challenge head-on by defining acceptable use policies, documenting best practices and supplying security software to keep these wireless users safe.
For more information, visit these resources:
- Solution Center: Wireless
- News & Analysis: Experts: Plan for wireless before rogue access points appear
- News & Analysis: War drive illustrates wireless problem
- Executive Security Briefing: Policy-driven WLAN security
This was first published in June 2003