Like it or not, wireless LANs based on IEEE 802.11 are worming their way into enterprise networks. Road warriors are taking advantage of wireless "hot spots" at airports and hotels. Teleworkers are dropping wireless gateways behind DSL and cable modems at home. Once employees get hooked on the convenience of high-speed wireless, they become advocates for WLAN access back at the office.
Corporate policies that prohibit WLAN access are shortsighted. WLANs can increase business efficiency by overcoming IT barriers. Access points can be dropped into hard-to-wire locations, providing instant, flexible network connectivity. Anecdotal evidence and research surveys like this one conducted by Cisco demonstrate that authorized WLANs can be productive. The trick is to avoid unauthorized, unsecured WLANs.
What you can do
Start with a company policy that defines appropriate use of 802.11 wireless and provides guidance on secure deployment. For tips on how to secure WLANs, peruse the linked articles and FAQs compiled by SearchSecurity, The Internet Security Conference, Bernard Aboba and Chris Klaus. Listen to my SearchNetworking Webcasts on WLAN security tips and Using VPNs to secure WLANs. Read Hack proofing your wireless network, published by Syngress Media.
No matter how carefully crafted your security policy, testing your WLAN implementation is essential. Here are some tools that can assist in this endeavor.
Site survey tools
Conduct a rudimentary search for open APs by wandering around with a laptop running WinXP or a promiscuous utility like the one included with Agere ORiNOCO cards. Or, try a shareware sniffer like NetStumbler, used by "war drivers" Peter Shipley and Craig Ellison. Commercial handheld analyzers like YellowJacket and AirMagnet can generate alarms when new APs are detected. Survey frequently, and don't forget to look for outsiders with RF footprints that stray into your territory.
Wireless LAN analyzers
AirMagnet, WildPackets' AiroPeek and NAI SnifferWireless do more than discover APs. They analyze WLAN traffic, filtering packets against configurable alerts and thresholds. Use them to spot unexpected applications, APs using defaults or weak keys, excessive authentication failures and DHCP from unknown MAC addresses. Analyze trends to isolate traffic bursts from odd sources at odd times. Use signal strength gauges in AirMagnet to nail down the physical location of a suspected offender. Commercial sniffers pay for themselves over time with automated analysis and better reporting, but if you have a limited budget, consider open source Ethereal.
Wireless vulnerability assessment
Penetration testing tools range from shareware like Nmap and Dsniff to commercial products like ISS Wireless Scanner. Scanners mimic attacks to isolate holes in your defense. Like analyzers, wireless scanners spot APs with default SSIDs and disabled WEP. They can also find open ports, default passwords and DHCP addresses handed to would-be intruders. Dsniff can assess vulnerability to MAC address, ARP and DNS spoofs -- attacks that occur on Ethernets but are easier on WLANs. Ideally, assessment should be performed from both the wired and wireless sides, before and after WLAN deployment, and repeated regularly.
Wireless intrusion detection
Wired network IDS products like Cisco IDS, Enterasys Dragon IDS, ISS RealSecure and open source Snort can be placed adjacent to APs to detect attacks originating from WLANs. One new product, AirDefense, claims to detect session hijacking, spoofing, identity theft and DoS attacks before those packets ever reach the wired network. IDS provide continuous, real-time monitoring, using automated analysis to ignore "false positives" and isolate real attacks. Doing so is still a challenge in wired networks, so don't expect IDS perfection in WLANs just yet.
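The survey checks described in the sections above (APs missing from the authorized inventory, default SSIDs, disabled WEP) can be scripted over any survey export. The following is an added example, not taken from the article or from any of the tools it names; the CSV layout, the inventory, the default-SSID list and the function names are all constructed assumptions.

```python
import csv
import io

# Illustrative vendor default SSIDs (assumption: extend for your own gear).
DEFAULT_SSIDS = {"linksys", "tsunami", "default", "netgear"}
# Constructed survey export, one row per sighting (not a real tool's format).
SAMPLE_SURVEY = """bssid,ssid,channel,wep,signal_dbm
00:11:22:33:44:55,corp-wlan,6,yes,-48
00-11-22-33-44-66,corp-wlan,11,no,-60
00:AA:BB:CC:DD:01,linksys,6,no,-71
00:aa:bb:cc:dd:01,linksys,6,no,-52
00:AA:BB:CC:DD:02,cafe-next-door,1,yes,-88
"""
# Constructed inventory of APs that IT has deployed.
AUTHORIZED = {"00:11:22:33:44:55", "00:11:22:33:44:66"}


def norm_mac(mac):
    """Normalize a MAC so inventory and survey entries compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit(survey_csv, authorized):
    """Return {bssid: (strongest signal, [findings])} for flagged APs."""
    allowed = {norm_mac(m) for m in authorized}
    strongest = {}
    for row in csv.DictReader(io.StringIO(survey_csv)):
        bssid, signal = norm_mac(row["bssid"]), int(row["signal_dbm"])
        # Keep the strongest sighting: it was likely taken closest to the AP.
        if bssid not in strongest or signal > strongest[bssid][0]:
            strongest[bssid] = (signal, row)
    report = {}
    for bssid, (signal, row) in strongest.items():
        findings = []
        if bssid not in allowed:
            findings.append("not in inventory")
        if row["ssid"].strip().lower() in DEFAULT_SSIDS:
            findings.append("default SSID")
        if row["wep"].strip().lower() != "yes":
            findings.append("WEP disabled")
        if findings:
            report[bssid] = (signal, findings)
    return report

if __name__ == "__main__":
    for bssid, (sig, why) in audit(SAMPLE_SURVEY, AUTHORIZED).items():
        print(f"{bssid} {sig} dBm: {', '.join(why)}")
```

An AP that is only "not in inventory" with a weak signal may simply be a neighbor whose RF footprint strays into your territory; one with a strong signal deserves a physical search.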
Continuous improvement
An INT Media Research survey asked WLAN users to identify security "anomalies" experienced by their company during the past year. About 17% of those surveyed reported at least one incident involving rogue APs or wireless stations associating with the wrong AP. A similar percentage reported war driving or active intrusions on their WLAN. Successful AP, station or wired network break-ins had each occurred in about 3-4% of the companies surveyed.
These events were no surprise, but I was disappointed to find that less than a third of these organizations actually modified WLAN security as a result of the breach. Every security incident -- whether induced by self-testing, a third-party audit, or an actual attacker -- should be a lesson learned. Combining a solid security policy with continuous improvement can help you make the best of this promising new WLAN technology.
This was first published in July 2002