Serious WLAN Security Threats: Part II
January 14, 2002
Here are some expert plumbing tips for patching the holes that we described in Part I of our series.
As we saw in Part I - though it was hardly a news flash - 802.11b wireless LANs can be, and usually are, a security nightmare.
For particularly security-conscious organizations, such as most federal government departments, WLANs remain a no-no, even more so since September 11 raised new fears of cyber terrorism.
On advice from experts like Jim Gemmel, a senior signals analyst with Washington-area systems integrator CACI International Inc., most federal agencies - especially military and intelligence organizations - won't use WLANs. The risk, given that government systems are perennially popular targets, is just too great.
"If government agencies don't properly secure their wireless LANs, I would say there's a 70- to 80-percent likelihood they will open up their enterprise LANs to eavesdroppers and hackers," Gemmel says.
But while 802.11b WLANs are certainly a security threat, as Gemmel laid out in detail last week, there are steps system administrators can take to reduce that threat.
This week: how to patch the holes.
Gemmel's WLAN security tips fall into two categories: those that work on the enterprise network side and those that work on the wireless LAN side.
- Firewall: Put wireless access points outside the enterprise firewall and set up rules that let in only the IP and/or MAC addresses of legitimate users.
This is by no means a final or perfect solution, Gemmel admits, because MAC and IP addresses can be spoofed or cloned. Like some of his other suggestions, he says, it's analogous to the anti-auto theft device, the club, which locks your steering wheel.
The club won't stop a determined car thief, but it's a deterrent. It slows him down and it may be enough to send him off looking for easier prey. The same goes for some of Gemmel's WLAN security suggestions.
- RADIUS: Along the same lines, and still on the enterprise side, install a RADIUS server to authenticate WLAN users, forcing them to enter a log-in ID and password when they want to come inside the enterprise LAN. This is not a perfect solution either. It's inconvenient for users and adds some network overhead. "If you only have a few users, you're not going to have any problems," Gemmel says. "But if you have 1,000 users on the wireless side, you're going to start having [congestion] problems."
- Encryption: One refinement on this idea that he's currently researching is encrypting the RADIUS ID and password, making them more difficult for eavesdroppers to intercept.
- VPN: A much more comprehensive solution, though one with some cost attached, is to use some kind of third-party encryption mechanism for all data on the WLAN. Best is a VPN (virtual private network).
A VPN can be implemented for a local area link as easily as for a wide area link. And it will support up to 3DES (triple Data Encryption Standard) - meaning the data is encrypted three times before transmission. Pretty strong security.
- WEP: Implement 802.11b WEP (Wired Equivalent Privacy) encryption - even though, as everybody now knows, it can be compromised. WEP is another example of what Gemmel calls "the club syndrome." It won't stop a determined hacker, but it is a deterrent.
- SSIDs: One of the most common security mistakes made by WLAN administrators is to not change the default SSID (Service Set Identifier), the network ID attached to packets sent over WLANs. This is equivalent to leaving a default password in place.
And some organizations that do change the default SSID inadvertently help hackers by using SSIDs that offer clues on where to find data. For example, a company might use SSIDs for the WLAN segments on successive floors that include the floor numbers - kakhi1, kakhi2, kakhi3, etc.
A "war driver," a hacker who drives around looking for susceptible WLANs to infiltrate, can look at the directory in the building lobby to see which floor houses departments with sensitive data - like financial services - and then target that LAN segment by configuring his client adapter with the appropriate SSID.
Use a password generation program to produce new SSIDs on a regular basis and change all client devices, Gemmel suggests - although he admits this could be a "network administration nightmare" to manage.
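An added example, not from the article or from Gemmel: one way to do the SSID rotation suggested above, with an audit for the naming mistakes just described. The default-SSID list and clue words are constructed samples, and `audit_ssid` and `rotation_plan` are hypothetical helper names.

```python
import re
import secrets
import string

MAX_SSID_LEN = 32  # an 802.11 SSID is at most 32 octets
ALPHABET = string.ascii_letters + string.digits
# Constructed sample of factory defaults; extend it from your vendors' manuals.
DEFAULT_SSIDS = {"default", "linksys", "tsunami", "wireless"}
# Constructed words that would tell an outsider what a segment serves.
CLUE_WORDS = ("floor", "finance", "payroll", "exec")

def stem(ssid):
    """Return the part before trailing digits ('kakhi2' -> 'kakhi'), else None."""
    m = re.match(r"^(.*?)\d+$", ssid.lower())
    return m.group(1) if m else None

def audit_ssid(ssid, fleet):
    """Return the reasons an SSID is weak, judged against the other SSIDs in use."""
    problems = []
    low = ssid.lower()
    if low in DEFAULT_SSIDS:
        problems.append("factory-default")
    if any(word in low for word in CLUE_WORDS):
        problems.append("location-clue")
    base = stem(ssid)
    if base and any(o != ssid and stem(o) == base for o in fleet):
        problems.append("numbered-series")  # e.g. kakhi1, kakhi2, kakhi3
    if len(ssid.encode()) > MAX_SSID_LEN:
        problems.append("too-long")
    return problems

def rotation_plan(fleet, length=16):
    """Map each current SSID to a fresh random one that passes the audit."""
    plan = {}
    for old in fleet:
        while True:
            new = "".join(secrets.choice(ALPHABET) for _ in range(length))
            issued = list(plan.values())
            if new not in issued and not audit_ssid(new, issued):
                break
        plan[old] = new
    return plan

if __name__ == "__main__":
    fleet = ["kakhi1", "kakhi2", "kakhi3", "linksys"]  # first three from the article
    for ssid in fleet:
        print(ssid, audit_ssid(ssid, fleet))
    print(rotation_plan(fleet))
```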
- Broadcast: One technique he believes can be very effective is disabling regular broadcast of SSIDs, but only some vendors' systems allow it.
In a normally configured WLAN, access points broadcast the SSID of the local segment with every second packet to make it easier for client machines to associate with the WLAN on start-up. If you turn off SSID broadcasting, client machines must send out a probe asking if the SSID they want is available.
"So the only time the SSID is broadcast now is when a client adapter is associating, and chances are that's not going to happen very often," Gemmel explains. "All in all, it's a very good deterrent for keeping eavesdroppers from picking off SSIDs."
- Access points: Place access points away from windows, he suggests. The closer to the perimeter of the facility access points are located, the further coverage will extend beyond that perimeter. If you place access points well away from walls and windows, chances are the signal will be degraded enough to make intercepting packets outside tediously slow and unreliable.
- Intrusion detection: Use intrusion detection tools to periodically scan the network for rogue users. This is more a deterrent for illegal internal users - rogue departments that unilaterally decide to hook up an access point to the wired LAN and provision their own LAN extension services.
Use wireless packet sniffer programs. Some are available as freeware from the Web, though Gemmel won't name them because they're a key tool for hackers as well. Transmitted packet headers include MAC and IP addresses. If you know the MAC and IP addresses of all legal users, scanning with a sniffer will expose illegal users.
- DHCP: Use static IP addresses rather than a DHCP (Dynamic Host Configuration Protocol) server, Gemmel suggests. If you use DHCP, the network will automatically give a hacker configured with a stolen SSID a legal IP address.
If you use static IP addresses, the intruder must make the additional effort of figuring out the legal range for IP addresses in your network. To make the network even more secure, keep the range of legal IP addresses small.
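An added example, not from the article or from Gemmel: a sketch of the allowlist comparison described under Intrusion detection and DHCP, run over constructed sniffer output. The `time MAC IP` record format, the inventory and the 10.20.30.8/29 range are all assumptions.

```python
import ipaddress

# Constructed inventory: each legal adapter's MAC and its static IP.
INVENTORY = {
    "00:02:2d:aa:10:01": "10.20.30.11",
    "00:02:2d:aa:10:02": "10.20.30.12",
    "00:02:2d:aa:10:03": "10.20.30.13",
}
LEGAL_RANGE = ipaddress.ip_network("10.20.30.8/29")  # constructed, kept small
# Constructed sniffer export, one "time source-MAC source-IP" record per line.
CAPTURE = """\
10:01:07 00:02:2d:aa:10:01 10.20.30.11
10:01:09 00:02:2D:AA:10:02 10.20.30.12
10:01:15 00:40:96:5e:77:c3 10.20.30.14
10:02:31 00:02:2d:aa:10:03 10.20.30.99
10:02:40 00:02:2d:aa:10:01 10.20.30.12
10:03:02 00:40:96:5e:77:c4 192.168.1.50
garbled line
"""

def classify(mac, ip):
    """Return the reasons a (MAC, IP) pair does not match the inventory."""
    findings = []
    addr = ipaddress.ip_address(ip)  # raises ValueError on a bad address
    expected = INVENTORY.get(mac)
    if expected is None:
        findings.append("unknown-mac")
    elif str(addr) != expected:  # cloned MAC or misconfigured client
        findings.append("ip-mismatch")
    if addr not in LEGAL_RANGE:
        findings.append("ip-outside-static-range")
    return findings

def scan(capture):
    """Return (line number, record, findings) for every suspicious record."""
    alerts = []
    for lineno, line in enumerate(capture.splitlines(), 1):
        try:
            _, mac, ip = line.split()
            findings = classify(mac.lower(), ip)
        except ValueError:  # wrong field count or unparsable address
            alerts.append((lineno, line.strip(), ["unparsed"]))
            continue
        if findings:
            alerts.append((lineno, f"{mac.lower()} {ip}", findings))
    return alerts

if __name__ == "__main__":
    print(*scan(CAPTURE), sep="\n")
```

Because MAC and IP addresses can be cloned, as noted under Firewall, a clean scan shows only that no one is using an address pair that differs from the inventory.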
Gemmel is the first to admit that even implementing all of these techniques won't guarantee 100-percent protection. But 100 percent is a big number in the security racket, and any protection is better than none.