Guarding Against WLAN Security Threats
September 12, 2002
Because they use radio waves, WLANs are vulnerable to security threats. Learn how to make your WLAN stand up against hackers and casual snoopers.
In a previous tutorial, I discussed security threats that you must consider when deploying a wireless LAN. If you don't implement security mechanisms beyond default settings of the access points and radio NICs, then just about anyone can compromise the information on the network. Through effective security techniques, however, you can beef up the security of a wireless LAN to a degree that satisfies specific requirements.
Simple Security Techniques
In many cases, you may only need to employ deterrents to keep the casual snooper from messing with your wireless LAN. The following techniques offer partial security that works for all applications and are generally adequate for home and small office applications:
- Turn SSID broadcasting "off." This ensures that the access point doesn't include the SSID (service set identifier) in the beacon frames that are sent multiple times per second. Without the broadcasting of SSIDs, operating systems such as Windows XP will not discover the SSID and automatically configure the user's radio NIC. As a result, an intruder will have to find out the SSID through other, more difficult means. 802.11 association frames always include the SSID, even when SSID broadcasting is off. Thus, someone can use an 802.11 packet analyzer (e.g., AirMagnet or AiroPeek) and sniff the air while a legitimate user boots up and associates with an access point. This requires enough effort (and expense) to cause most snoopers to go elsewhere. In some cases, though, it may not be practical to turn off SSID broadcasting. For example, you should broadcast SSIDs in public wireless LANs to provide open connectivity.
- Utilize static IP addresses. By default, most wireless LANs utilize DHCP (dynamic host configuration protocol) to assign IP addresses automatically and more efficiently to user devices. A problem is that DHCP doesn't differentiate a legitimate user from a hacker. With a proper SSID, anyone implementing DHCP will obtain an IP address automatically and become a genuine node on the network. By disabling DHCP and assigning static IP addresses to all wireless users, you can minimize the possibility of the hacker obtaining a valid IP address. This limits their ability to access network services. Of course, someone can use an 802.11 packet analyzer to sniff the exchange of frames over the network and learn what IP addresses are in use. This helps the intruder guess an IP address that falls within the range of ones in use. Thus, the use of static IP addresses isn't foolproof, but at least it's a deterrent. Also keep in mind that the use of static IP addresses in larger networks is very cumbersome, which may prompt network managers to use DHCP to avoid support issues.
- Turn WEP "on." There are certainly problems with WEP (wired equivalent privacy), but it's better than nothing. WEP encrypts the body of each 802.11 data frame, which makes it very difficult for someone with an 802.11 packet analyzer to decipher the actual data. There are methods and tools that hackers can use to untangle the encrypted data into something meaningful, but that generally requires someone with more technical ability than the common, casual snooper. As a result, the use of WEP acts like having a strong lock on the front door of your home. It keeps most people out, but someone with the right skills and motivation can pick the lock. This problem will eventually go away because the 802.11 standards group plans to solve the flaws of WEP through more advanced encryption methods (refer to a past tutorial for more details).
- Utilize shared key authentication. Most wireless LANs on the market today allow the use of this optional 802.11 feature, which helps prevent rogue radio NICs from gaining access to the network. When the authentication process occurs, the access point sends the radio NIC a string of challenge text. The radio NIC must encrypt the challenge text with its WEP key and send the encrypted version to the access point. After decrypting the response with the common WEP key, the access point can determine that the radio NIC has the correct key if the result matches the challenge text it sent initially. This forms the basis for allowing the NIC to authenticate with the access point. (Again, this mechanism is only as good as WEP. A determined hacker can still eventually break through.)
- Install/activate personal firewalls. This is something that many people overlook. In smaller networks, you generally keep all of your files on a personal computer or laptop. Without personal firewall protection, someone having legitimate or devious access to the wireless LAN can easily copy and open your files. Keep your files in access-protected directories to prevent others from stealing them. Of course, this applies to wired networks as well.
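The shared key authentication exchange described above, modeled end to end as an added example (this is not code from the original tutorial or from any vendor's firmware; it is a simplified model of the four-frame 802.11 exchange, and the 40-bit key and 3-byte IV values are constructed samples). The access point issues challenge text, the NIC returns it WEP-encrypted under its key, and the access point decrypts and compares; a NIC with the wrong key is rejected.

```python
import os
import zlib

def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling and PRGA, the cipher WEP uses (educational model)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP seeds RC4 with IV || secret key and encrypts plaintext || CRC-32 ICV."""
    body = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    ks = rc4_keystream(iv + secret_key, len(body))
    return bytes(b ^ k for b, k in zip(body, ks))

def wep_decrypt(secret_key: bytes, iv: bytes, ciphertext: bytes):
    """Return the plaintext, or None when the ICV does not verify (wrong key)."""
    ks = rc4_keystream(iv + secret_key, len(ciphertext))
    body = bytes(c ^ k for c, k in zip(ciphertext, ks))
    plaintext, icv = body[:-4], body[-4:]
    return plaintext if zlib.crc32(plaintext).to_bytes(4, "little") == icv else None

def ap_issue_challenge() -> bytes:
    # Frame 2 of the exchange: the AP sends 128 bytes of challenge text in the clear.
    return os.urandom(128)

def nic_answer_challenge(nic_key: bytes, challenge: bytes):
    # Frame 3: the NIC encrypts the challenge under its WEP key with a fresh 24-bit IV.
    iv = os.urandom(3)
    return iv, wep_encrypt(nic_key, iv, challenge)

def ap_verify(ap_key: bytes, challenge: bytes, iv: bytes, response: bytes) -> bool:
    # Frame 4: the AP decrypts with the shared key; a match means the NIC holds that key.
    return wep_decrypt(ap_key, iv, response) == challenge

def shared_key_auth(ap_key: bytes, nic_key: bytes) -> bool:
    """Run the four-frame 802.11 shared-key exchange; True means the AP accepts."""
    challenge = ap_issue_challenge()
    iv, response = nic_answer_challenge(nic_key, challenge)
    return ap_verify(ap_key, challenge, iv, response)
```

Note that the challenge travels in the clear and the response is the same text under the WEP keystream, which is why the tutorial says the mechanism is only as good as WEP itself.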
Advanced Security Mechanisms
In addition to the above security techniques, consider the following tips that offer a greater degree of security to satisfy enterprise and vertical application requirements:
- Utilize a virtual private network (VPN). This involves the use of third-party encryption (e.g., triple Data Encryption Standard or 3DES) that affects all data on the WLAN. Generally, the user installs VPN client software on their wireless device, which communicates securely with the VPN network. This can be a relatively expensive and somewhat inflexible solution, but it provides excellent security.
- Implement mutual authentication mechanisms. Through the addition of a RADIUS server, 802.1X protocols, and possibly an access controller, you'll have a framework for deploying mutual authentication between users and access points. This reduces man-in-the-middle attacks, such as rogue access points. Many enterprise-grade access points support these features. 802.1X provides port-based access control and mutual authentication between clients and access points via an authentication server, such as RADIUS. You'll also need to choose an authentication type, such as EAP-TLS or EAP-TTLS. Be sure to implement encryption of user names and passwords or use digital certificates to strengthen the authentication process. 802.1X also provides a method for distributing encryption keys dynamically to wireless LAN devices, which solves the key reuse problem found in the current version of 802.11 WEP.
- Place access points outside the enterprise firewall. To prevent intruders from accessing corporate network resources, ensure that the wireless LAN access points remain outside the firewall. You can configure the firewall to enable access from legitimate users based on MAC addresses, which makes it difficult (but not impossible) for a hacker to mimic. In fact, you can also incorporate MAC address filtering using most enterprise-grade wireless LAN access points.
- Minimize radio wave propagation in non-user areas. Try orienting antennas to avoid covering areas outside the physically controlled boundaries of the facility. By steering clear of public areas, such as parking lots, lobbies, and adjacent offices, you'll significantly reduce the ability for an intruder to participate on the wireless LAN. This will also minimize the impact of someone disabling your wireless LAN with jamming techniques.
The Bottom Line
Don't count on wireless LANs being secure using factory default configurations and settings. Be sure to take into account security risks and implement techniques that guard against attacks. With today's technologies, you can make a wireless LAN just as secure as, or more secure than, Ethernet-based systems.
Jim Geier provides independent consulting services to companies developing and deploying wireless network solutions. He is the author of the book, Wireless LANs (SAMs, 2001), and regularly instructs workshops on wireless LANs.
Join Jim for discussions as he answers questions in the 802.11 Planet Forums.