Wireless LAN Security Assessment Steps
November 20, 2002
Ensure your wireless LAN complies with the latest security mechanisms. Learn the steps necessary for conducting a wireless LAN security assessment.
After deploying a wireless LAN, you need to implement a security assessment, which ensures that the WLAN complies with effective security policies. For most situations, this is necessary whether or not the network implements effective security mechanisms. Don't put too much trust in the design of a system. It's best to run tests to be certain that the network is hardened enough to guard against unauthorized persons attacking company resources.
In fact, companies should conduct regular, periodic security reviews to ensure that changes to the WLAN don't make the system vulnerable to hackers. A review once each year may suffice for low-risk networks, but a review each quarter or more often may be necessary if the network supports high-risk information (e.g., financial data, postal mail routing, manufacturing control functions, etc.).
When performing a wireless LAN security assessment, consider completing the following steps:
- Review existing security policies. Before getting too far with the security assessment, become familiar with the policies that the company has regarding wireless LAN security. This provides a benchmark for determining whether or not the company is complying with its own policies. In addition, you'll be able to make an assessment and corresponding recommendations for policy modifications. Determine whether the policy leaves any room for a hacker (e.g., a disgruntled employee) to access or harm company resources.
For example, the policy should describe adequate encryption and authentication mechanisms, keeping in mind that 802.11 WEP is broken. Also, the policy should mandate that all employees coordinate with the company's information systems organization before purchasing or installing access points. It's very important that all access points have configuration settings that comply with the policies and provide the proper level of security. In addition, you need to ensure that methods are in place that disseminate security policies to employees in an effective manner. For more on the types of security policies to consider, refer to a previous tutorial.
- Review the system architecture and configurations. Meet with information systems personnel and read through related documentation to gain an understanding of the system's architecture and the configurations of access points. You'll need this to determine whether there are any design flaws that provide weaknesses that could allow a hacker inside the system. For example, if static WEP is in use, then a hacker could utilize tools such as AirSnort to break through the encryption process. In addition, dependence on 802.11 authentication alone will only verify the radio NIC and not the user, which could allow an unauthorized person to steal someone's wireless-equipped laptop and access the corporate network.
- Review operational support tools and procedures. Some security weaknesses materialize when a company supports a WLAN. As a result, learn as much as possible about existing support tools and procedures to spot potential issues. Most companies, for example, configure the access points over the wired Ethernet backbone. With this process, the password sent to open a connection with a particular access point is sent in the clear (i.e., unencrypted) over the wired network. As a result, a hacker with monitoring equipment hooked to the Ethernet network can likely capture the password and reconfigure the access point.
- Interview users. Be sure to talk with a sample of employees to determine whether they are aware of the security policies, at least to the level of security that they can control. For example, do the users know that they must coordinate the purchase and installation of wireless LAN components with the appropriate organization? Even though the policy states this, don't count on everyone having knowledge of the policy. A new employee or someone who hasn't seen the policy may purchase an access point from a local office supply store and install it on the corporate network (without any security settings enabled) to provide wireless connectivity within their office. It's also a good idea to verify that people are using personal firewalls (or that they know they should).
- Verify configurations of wireless devices. A portion of the security policy should define appropriate access point configurations that will offer an applicable level of security. As part of the assessment, walk through the facilities having access points and use tools such as AirMagnet or AiroPeek to capture the access point configurations. If the company has centralized support software (such as AirWave or CiscoWorks) in place, then you should be able to view the configuration settings from a single console attached to the wired side of the network. This is to determine which security mechanisms are actually in use and whether or not they comply with effective policies.
For example, the policies may state that access points must disable the physical console port, but while testing you determine that most access points have the ports enabled. Of course, this would indicate non-compliance with the policies, and it could enable a hacker to reset the access point to factory default settings with no security enabled. In addition, look at the firmware version of each access point to see if it's up-to-date. Older firmware versions might not implement the more recent patches that fix encryption vulnerabilities.
- Investigate physical installations of access points. As you walk through the facilities, investigate the installation of access points by noting their physical accessibility, antenna type and orientation, and radio wave propagation into portions of the facility that don't have physical security controls. The access points should be mounted in a position that would make it difficult for someone to go unnoticed and physically handle the access point. An access point simply placed on top of a bookshelf, for example, would make it easy for a hacker to swap the access point with an open one that doesn't have any security enabled. Or, the hacker could attach a laptop to the console port to reset the access point. If the access points are all mounted above the ceiling tiles and out of plain view, however, someone would need to use a ladder and would probably be noticed by an employee or security guard.
- Identify rogue access points. A problem that's difficult to control and that significantly undercuts the security of the wireless LAN is when an employee installs a "personal" access point in their office. Most of the time, these installations don't comply with security policies and result in an open, non-secure entry port to the corporate network. In fact, a hacker can utilize sniffing tools to alert them when such an opportunity exists. As a result, scan for these unauthorized access points as part of the assessment. Most companies will be surprised to learn how many they'll find. The most effective method for detecting rogue access points is to walk through the facilities with sniffing tools, such as AirMagnet or AiroPeek. In addition, the company should periodically scan the network for potential rogue access points from the wired side of the network.
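The configuration-verification and rogue-detection steps above both come down to comparing what the walkthrough observed with what the policy and inventory say should exist. The script below, added here as an example and not part of the original article, does that comparison over a constructed survey: the access-point records, the authorized inventory, the encryption categories and the firmware minimum are all assumed sample values, not data from the article.

```python
# Added example (not from the original article): check a wireless walkthrough
# survey against an authorized access-point inventory and the security policy.
# All device records below are constructed sample data; the policy thresholds
# and encryption categories are assumptions, not values from the article.
from dataclasses import dataclass


@dataclass
class ObservedAP:
    bssid: str          # radio MAC address captured during the walkthrough
    ssid: str
    encryption: str     # assumed categories: "open", "wep", "wpa"
    firmware: tuple     # version as a comparable tuple, e.g. (11, 21)
    console_enabled: bool


# Assumed policy: WEP is treated as broken, console ports must be disabled,
# and firmware must be at or above a minimum version.
POLICY = {"min_firmware": (11, 21), "allowed_encryption": {"wpa"}}

# Constructed inventory of access points the IS organization approved.
AUTHORIZED = {"00:40:96:aa:01:01", "00:40:96:aa:01:02"}

# Constructed survey results from the walkthrough.
SURVEY = [
    ObservedAP("00:40:96:aa:01:01", "corp", "wpa", (11, 21), False),
    ObservedAP("00:40:96:aa:01:02", "corp", "wep", (10, 5), True),
    ObservedAP("00:02:2d:bb:33:44", "linksys", "open", (1, 0), True),  # rogue
]


def assess(survey, authorized, policy):
    """Return (bssid, finding) pairs for the assessment report."""
    findings = []
    for ap in survey:
        if ap.bssid.lower() not in authorized:
            findings.append((ap.bssid, "rogue: not in authorized inventory"))
            continue  # policy checks apply to sanctioned devices only
        if ap.encryption not in policy["allowed_encryption"]:
            findings.append((ap.bssid, f"non-compliant encryption: {ap.encryption}"))
        if ap.console_enabled:
            findings.append((ap.bssid, "console port enabled"))
        if ap.firmware < policy["min_firmware"]:
            findings.append((ap.bssid, "firmware below policy minimum"))
    return findings


if __name__ == "__main__":
    for bssid, finding in assess(SURVEY, AUTHORIZED, POLICY):
        print(bssid, finding)
```

Feeding it a real export from AirMagnet, AiroPeek or a management console would only require mapping those fields onto ObservedAP.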
- Perform penetration tests. In addition to hunting for rogue access points, try going a step further and attempt to access corporate resources using common tools available to hackers. For instance, can you utilize AirSnort to crack through WEP? Is it possible to associate with an access point from outside the company's controlled perimeter? Of course, if WEP is turned off, then your job will be easy. If strong encryption and authentication techniques are in use, then you'll likely not find a way in.
- Analyze security gaps. The information you gather during the assessment provides a basis for understanding the security posture of a company or organization. After collecting information in the above steps, spend some time thinking about potential gaps in security. This includes issues with policy, network architecture, operational support, and other items that weaken security, such as presence of unauthorized access points and abilities to penetrate the network. This requires you to think like a hacker and uncover any and all methods that make it easier for someone to penetrate and access (or control) company resources through the wireless LAN.
- Recommend improvements. As you spot weaknesses in the security of the wireless LAN, research and describe methods that will counter the issues. Start by recommending improvements to the policies, which dictate what the company requires in terms of security for the wireless LANs. This provides a basis for defining technical and procedural solutions that will strengthen the security of the system to a level that protects the company's interests.
With these steps in mind, you're on the right track to performing a wireless LAN security assessment.
Jim Geier provides independent consulting services to companies developing and deploying wireless network solutions. He is the author of the book, Wireless LANs (SAMs, 2001) and offers computer-based training (CBT) courses on wireless LANs.
Join Jim for discussions as he answers questions in the 802.11 Planet Forums.