I recently had the privilege of speaking at the Networld+Interop conference in Las Vegas. When I speak at conferences, I usually go in the day of my presentation, give my talk and take the next plane back home. But this time I decided to spend some time listening to other presentations and walking through the exhibit halls.
The most-talked-about technology at the show was, by far, wireless LAN. In fact, many companies had set up multiple wireless access points though the conference area, allowing anyone with a wireless network connection device to attach themselves to the wireless connection. At one point with my laptop (running Windows XP), I counted 11 access points while sitting in the speaker's lounge. Imagine if this was your company and you had visible access points available to anyone within a close distance to your organization. Think about it. Would you ever allow a live Ethernet plug connection to be available on the outside of your building, allowing anyone with a computer, a network card and a cable to plug in and gain access to your company resources? Of course not. But when it comes to some default wireless LAN installations, this is exactly what you are allowing.
So what is the deal with wireless LANs (WLANs)? Let's start by defining the various WLAN implementations available. The Institute of Electrical and Electronics Engineers (IEEE) approved the first wireless LAN standard, 802.11, in 1997. This initial standard supported speeds up to 2 Mbps. Then in 1999, the IEEE approved both the 802.11a and 802.11b standards. Because the technology in the 802.11b (also known as Wi-Fi) was easier to implement, products supporting this standard appeared first in the marketplace. Wi-Fi operates in the 2.4 GHz band and can achieve speeds of up to 11M bit/sec. As you might have noticed in the computer stores, 802.11a (also known as Wi-Fi5) products are now being sold. Wi-Fi5 operates in the 5 GHz band and can achieve speeds up to 54 Mbps. There are other WLAN standards being adopted, including 802.11g and 802.11i. There are a few others, but we will limit our discussion to WLAN security in general.
A standard WLAN configuration contains one or more Access Points (AP) and client machines with WLAN network cards. The Access Points are then placed at various locations, allowing the clients to be able to connect to the network. Sounds easy enough, but there are several problems:
- The authorization on most Access Points is done using the Media Access Control (MAC) address. This can be easily spoofed.
- The default configuration of most Access Points allow for any client to connect to it.
- Most Access Points use SNMP (with well-known community strings) for configuration management.
- The standard WEP (Wired Equivalent Privacy) encryption is inherently very weak (only 40 bits) and can be broken quite easily. WEP is disabled in most default configurations.
- Access Points and wireless cards come with omni-directional antennas, making it difficult to configure so that the wireless range is confined correctly.
So what can you do to protect your network when using WLAN? Here are a few things you can implement:
- Perform a risk assessment to determine the risk associated with using WLAN in your environment.
- Believe it or not, you should enable WEP. Sure, WEP can be broken, but having something is better than nothing. WEP won't stop a sophisticated attacker, but it will thwart those casual snoopers.
- Change the default SNMP community strings.
- Change the default Access Point Service Set ID (SSID). Then the client machines will have to know the name in order to connect.
- Change the default password that is used for Access Point administration.
- Consider placing the Access Point(s) in your DMZ or using a VPN for the establishment of an encrypted session.
- Don't use the WLAN for the transmission of sensitive or secret information.
- Perform vulnerability checks on your WLAN just like you would do on your wired network.
Even if you implement all of these recommendations, you most likely will still be vulnerable to possible attacks. All of the WLAN exploits have yet to be discovered. So the best thing to do is to continue your research, and make configuration changes as new exploits are revealed.
About the author
Mark Edmead, CISSP, SSCP, TICSA, is president of MTE Software, Inc. (www.mtesoft.com), and has more than 25 years of experience in software development, product development and network systems security. He is co-author of the book Windows NT: Performance, Monitoring and Tuning published by New Riders and editor of the SANS Business Continuity/Disaster Recovery Plan Step-by-Step Guide.
ADDITIONAL SOURCES OF INFORMATION
www.80211-planet.com -- Great reference source with the latest information on wireless LAN. There is also a link that allows you to find 802.11 hot spots by city.
www.wlana.org -- A non-profit educational trade association that provides a clearinghouse of information on WLAN applications, issues and trends.
www.wirelessethernet.org -- The Wireless Ethernet Compatibility Alliance. Its mission is to certify interoperability of Wi-Fi products.
www.wirelessdevnet.com -- The Wireless Developer Network. Not just for WLAN but also SMS, Bluethooth and other wireless technologies.
http://rr.sans.org/wireless/equiv.php -- Great paper that explains the WEP encryption vulnerability.
www.airmagnet.com -- Many products are coming out that can help system administrators and network security experts how to determine the vulnerability of their wireless network. AirMagnet is a WLAN administration and diagnostic tool. There are similar products available including AirSnort and NetStumbler.
This was first published in May 2002