This document explains topics relating to wireless networks. The main topics discussed include what types of vulnerabilities exist today in 802.11 networks and ways that you can help prevent these vulnerabilities from being exploited. Wireless networks have not been around for many years. Federal Express has been using a type of wireless network, similar to the 802.11 networks used today, but the general public has only recently started to use wireless networking technology. Because of the weak security that exists in wireless networks, companies such as Best Buy have decided to postpone the roll-out of wireless technology. The United States Government has done likewise and is suspending the use of wireless until a more universal, secure solution is available.

Background

What is Wireless?

Wireless LANs, or Wi-Fi, is a technology used to connect computers and devices together. Wireless LANs give people more mobility and flexibility by allowing workers to stay connected to the Internet and to the network as they roam from one coverage area to another. This increases efficiency by allowing data to be entered and accessed on site.

Besides being very simple to install, WLANs are easy to understand and use. With few exceptions, everything to do with wired LANs applies to wireless LANs. They function like, and are commonly connected to, wired Ethernet networks.

The Wireless Ethernet Compatibility Alliance [WECA] is the industry organization that certifies 802.11 products that are deemed to meet a base standard of interoperability. The first family of products to be certified by WECA is that based on the 802.11b standard. This set of products is what we will be studying. Other standards also exist, such as 802.11a and 802.11g.

The original 802.11 standard was published in 1999 and provides for data rates of up to 2 Mbps at 2.4 GHz, using either FHSS or DSSS. Since that time many task groups have been formed to create supplements and enhancements to the original 802.11 standard.

The 802.11b TG created a supplement to the original 802.11 standard, called 802.11b, which has become the industry standard for WLANs. It uses DSSS and provides data rates up to 11 Mbps at 2.4 GHz. 802.11b will eventually be replaced by standards which have better QoS features and better security.

Network Topology

There are two main topologies which can be configured in wireless networks:

Peer-to-peer (ad hoc mode) — This configuration is identical to its wired counterpart, except without the wires. Two or more devices can talk to each other without an AP.

Client/Server (infrastructure networking) — This configuration is identical to its wired counterpart, except without the wires. This is the most common wireless network used today, and what most of the concepts in this paper apply to.

Benefits of Wireless LANs

WLANs can be used to replace wired LANs, or as an extension of a wired infrastructure. It costs far less to deploy a wireless LAN than to deploy a wired one. A major cost of installing and modifying a wired network is the expense of running network and power cables, all in accordance with local building codes. Examples of additional applications where WLANs may be deployed include:

Additions or moves of computers
Installation of temporary networks
Installation of hard-to-wire locations

Wireless LANs give you more mobility and flexibility by allowing you to stay connected to the Internet and to the network as you roam.

Cons of Wireless LANs

Wireless LANs are a relatively new technology which has only been around since 1999. With any new technology, standards are always improving, but in the beginning are unreliable and insecure. Wired networks send traffic over a dedicated line that is physically private; WLANs send their traffic over shared space, the airwaves. This introduces interference from other traffic and the need for additional security. Besides interference from other wireless LAN devices, the 2.4 GHz band is also used by cordless phones and microwaves.

Security Issues of WLANs

War-driving

War-driving is a process in which an individual uses a wireless device such as a laptop or PDA to drive around looking for wireless networks. Some people do this as a hobby and map out the different wireless networks which they find. Other people, who can be considered hackers, will look for wireless networks and then break into the networks. If a wireless network is not secure, it can be fairly easy to break into the network and obtain confidential information. Even with security, hackers can break the security and hack. One of the most prevalent tools used on PDAs and Microsoft Windows devices is Network Stumbler, which can be downloaded at Equipped with the software and device, a person can map out wireless access points if a GPS unit is attached. Adding an antenna to the wireless card increases the capabilities of Wi-Fi. More information can be found at: and to name a few.

War-chalking

War-chalking is a method of marking wireless networks, most commonly by using chalk. War-driving is usually the method used to search for networks, and then the person will mark the network with chalk that gives information about the network. This information can include the network name, whether the network has security, and possibly the contact information of whoever owns the network. If your wireless network is war-chalked and you don't realize it, your network can be used and/or broken into faster, because of the information shown about your network.

Eavesdropping & Espionage

Because wireless communication is broadcast over radio waves, eavesdroppers who just listen over the airwaves can easily pick up unencrypted messages. These intruders put businesses at risk of exposing sensitive information to corporate espionage. (Wireless LAN Security — What Hackers Know That You Don't, Copyright 2002)

Internal Vulnerabilities

Within an organization, network security can be compromised in ways such as Rogue WLANs (or Rogue APs), Insecure Network Configuration, and Accidental Associations, to name a few.

Rogue Access Points — An employee of an organization might hook up an access point without the permission or even knowledge of IT. This is simple to do: all a person has to do is plug an Access Point or wireless router into an existing live LAN jack and they are on the network. One statistic in 2001 by Gartner said that at least 20 percent of enterprises already have rogue access points. Another type of attack would be if someone from outside the organization enters the workplace and adds an Access Point by means of Social Engineering.

Insecure Network Configurations - Many companies think that if they are using a firewall or a technology such as VPN, they are automatically secure. This is not necessarily true because all security holes, big and small, can be exploited. Also, if devices and technologies such as VPNs, firewalls or routers are misconfigured, the network can be compromised.

Accidental Associations — This can happen if a wireless network is set up using the same SSID as your network and within range of your wireless device. You may accidentally associate with their network without your knowledge. Connecting to another wireless LAN can divulge passwords or sensitive documents to anyone on the neighboring network. (Wireless LAN Security — What Hackers Know That You Don't, Copyright 2002)

Social Engineering — Social Engineering is one of the most effective and scariest types of attacks that can be done. This type of attack really scares me and can be done for many other purposes besides compromising security in wireless networks. A scenario: Someone dressed up as a support person from Cisco enters the workplace. The secretary sees his fake credentials and lets him get past the front desk. The impersonator walks from cubicle to cubicle, collecting user names and passwords as he/she goes. After finding a hidden corner, which seems to be lightly traveled, he plugs an insecure Access Point into the network. At the same time he configures the Access Point to not broadcast its SSID and modifies a few other settings to make it hard for the IT department to find this Rogue Access Point. He then leaves without ever being questioned by anyone because it looks like he just fits in. Now, all he has to do is be within 300 feet of the access point (more if he added an antenna), and he has access to all kinds of secure documents and data. This can be a devastating blow to any corporation and could eventually lead to bankruptcy if the secrets of the company were revealed to competitors.

Bruce Schneier came to my classroom and said the following about Social Engineering: "Someone is just trying to do their job, and be nice. Someone takes advantage of that by targeting this human nature. Social Engineering is unsolvable."

Securing Wireless Networks

According to Bruce Schneier and others such as Kevin Mitnick, you can never have a totally secure computing environment. What is often suggested is to try to control the damage which can be done if security is breached. One can try many different tools on the market which can help prevent security breaches.

WEP — WEP supports both 64 and 128-bit keys. Both are vulnerable, however, because the initialization vector is only 24 bits long in each case. Its RC4 algorithm, which is used securely in other implementations, such as SSL, is quite vulnerable in WEP. (Wireless Insecurities, by Dale Gardner.) Different tools exist to break WEP keys, including AirSnort, which can be found at Although this method is not a secure solution, it can be used to help slow down an attacker if other means are not possible financially or otherwise.

VPN and IPSec - IPSec VPNs let companies connect remote offices or wireless connections using the public Internet rather than expensive leased lines or a managed data service. Encryption and authentication systems protect the data as it crosses the public network, so companies don't have to sacrifice data privacy and integrity for lower costs. A lot of VPNs exist on the market today. An important note about VPNs is that interoperability does not really exist, and whatever you use for your server has to be the same brand as your clients most of the time. Some VPNs include:

Borderware
BroadConnex Networks
CheckPoint
Cisco
Computer Associates

DMZ — Adding this to your network enables you to put your wireless network on an untrusted segment of your network.

Firewalls — Firewalls are all over the place. Firewalls range from hardware to software versions. Adding a firewall between the wireless network and the wired network helps prevent hackers from accessing your wired network. This paper doesn't go into specifics about different firewalls and how to set them up, but there are many. Some of the firewalls include:

- ZoneAlarm (an inexpensive software-based firewall)
- Symantec has many different firewalls depending on what you require.

PKI - Public-key infrastructure (PKI) is the combination of software, encryption technologies, and services that enables enterprises to protect the security of their communications and business transactions on the Internet. (What is PKI?)

Site Surveys — Site Surveys involve using a software package and a wireless device to probe your network for Access Points and security risks.

Proactive Approaches

Since wireless technology is insecure, companies or anyone else can take a proactive approach to try to identify hackers trying to gain access via wireless networks.

Honeypots — Honeypots are fake networks set up to try to lure in hackers. This enables administrators to find out more about what types of techniques hackers are using to gain access. One product is ManTrap, created by Symantec.

ManTrap has the unique ability to detect both host- and network-based attacks, providing hybrid detection in a single solution. No matter how an internal or external attacker tries to compromise the system, Symantec ManTrap's decoy sensors will deliver holistic detection and response and provide detailed information through its system of data collection modules.

Intrusion Detection — Intrusion Detection is software that monitors traffic on the network. It sounds a warning if a hacker is trying to access the network. One such free product is Snort.

Before we proceed, there are a few basic concepts you should understand about Snort. There are three main modes in which Snort can be configured: sniffer, packet logger, and network intrusion detection system. Sniffer mode simply reads the packets off of the network and displays them for you in a continuous stream on the console. Packet logger mode logs the packets to the disk.
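
The site survey and rogue access point passages above can be turned into a repeatable check. The following is an added example, not code from the original paper: it compares survey observations against an assumed inventory of sanctioned access points, and every name, threshold and record in it is constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    bssid: str       # access point radio MAC
    ssid: str        # "" when the AP does not broadcast its SSID
    encryption: str  # as reported by the survey tool: "open", "wep", ...
    signal_dbm: int  # stronger (closer to 0) suggests the AP is on site

# Assumed inventory of sanctioned access points: BSSID -> SSID it should carry.
AUTHORIZED = {
    "00:00:5e:00:53:01": "CORP-WLAN",
    "00:00:5e:00:53:02": "CORP-WLAN",
}

# Constructed survey results (documentation-range MACs, invented SSIDs).
SURVEY = [
    Observation("00:00:5e:00:53:01", "CORP-WLAN", "wep", -48),
    Observation("00:00:5e:00:53:02", "CORP-WLAN", "wep", -61),
    Observation("00:00:5e:00:53:aa", "", "open", -42),            # hidden, strong signal
    Observation("00:00:5E:00:53:BB", "CORP-WLAN", "open", -70),   # same SSID, unknown radio
    Observation("00:00:5e:00:53:cc", "CoffeeShop", "open", -88),  # weak, likely a neighbor
]

def classify(obs, authorized=AUTHORIZED, on_site_dbm=-65):
    """Return the list of findings for one observed access point."""
    findings = []
    known_ssids = set(authorized.values())
    expected = authorized.get(obs.bssid.lower())
    if expected is None:
        if obs.ssid in known_ssids:
            findings.append("ssid-collision")   # accidental-association risk
        elif obs.signal_dbm >= on_site_dbm:
            findings.append("possible-rogue")   # unknown radio inside coverage
        else:
            findings.append("neighbor")         # unknown but distant
        if obs.ssid == "":
            findings.append("hidden-ssid")
    elif obs.ssid != expected:
        findings.append("config-drift")         # sanctioned AP, wrong SSID
    if expected is not None and obs.encryption == "open":
        findings.append("unencrypted")
    return findings

def survey_report(observations, authorized=AUTHORIZED):
    """Map BSSID -> findings, omitting access points with nothing to report."""
    report = {}
    for obs in observations:
        findings = classify(obs, authorized)
        if findings:
            report[obs.bssid.lower()] = findings
    return report
```

An over-the-air survey only shows that an unknown radio is nearby; confirming that it is attached to the wired LAN still requires checking switch ports or tracing the device physically.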