This document explains topics relating to wireless networks. The main topics discussed are the types of vulnerabilities that exist today in 802.11 networks and ways that you can help guard against them. Wireless networks have not been around for many years. Federal Express has been using a type of wireless network, similar to the 802.11 networks used today, but the general public has only recently started to use wireless networking technology. Because of the weak security that exists in wireless networks, companies such as Best Buy have decided to postpone the roll-out of wireless technology. The United States Government has done likewise and is suspending the use of wireless until a more universal, secure solution is available.

Background

What is Wireless?

Wireless LANs, or Wi-Fi, is a technology used to connect computers and devices together. Wireless LANs give people more mobility and flexibility by allowing workers to stay connected to the Internet and to the network as they roam from one coverage area to another. This increases efficiency by allowing data to be entered and accessed on site.

Besides being very simple to install, WLANs are easy to understand and use. With few exceptions, everything to do with wired LANs applies to wireless LANs. They function like, and are commonly connected to, wired Ethernet networks.

The Wireless Ethernet Compatibility Alliance [WECA] is the industry organization that certifies 802.11 products that are deemed to meet a base standard of interoperability. The first family of products to be certified by WECA is that based on the 802.11b standard. This set of products is what we will be studying. Other standards also exist, such as 802.11a and 802.11g.

The original 802.11 standard was published in 1999 and provides for data rates of up to 2 Mbps at 2.4 GHz, using either FHSS or DSSS. Since that time many task groups have been formed to create supplements and enhancements to the original 802.11 standard.

The 802.11b TG created a supplement to the original 802.11 standard, called 802.11b, which has become the industry standard for WLANs. It uses DSSS and provides data rates up to 11 Mbps at 2.4 GHz. 802.11b will eventually be replaced by standards which have better QoS features and better security.

Network Topology

There are two main topologies which can be configured in wireless networks:

Peer-to-peer (ad hoc mode) - This configuration is identical to its wired counterpart, except without the wires. Two or more devices can talk to each other without an AP.

Client/Server (infrastructure networking) - This configuration is identical to its wired counterpart, except without the wires. This is the most common wireless network used today, and what most of the concepts in this paper apply to.

Benefits of Wireless LANs

WLANs can be used to replace wired LANs, or as an extension of a wired infrastructure. It costs far less to deploy a wireless LAN than to deploy a wired one. A major cost of installing and modifying a wired network is the expense of running network and power cables, all in accordance with local building codes. Examples of additional applications where WLANs may be deployed include:

- Additions or moves of computers
- Installation of temporary networks
- Installation in hard-to-wire locations

Wireless LANs give you more mobility and flexibility by allowing you to stay connected to the Internet and to the network as you roam.

Cons of Wireless LANs

Wireless LANs are a relatively new technology which has only been around since 1999. With any new technology, standards are always improving, but in the beginning they are unreliable and insecure. Wired networks send traffic over a dedicated line that is physically private; WLANs send their traffic over shared space, the airwaves. This introduces interference from other traffic and the need for additional security. Besides interference from other wireless LAN devices, the 2.4 GHz band is also used by cordless phones and microwaves.

Security Issues of WLANs

War-driving

War-driving is a process in which an individual uses a wireless device such as a laptop or PDA to drive around looking for wireless networks. Some people do this as a hobby and map out the different wireless networks which they find. Other people, who can be considered hackers, will look for wireless networks and then break into the networks. If a wireless network is not secure, it can be fairly easy to break into the network and obtain confidential information. Even with security in place, hackers can break the security and get in. One of the most prevalent tools used on PDAs and Microsoft Windows devices is Network Stumbler, which can be downloaded at Equipped with the software and device, a person can map out wireless access points if a GPS unit is attached. Adding an antenna to the wireless card increases the capabilities of Wi-Fi. More information can be found at: and to name a few.

War-chalking

War-chalking is a method of marking wireless networks, most commonly by using chalk. War-driving is usually the method used to search for networks, and then the person will mark the network with chalk that gives information about the network. The information may include what the network name is, whether the network has security, and possibly the contact information of whoever owns the network. If your wireless network is war-chalked and you don't realize it, your network can be used and/or broken into faster, because of the information shown about your network.

Eavesdropping & Espionage

Because wireless communication is broadcast over radio waves, eavesdroppers who just listen over the airwaves can easily pick up unencrypted messages. These intruders put businesses at risk of exposing sensitive information to corporate espionage. (Wireless LAN Security - What Hackers Know That You Don't, Copyright 2002)

Internal Vulnerabilities

Within an organization, network security can be compromised in ways such as Rogue WLANs (or Rogue APs), Insecure Network Configurations, and Accidental Associations, to name a few.

Rogue Access Points - An employee of an organization might hook up an access point without the permission or even knowledge of IT. This is simple to do: all a person has to do is plug an access point or wireless router into an existing live LAN jack and they are on the network. One statistic from Gartner in 2001 said that "at least 20 percent of enterprises already have rogue access points." Another type of attack would be if someone from outside the organization enters the workplace and adds an Access Point by means of Social Engineering.

Insecure Network Configurations - Many companies think that if they are using a firewall or a technology such as VPN, they are automatically secure. This is not necessarily true because all security holes, big and small, can be exploited. Also, if devices and technologies such as VPNs, firewalls or routers are misconfigured, the network can be compromised.

Accidental Associations - This can happen if a wireless network is set up using the same SSID as your network and within range of your wireless device. You may accidentally associate with their network without your knowledge. Connecting to another wireless LAN can divulge passwords or sensitive documents to anyone on the neighboring network. (Wireless LAN Security - What Hackers Know That You Don't, Copyright 2002)

Social Engineering - Social Engineering is one of the most effective and scariest types of attacks that can be done. This type of attack really scares me and can be done for many other purposes besides compromising security in wireless networks. A scenario: Someone dressed up as a support person from Cisco enters the workplace. The secretary sees his fake credentials and lets him get past the front desk. The impersonator walks from cubicle to cubicle, collecting user names and passwords as he/she goes. After finding a hidden corner, which seems to be lightly traveled, he plugs an insecure Access Point into the network. At the same time he configures the Access Point to not broadcast its SSID and modifies a few other settings to make it hard for the IT department to find this Rogue Access Point. He then leaves without ever being questioned by anyone because it looks like he just fits in. Now, all he has to do is be within 300 feet of the access point (more if he added an antenna), and he has access to all kinds of secure documents and data. This can be a devastating blow to any corporation and could eventually lead to bankruptcy if the secrets of the company were revealed to competitors.

Bruce Schneier came to my classroom and said the following about Social Engineering, "Someone is just trying to do their job, and be nice. Someone takes advantage of that by targeting this human nature. Social Engineering is unsolvable."

Securing Wireless Networks

According to Bruce Schneier and others such as Kevin Mitnick, you can never have a totally secure computing environment. What is often suggested is to try to control the damage which can be done if security is breached. One can try many different tools on the market which can help prevent security breaches.

WEP - WEP supports both 64 and 128-bit keys. Both are vulnerable, however, because the initialization vector is only 24 bits long in each case. Its RC4 algorithm, which is used securely in other implementations, such as SSL, is quite vulnerable in WEP. (Wireless Insecurities, by Dale Gardner.) Different tools exist to break WEP keys, including AirSnort, which can be found at Although this method is not a secure solution, it can be used to help slow down an attacker if other means are not possible financially or otherwise.

VPN and IPSec - IPSec VPNs let companies connect remote offices or wireless connections using the public Internet rather than expensive leased lines or a managed data service. Encryption and authentication systems protect the data as it crosses the public network, so companies don't have to sacrifice data privacy and integrity for lower costs. A lot of VPNs exist on the market today. An important note about VPNs is that interoperability does not really exist, and whatever you use for your server has to be the same brand as your clients most of the time. Some VPNs include:

- Borderware
- BroadConnex Networks
- CheckPoint
- Cisco
- Computer Associates

DMZ - Adding this to your network enables you to put your wireless network on an untrusted segment of your network.

Firewalls - Firewalls are all over the place. Firewalls range from hardware to software versions. Adding a firewall between the wireless network and the wired network helps prevent hackers from accessing your wired network. This paper doesn't go into specifics about different firewalls and how to set them up, but there are many. Some of the firewalls include:

- ZoneAlarm (an inexpensive software-based firewall)
- Symantec has many different firewalls depending on what you require.

PKI - Public-key infrastructure (PKI) is the combination of software, encryption technologies, and services that enables enterprises to protect the security of their communications and business transactions on the Internet. (What is PKI?)

Site Surveys - Site Surveys involve using a software package and a wireless device to probe your network for Access Points and security risks.

Proactive Approaches

Since wireless technology is insecure, companies or anyone else can take a proactive approach to try to identify hackers trying to gain access via wireless networks.

Honeypots - Honeypots are fake networks set up to try to lure in hackers. This enables administrators to find out more about what types of techniques hackers are using to gain access. One product is ManTrap, created by Symantec.

"ManTrap has the unique ability to detect both host- and network-based attacks, providing hybrid detection in a single solution. No matter how an internal or external attacker tries to compromise the system, Symantec ManTrap's decoy sensors will deliver holistic detection and response and provide detailed information through its system of data collection modules."

Intrusion Detection - Intrusion Detection is software that monitors traffic on the network. It sounds a warning if a hacker is trying to access the network. One such free product is Snort.

"Before we proceed, there are a few basic concepts you should understand about Snort. There are three main modes in which Snort can be configured: sniffer, packet logger, and network intrusion detection system. Sniffer mode simply reads the packets off of the network and displays them for you in a continuous stream on the console. Packet logger mode logs the packets to the disk.
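The Rogue Access Points, Accidental Associations and Site Surveys entries above describe what a survey has to find: access points IT did not install, neighbors reusing your SSID, and devices set not to broadcast an SSID. The Python sketch below is an added example, not from the original paper, of triaging survey results against an inventory of sanctioned APs; the inventory, the survey rows, the field layout and the -60 dBm "likely on site" threshold are all constructed assumptions.

```python
# Constructed inventory of sanctioned access points: BSSID -> (SSID, channel).
AUTHORIZED = {
    "00:11:22:33:44:01": ("CORP-WLAN", 1),
    "00:11:22:33:44:02": ("CORP-WLAN", 6),
}

# Constructed site-survey rows: (bssid, ssid, channel, signal in dBm).
# An empty SSID means the AP does not broadcast its name.
SURVEY = [
    ("00:11:22:33:44:01", "CORP-WLAN", 1, -48),
    ("00:11:22:33:44:02", "CORP-WLAN", 11, -55),
    ("66:77:88:99:aa:01", "CORP-WLAN", 6, -70),
    ("66:77:88:99:aa:02", "", 3, -41),
    ("66:77:88:99:aa:03", "linksys", 6, -82),
]


def classify(survey, authorized, near_dbm=-60):
    """Return {bssid: finding} for every observation that needs follow-up."""
    corp_ssids = {ssid for ssid, _ in authorized.values()}
    findings = {}
    for bssid, ssid, channel, signal in survey:
        bssid = bssid.lower()
        if bssid in authorized:
            # Known hardware: flag only if its settings drifted from inventory.
            if (ssid, channel) != authorized[bssid]:
                findings[bssid] = "authorized AP with changed configuration"
        elif ssid in corp_ssids:
            # Same SSID on unknown hardware: clients may associate by accident.
            findings[bssid] = "unknown AP using a corporate SSID"
        elif ssid == "" and signal >= near_dbm:
            findings[bssid] = "hidden-SSID AP with strong signal, likely on site"
        elif signal >= near_dbm:
            findings[bssid] = "unknown AP with strong signal, likely on site"
        else:
            findings[bssid] = "neighboring network, monitor for associations"
    return findings


if __name__ == "__main__":
    for bssid, finding in classify(SURVEY, AUTHORIZED).items():
        print(bssid, "->", finding)
```

Signal strength only suggests proximity; a flagged AP still has to be located physically and traced to a switch port before it is treated as rogue.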