It often seems to me that the term wireless network has become almost synonymous with the term insecure. Ever since wireless networks first started becoming popular, the Internet has been flooded with stories of wireless security nightmares. Rogue access points, parking lot spies, and Pringles can antennas have all been headaches that administrators of wireless networks have had to deal with. To make a statement that wireless networks are more secure than wired networks seems absolutely ludicrous, but is it true?
Let me start off by saying that I don’t believe that wireless networks are more secure than wired networks as a whole. However, there are certain aspects of wireless network security that are superior to what’s traditionally used on wired networks. There are two main reasons for this.
The first reason why some wireless security mechanisms are better than those used on wired networks has to do with the image problem that has plagued wireless networks since the beginning. Wireless networks have always had a reputation for being insecure. Even so, there has been an unprecedented demand for wireless hardware. Being that wireless networks have become so popular, dozens of companies have invested big bucks into developing products and architectures designed to make wireless networks secure. Of course there are plenty of security products for wired networks as well, but the security solutions for wireless networks seem to me a little more unique and imaginative.
The other reason why wireless networks tend to be more secure than wired networks in some regards is because of the overall philosophy behind the network. For example, imagine that you created a small network with a Windows 2003 Server and five workstations running Windows XP. The machines are all brand new and no one has touched any of the hardware except for you. You have installed all of the operating systems, applications, and security patches. The PCs have never been exposed to end users or to the Internet. The question I am asking you is this: do you trust the workstations on your network? Of course you do.
Now, let’s turn the situation around a little bit. Let’s assume that everything is the same as before, but the server and the PCs are all a part of a wireless network rather than being wired to a switch. Assuming that your wireless access point is running an out of the box configuration, do you trust the PCs on your network? Hopefully, you said no because with a generic wireless network configuration, you have no way of guaranteeing that the PCs connecting to your wireless network are really your PCs. Sure, your PCs are connected to the wireless network, but your neighbors can also connect to your network as well.
The point that I am trying to make is that the overall philosophy behind wired networks vs. wireless networks is trust. On a wired network, the hardware is under the direct control of the network administrator, and therefore, the overall attitude toward the workstations tends to be one of trust. On a wireless network, it is a well-known fact that someone could sit in the parking lot with a laptop and access your wireless network. Therefore, the general attitude toward wireless workstations tends to be one of extreme distrust.
This difference in attitude often causes the same administrators who go to extreme lengths to secure a wireless network to almost neglect wired network security. Let me ask you another question though. Are there any unused network jacks or unused switch ports in your office? If someone was able to sneak into the office and plug a laptop into one of these unused jacks, would you still have the same level of trust in the hardware on your wired network?
One of the most basic features included in most wireless access points is a list of workstations that are allowed to access the wireless network. This feature allows you to enter the MAC address of each wireless NIC that your company owns. That way, if someone attempts to connect to your network, the access point checks to see if the NIC's MAC address is allowed. If not, then the connection is denied.
This technology isn’t absolutely perfect though. There are still a couple of ways that a hacker could breach the wireless network. For example, some NICs allow you to set the MAC address to an address of your choice. A hacker could spy on the network, get the address of a valid NIC and then assign that address to their own NIC. It is also possible that a hacker could steal one of your NICs and use it to gain access to the network.
At the same time though, you have to remember that a media access control filter is not your only line of defense. It is an excellent starting point though. The problem is that most wired networks do not have such a feature in place. Administrators assume that every PC on the wired network has a right to be there, so there’s no reason to implement a media access control filter.
OK, I’ll admit that the chances of someone just walking in off the street and plugging a laptop into an empty network jack are pretty slim. Think about this though. Rogue access points have been a huge problem for corporations. There have been countless situations in which a company doesn’t want a wireless network, but an employee does, so they set up their own access point. There have also been cases in which an employee is mad because they weren’t granted access to the wireless access point, so they set up their own.
An employee doesn’t need a spare network jack to set up a rogue access point. Access points usually have a mini-hub built in. A user could just unplug their PC and plug the access point into the network jack that the PC had been using. They can then plug their PC into the access point. So what does this have to do with media access controls? Most wireless access points have a MAC address of their own. Therefore, if your wired network had a MAC address filter in place, then the rogue access point would never be able to gain access to the rest of the network.
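One way to carry the wireless-style MAC allowlist over to a wired switch is to audit what the switch has actually learned. The script below is an added example, not part of the original article: it parses a constructed switch MAC address table, compares it against a constructed inventory allowlist, and also reports any address learned on more than one port, which is the spoofed-address case mentioned above that a plain filter cannot catch.

```python
import re
from collections import defaultdict

# Constructed sample in the style of a switch "show mac address-table";
# neither the table nor the allowlist below comes from a real network.
SWITCH_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi0/1
  10    0011.2233.4466    DYNAMIC     Gi0/2
  10    00de.adbe.ef01    DYNAMIC     Gi0/7
  10    0011.2233.4455    DYNAMIC     Gi0/9
"""

# Constructed inventory: MAC addresses of the NICs the company owns.
ALLOWED_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}

_ROW = re.compile(r"^\s*\d+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I)

def normalize_mac(mac):
    """Accept aaaa.bbbb.cccc, aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_mac_table(text):
    """Return (mac, port) pairs for every learned address in the switch output."""
    return [(normalize_mac(m.group(1)), m.group(2))
            for m in (_ROW.match(line) for line in text.splitlines()) if m]

def audit(entries, allowed):
    """Report MACs outside the inventory and MACs learned on more than one port.

    An unknown MAC is what a wired MAC filter would refuse (a rogue access point
    or a visitor's laptop on a spare jack). One MAC on two ports is the spoofing
    case: a permitted address alone does not prove the device is the one you own.
    """
    allowed = {normalize_mac(m) for m in allowed}
    ports_by_mac = defaultdict(set)
    for mac, port in entries:
        ports_by_mac[mac].add(port)
    return {
        "unknown": sorted(m for m in ports_by_mac if m not in allowed),
        "duplicated": sorted(m for m, p in ports_by_mac.items() if len(p) > 1),
    }
```

Calling `audit(parse_mac_table(SWITCH_MAC_TABLE), ALLOWED_MACS)` on the sample flags the address on Gi0/7 as unknown and the address shared by Gi0/1 and Gi0/9 as duplicated.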
Would you communicate across a wireless network without using encryption? Of course not, but many wired networks allow the majority of communications to go unencrypted. Wired networks are just as prone to eavesdropping as wireless networks are. The only difference is that wireless networks can be snooped on by outsiders, whereas snooping on a wired network requires a physical connection. Even so, I have seen plenty of instances in which an employee uses a protocol analyzer to spy on co-workers.
Microsoft began offering IPSec encryption with Windows 2000, and continues to offer it in Windows Server 2003 and in Windows XP. However, many companies choose to only encrypt traffic flowing between servers. Although there are certainly exceptions, the bulk of the traffic flowing between servers and workstations is typically not encrypted.
A couple of years ago, conventional wisdom stated that most workstation traffic should not be encrypted because of the burden that encryption places on the network. The encryption and decryption process consumes processing power, and encrypted packets typically consume more network bandwidth.
Although these may have been valid arguments at one time, I believe that the time has come to encrypt all network traffic. Network cards exist that can handle the encryption and decryption process without having to burden the processor. Likewise, gigabit network cards have become cheap enough that the extra bandwidth required by encrypted packets should no longer be a huge issue.
One of the other ways that wireless network security has surpassed wired security is in the way that it is isolated. In many companies, anything coming in through a wireless access point is automatically assumed to be untrustworthy until the sender can prove otherwise. Because the airwaves are assumed to be an insecure medium, wireless traffic is handled in a different way than wired traffic. Companies will typically establish a VPN for wireless users.
The idea is that when a user attaches to a wireless network, they are completely isolated from the rest of the network until they have been authenticated. Often, the authentication mechanism isn’t even allowed direct access to a domain controller. Instead, a RADIUS server is typically used to authenticate wireless users. Once authentication has been established, then the user communicates with the network through a secure tunnel.
What is interesting about this is that the VPN-like connection uses its own encryption. At the same time though, the wireless signal is already encrypted by using WPA or something similar. This means that legitimate wireless traffic is double-encrypted, using two completely different encryption protocols.
In my opinion, isolating segments of a wired network and requiring RADIUS authentication is probably overkill in most cases. It is a good example though of a way in which wireless security mechanisms are more stringent than those used on wired networks.
Although I don’t believe that wireless networks are more secure than wired networks as a general rule, there’s little question that a greater emphasis is placed on wireless security than on wired security. If you are really concerned about the security of your wired network, then it may be worth taking a look at the security mechanisms used on your wireless network and seeing if any of those techniques can be adapted to your wired network.