Wireless Security Primer (Part II)
"For a complete guide to security, check out 'Security+ Study Guide and DVD Training System' from Amazon.com"
In this article, we will discuss what every wireless administrator should do (or at least think about) to keep their wireless LANs (WLANs) safe and secure. Every time you deploy a wireless network, ask yourself the questions outlined below. Much has been done to secure wireless transmissions, but there are still simple and important measures that many administrators are not taking. Before you read this article, you may want to read my other two wireless articles, which are primers that lead up to this one: Wireless Attacks Primer and Wireless Security Primer 101 (Part I). Between the three articles, you should have a good understanding of wireless networking and the security fundamentals behind it.
Enable and configure WEP
The IEEE 802.11 standard (802.11b is the variant most of us are deploying) had to provide a way to protect wireless transmissions to something like the degree a wired network is protected by its cabling and walls, hence the name Wired Equivalent Privacy (WEP). Radio waves are not bound by walls or wires, so you cannot restrict access to a WLAN with physical controls alone. If the network is not secured properly, it is very easy for an attacker to join it, especially if you assume it can be locked down the way a wired LAN can. WEP tries to substitute for those physical measures by encrypting the data transmitted over the WLAN with the RC4 stream cipher, using a shared key of 40 bits ('64-bit WEP') or 104 bits ('128-bit WEP'); the advertised figure includes the 24-bit initialization vector (IV) that is sent in the clear at the front of every frame. WEP is crackable. Freely available tools capture traffic and run code against it to recover the key or the keystream, and the weakness is in the protocol design rather than the key length: the 24-bit IV repeats quickly on a busy network, frames encrypted under a repeated IV reuse the same RC4 keystream, and certain IVs leak key bytes, so 128-bit WEP falls to the same attacks as 64-bit WEP, just with a few more captured frames. That does not make it useless. An unencrypted WLAN can be read and joined by anyone in range with no effort at all, so enable WEP at the longest key length your equipment supports, and where your equipment supports the newer WPA or WPA2 protection that replaced it, use that instead. Don't leave it out: if WEP is all you have, it may be your only barrier against casual penetration.
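The following is an added example, not code from the original article, showing in miniature why WEP's key length does not help. It implements WEP's actual construction (RC4 seeded with IV || key, a CRC-32 integrity check value appended before encryption) and then does what the capture tools do: two frames encrypted under the same IV share a keystream, so one frame whose contents are known (here a constructed ICMP echo; in practice the LLC/SNAP header alone gives eight known bytes) recovers the keystream and decrypts the other frame without the key. The keys, IV and frame contents are all constructed for the demonstration, and the result is identical for the 40-bit and 104-bit keys.

```python
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus output generation; WEP seeds it with IV || shared key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32, little-endian, appended before encryption."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return the WEP frame body: IV (3 bytes), key-id byte, RC4(plaintext || ICV)."""
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("IV is 24 bits; key is 40 bits ('64-bit WEP') or 104 bits ('128-bit WEP')")
    keystream = rc4_keystream(iv + key, len(plaintext) + 4)
    return iv + b"\x00" + xor(plaintext + icv(plaintext), keystream)


def wep_decrypt(key: bytes, body: bytes):
    """Decrypt the way a receiver would; returns (plaintext, icv_ok)."""
    iv, ciphertext = body[:3], body[4:]
    decrypted = xor(ciphertext, rc4_keystream(iv + key, len(ciphertext)))
    data, tag = decrypted[:-4], decrypted[-4:]
    return data, tag == icv(data)


# LLC/SNAP header that begins nearly every IP data frame: known plaintext for free.
SNAP_IP = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"


def recover_keystream(body: bytes, known_plaintext: bytes) -> bytes:
    """Ciphertext XOR known plaintext (plus its computable ICV) = keystream for this IV."""
    return xor(body[4:], known_plaintext + icv(known_plaintext))


def decrypt_with_keystream(body: bytes, keystream: bytes) -> bytes:
    """Decrypt a frame that reused the IV, without ever learning the WEP key."""
    if len(keystream) < len(body) - 4:
        raise ValueError("known plaintext is shorter than the target frame")
    return xor(body[4:], keystream)[:-4]


# Constructed demonstration data (not captured traffic).
KEY_40 = b"\x01\x02\x03\x04\x05"
KEY_104 = bytes(range(13))
KNOWN_PLAINTEXT = SNAP_IP + b"ICMP echo the attacker provoked, so its contents are known"
SECRET_PLAINTEXT = SNAP_IP + b"frame two: password=hunter2"


def iv_reuse_attack(key: bytes) -> bytes:
    """Two frames under one IV: the known one yields the keystream that decrypts the other."""
    # Only 2^24 IVs exist; some cards restart at 0 after a reset, and a busy AP
    # wraps the counter within hours, so an IV collision is guaranteed eventually.
    iv = b"\x01\x02\x03"
    known_body = wep_encrypt(key, iv, KNOWN_PLAINTEXT)
    secret_body = wep_encrypt(key, iv, SECRET_PLAINTEXT)
    keystream = recover_keystream(known_body, KNOWN_PLAINTEXT)
    return decrypt_with_keystream(secret_body, keystream)


if __name__ == "__main__":
    for name, key in (("40-bit", KEY_40), ("104-bit", KEY_104)):
        print(name, iv_reuse_attack(key)[len(SNAP_IP):])
```

Both calls print the secret frame's contents. The attack needs no key recovery at all; the FMS-style attacks that the cracking tools implement go one step further and recover the shared key itself from weak IVs, again independent of key length.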
Secure your SSID
The service set identifier (SSID) is the name that identifies a WLAN. A client must present the SSID of the network it wants to join when it associates with an access point (AP), so that both sides agree on which network they are talking about. It is tempting to think of the SSID as a kind of password shared between the devices, but it is not a secret: it travels in the clear, and it tells the AP which network the client wants, not whether the client is allowed in. A closer analogy is the 'Workgroup' name in Windows based operating systems, if that is an easier way to remember it. What is nice about SSIDs is that you can divide your network up with them, and this is where the problems come in. Many administrators are not well versed in wireless security (the technology is fairly new and still sparsely deployed), so when you mention a tool like NetStumbler to them, they may shrug their shoulders because they are not sure what it is. NetStumbler is the tool used to find open systems broadcasting their SSIDs, and with a little effort such a WLAN can be exploited. Your SSIDs are best served by the following four rules:
- Change the default SSID!
- Change the SSID at regular intervals
- Make sure you are not running an open system
- Do not use easily guessed or identifiable SSIDs
Most default SSIDs are simply the name of the vendor you bought the equipment from; if you bought a Linksys AP, your SSID will be 'linksys'. That is far too easy to find and use against you (with tools like NetStumbler), so make sure you change the default SSID.
Put a schedule in place to change your SSIDs at regular intervals as time goes on. This is a very common item in securing a WLAN that is missed, forgotten or never considered at all.
Make certain that you are not running an open system: configure the AP not to broadcast the SSID in its beacons, so that a casual attacker cannot pick it up with the freeware tools readily available on the Internet. Not doing this undermines the rest of your WLAN security. Understand what this buys you, though. Hiding the SSID from beacons defeats active scanners such as NetStumbler, but every legitimate client still sends the SSID in the clear in its probe request and association request frames, so a passive sniffer in monitor mode captures it the next time a client connects. Treat a hidden SSID as a deterrent, not as a secret.
DO NOT, under any circumstances, use an easy-to-guess SSID scheme. Many administrators are fond of the KISS principle (keep it simple), and you may find an SSID list like this:
- Finance Department: SSID = 'Finance'
- MIS Department: SSID = 'MIS'
- Marketing Department: SSID = 'Marketing'
And so on. The point is that such a scheme is trivially guessable. You can do something like this instead:
- Finance Department: SSID = 'Finfloor1'
- MIS Department: SSID = 'MISfloor2'
- Marketing Department: SSID = 'Mrktfloor3'
This is just a simple scheme to prove a point, but nonetheless: with a closed system the SSID is not broadcast, so it is not handed to everyone who drives past with a scanner; with a non-obvious name it is not easily guessed either; and best of all, it is not a default like 'linksys', which is ridiculously easy to exploit because the product's vendor name is used as its SSID. Don't think for one second that there isn't a list out there of every vendor's default SSID, or that it isn't used when someone is actively attacking your WLAN. Thinking otherwise will get you in trouble. Secure the SSID!
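To make the 'closed system' caveat concrete, here is an added example (not code from the original article) that builds and parses the tagged part of 802.11 management frames. A beacon from a closed AP carries an empty SSID element, which is why NetStumbler-style scanners show nothing, but the probe request the legitimate client transmits carries the full SSID in the clear. The frame bodies, SSIDs and rates are constructed for the demonstration; the field layout (fixed beacon fields, element ID 0 for the SSID, the Privacy capability bit) is the standard's.

```python
import struct

SSID_TAG = 0              # information element 0 is the SSID in every management frame
BEACON_FIXED_LEN = 12     # beacon / probe response: timestamp(8) + interval(2) + capability(2)
CAP_ESS, CAP_PRIVACY = 0x0001, 0x0010   # capability bits: infrastructure BSS, WEP required


def parse_tags(tagged: bytes) -> dict:
    """Walk the (id, length, value) information elements; keep the first of each id."""
    tags, i = {}, 0
    while i + 2 <= len(tagged):
        tag_id, length = tagged[i], tagged[i + 1]
        value = tagged[i + 2:i + 2 + length]
        if len(value) < length:
            raise ValueError("truncated information element")
        tags.setdefault(tag_id, value)
        i += 2 + length
    return tags


def decode_ssid(value):
    # Closed APs beacon a zero-length SSID element; some vendors instead send the
    # real length filled with NUL bytes. Both mean "hidden".
    if value is None or not value.strip(b"\x00"):
        return None
    return value.decode("utf-8", "replace")


def ssid_from_beacon(body: bytes):
    return decode_ssid(parse_tags(body[BEACON_FIXED_LEN:]).get(SSID_TAG))


def beacon_uses_privacy(body: bytes) -> bool:
    """The Privacy bit tells a scanner whether WEP is on before it ever associates."""
    capability = struct.unpack_from("<H", body, 10)[0]
    return bool(capability & CAP_PRIVACY)


def ssid_from_probe_request(body: bytes):
    """Probe requests start with the tags directly; None means a wildcard probe."""
    return decode_ssid(parse_tags(body).get(SSID_TAG))


def build_tags(ssid: bytes) -> bytes:
    rates = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # supported rates 1, 2, 5.5, 11 Mbps
    return bytes([SSID_TAG, len(ssid)]) + ssid + rates


def build_beacon(ssid: bytes, hidden: bool = False, wep: bool = True) -> bytes:
    capability = CAP_ESS | (CAP_PRIVACY if wep else 0)
    fixed = struct.pack("<QHH", 0, 100, capability)   # timestamp 0, 100 TU interval
    return fixed + build_tags(b"" if hidden else ssid)


def build_probe_request(ssid: bytes) -> bytes:
    return build_tags(ssid)


def demo():
    """What a sniffer sees from a closed AP versus from its own client."""
    ssid = b"Finfloor1"                       # constructed, following the article's scheme
    hidden_beacon = build_beacon(ssid, hidden=True)
    client_probe = build_probe_request(ssid)  # sent in the clear by every joining client
    return (ssid_from_beacon(hidden_beacon),
            ssid_from_probe_request(client_probe),
            beacon_uses_privacy(hidden_beacon))


if __name__ == "__main__":
    print(demo())   # (None, 'Finfloor1', True)
```

The first element of the tuple is what a beacon-only scanner gets from the closed AP; the second is what a passive sniffer gets the moment a real client looks for the network.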
Change the default password
This should be self-explanatory, but it is sometimes missed. When a device has a management interface, whether through a web browser or a command line, leaving the default password on it is completely insane. Everything you do to secure your wireless network can be thwarted within seconds by someone who logs in with the default. Most vendors ship with a blank password, the password 'password' or the vendor name, and those defaults are public knowledge. Changing it should be your first priority after rolling out any device. Change the password!
Change access point position
When you roll out a wireless solution, it is very important to have a site survey done. That goes beyond the scope of this article, so I placed a link here for you to gather some information about why a site survey is critical in a wireless deployment:
When you look at device placement during the survey, make security a main point of interest. Plan the coverage to radiate into the areas where it is needed and, as far as possible, no further: if you only need 20 feet of coverage, turn down the AP's transmit power or choose its antenna so that it provides only 20 feet. A nice little trick is to place a sheet of aluminium behind the AP to limit radiation out of a window, so that outsiders wardriving past do not see you.
Re-Do a wireless site survey
There are many tools out there (NetStumbler is free; Cisco and other vendors sell products) that will let you find what are called 'rogue access points': any AP or wireless device you do not know about or that was installed without the MIS department's permission. Repeating the site survey periodically will help you find them.
Use MAC Filtering
Today's APs let you control access by MAC address. The MAC address is the physical address burned into the network interface card of your system, an AP or any other device on your network. It is written as six bytes in hexadecimal, for example 00:0C:41:12:34:56 (a constructed example; the first three bytes identify the card's vendor).
It is unique to each device on the network; duplicates exist (from aging or cloned equipment), but it is fairly safe to say that every device's MAC is unique, which makes it easy to use in security definitions. If you have 10 PCs on your network, you will have 10 unique MAC addresses, and nearly all wireless AP gear today lets you put those MACs in a filter so that only those 10 PCs can participate on the network. Two problems exist:
- If you have a very large number of APs, keeping the lists in sync across all of them gets pretty scary
- MAC spoofing: a MAC is not a secret, it is sent in the clear in every frame, so an attacker who sniffs an allowed system's MAC can set it on his own card and pass the filter. This is a common and practical active attack against MAC-filtered networks.
All in all, for a small network this is a worthwhile layer, but for a large network you will want to move to other forms of security such as RADIUS and IPSec.
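Since the filter itself cannot tell a cloned MAC from the real one, the useful check is behavioural. The following added example (mine, not the article's) runs the classic sequence-number heuristic over constructed capture summaries: every 802.11 station increments a 12-bit sequence counter per frame, so when two radios transmit under one MAC the counter appears to jump backwards. The line format `<time> <src mac> seq=<n>` and the sample frames are constructed for the example, not the output of any real tool.

```python
SEQ_MODULO = 4096   # the 802.11 sequence-control field carries a 12-bit per-station counter


def parse_capture(lines):
    """Parse constructed one-frame-per-line summaries: '<time> <src mac> seq=<n>'."""
    frames = []
    for line in lines:
        line = line.split("#")[0].strip()          # allow trailing comments in the sample
        if not line:
            continue
        ts, mac, seq_field = line.split()
        frames.append((float(ts), mac.lower(), int(seq_field.split("=")[1])))
    return frames


def mac_filter_allows(mac: str, allowlist) -> bool:
    """What the AP's filter does: a pure string match, fooled by any cloned address."""
    return mac.lower() in {m.lower() for m in allowlist}


def spoof_alerts(frames, backwards_threshold=2048):
    """Flag frames whose sequence number moves backwards for a given source MAC.

    delta == 0 is a retransmission; a wrap from 4095 to 0 gives delta 1; a large
    delta means the counter went backwards, i.e. two radios share this MAC.
    Tune the threshold: very large forward gaps (frames missed while the
    sniffer was on another channel) can also land here and deserve a look.
    """
    last, alerts = {}, []
    for ts, mac, seq in frames:
        if mac in last:
            delta = (seq - last[mac]) % SEQ_MODULO
            if delta >= backwards_threshold:
                alerts.append((ts, mac, last[mac], seq))
        last[mac] = seq
    return alerts


# Constructed sample: one allowed laptop, one other allowed station, and an
# impostor who has cloned the laptop's MAC and is transmitting at the same time.
ALLOWLIST = ["00:0C:41:12:34:56", "00:0C:41:AA:BB:CC"]
SAMPLE_CAPTURE = """
10.001 00:0c:41:12:34:56 seq=1000
10.020 00:0c:41:12:34:56 seq=1001
10.035 00:0c:41:aa:bb:cc seq=3000
10.050 00:0c:41:12:34:56 seq=1002
10.061 00:0c:41:12:34:56 seq=210    # impostor using the laptop's MAC
10.078 00:0c:41:12:34:56 seq=1003
10.090 00:0c:41:12:34:56 seq=211    # impostor again
10.102 00:0c:41:aa:bb:cc seq=3001
""".splitlines()


def analyse(lines, allowlist):
    frames = parse_capture(lines)
    passed_filter = [f for f in frames if mac_filter_allows(f[1], allowlist)]
    return len(frames), len(passed_filter), spoof_alerts(passed_filter)


if __name__ == "__main__":
    total, passed, alerts = analyse(SAMPLE_CAPTURE, ALLOWLIST)
    print(f"{passed}/{total} frames pass the MAC filter; {len(alerts)} look spoofed:")
    for ts, mac, prev, seq in alerts:
        print(f"  t={ts:.3f} {mac} sequence went {prev} -> {seq}")
```

All eight frames pass the filter, because the impostor's address is on the list; only the counter analysis separates the two radios.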
Use Radius or IPSec
In an enterprise wireless deployment you need a security infrastructure that fits it, and measures that are easy to operate are the ones that will actually stay in use once you deploy. Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol, and the software implementing it, that lets remote access servers talk to a central server to authenticate dial-in users and authorize their access to the requested system or service. RADIUS lets you keep user profiles in one central database that all devices share. The same applies to a WLAN: each access point becomes a RADIUS client and forwards users' credentials to the central server instead of holding a copy of them itself.
You can also use IPSec for more security. IP Security (IPSec) protects traffic at the network (packet) layer, so if you are running IP you can run IPSec over it, for instance by placing a VPN gateway behind the APs, treating the wireless segment as untrusted and letting only IPSec-protected packets through to the wired network. It adds a layer of protection that does not depend on whatever the wireless link itself offers. In any case, use these whenever you are able.
Other Security Options
This last section covers other items you can deploy or think about with regard to wireless security:
If possible, always buy wireless devices whose firmware can be upgraded. Since this is such a new technology in the marketplace, changes and advances are very rapid.
Watch your vendor closely. Keep on top of all the newest releases, patches and security notes the vendor publishes. If you were using Cisco products, for example, you would want to scan the Cisco site for updates and release notes:
Use security other than WEP when you can. There are many other forms of security you can implement, some of which were already mentioned in this article. Other forms are:
The IEEE recognized that WEP falls far short on deliverable security, so 802.1X and EAP became the de facto implementations of wireless security. 802.1X by itself is only a framework, but combined with an EAP method it creates a fine solution when applied correctly.
The 802.1X standard is designed to enhance the security of wireless LANs that follow the IEEE 802.11 standard. It provides an authentication framework in which the access point keeps its port closed to everything except authentication traffic until a central authority (typically a RADIUS server) has authenticated the user. 802.1X carries an existing protocol, the Extensible Authentication Protocol (EAP, RFC 2284), which works over Ethernet, token ring or wireless LANs, for the message exchange during authentication: the AP merely relays EAP packets between the client (the supplicant) and the authentication server, and once the server reports EAP-Success the port is opened.
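The exchange described above and in the RADIUS section, as an added example that is not part of the original article: a supplicant, an authenticator (the AP) and an authentication server standing in for RADIUS, using real EAPOL and EAP packet encodings (RFC 2284) and the MD5-Challenge method because it is the simplest one in that RFC. The user database, identity and secret are constructed; the server exchanges bare EAP packets where a real AP would carry them inside RADIUS EAP-Message attributes. The point to watch is the controlled port: the AP forwards nothing but EAPOL until the server answers EAP-Success.

```python
import hashlib
import hmac
import os
import struct

# EAPOL (802.1X) header: version, packet type, body length. Types used here:
EAPOL_EAP_PACKET, EAPOL_START = 0, 1
# EAP (RFC 2284) codes and the two methods this example uses.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4
CODE_NAMES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def eapol(ptype: int, body: bytes = b"") -> bytes:
    return struct.pack("!BBH", 1, ptype, len(body)) + body


def eap(code: int, ident: int, eap_type=None, data: bytes = b"") -> bytes:
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    body = pkt[4:length]
    return code, ident, (body[0] if body else None), body[1:]


def md5_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 2284 section 5.4: MD5(Identifier || secret || challenge), exactly as in CHAP.
    # Over wireless this method is weak (no mutual authentication, no key derivation,
    # and a captured challenge/response allows an offline dictionary attack); the
    # TLS-based EAP methods fix that while keeping the framework shown here.
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Supplicant:
    def __init__(self, identity: str, secret: str):
        self.identity, self.secret = identity.encode(), secret.encode()

    def handle(self, request: bytes):
        code, ident, eap_type, data = parse_eap(request)
        if code != EAP_REQUEST:
            return None
        if eap_type == EAP_TYPE_IDENTITY:
            return eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, self.identity)
        if eap_type == EAP_TYPE_MD5_CHALLENGE:
            challenge = data[1:1 + data[0]]            # Value-Size byte, then the challenge
            digest = md5_response(ident, self.secret, challenge)
            return eap(EAP_RESPONSE, ident, EAP_TYPE_MD5_CHALLENGE, bytes([16]) + digest + self.identity)
        return None


class AuthServer:
    """Stands in for the RADIUS server; only it knows the users' secrets."""
    def __init__(self, users: dict):
        self.users = {k.encode(): v.encode() for k, v in users.items()}   # constructed user db
        self.identity = self.challenge = None

    def handle(self, response: bytes) -> bytes:
        code, ident, eap_type, data = parse_eap(response)
        if code == EAP_RESPONSE and eap_type == EAP_TYPE_IDENTITY:
            self.identity, self.challenge = data, os.urandom(16)
            return eap(EAP_REQUEST, (ident + 1) & 0xFF, EAP_TYPE_MD5_CHALLENGE, bytes([16]) + self.challenge)
        if code == EAP_RESPONSE and eap_type == EAP_TYPE_MD5_CHALLENGE and self.identity in self.users:
            expected = md5_response(ident, self.users[self.identity], self.challenge)
            if hmac.compare_digest(data[1:17], expected):
                return eap(EAP_SUCCESS, ident)
        return eap(EAP_FAILURE, ident)


class Authenticator:
    """The access point: relays EAP and keeps the controlled port closed until EAP-Success."""
    def __init__(self, server: AuthServer):
        self.server, self.authorized, self.log = server, False, []

    def handle_eapol(self, frame: bytes):
        _version, ptype, length = struct.unpack("!BBH", frame[:4])
        if ptype == EAPOL_START:
            self.log.append("AP -> client: EAP-Request/Identity")
            return eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
        if ptype != EAPOL_EAP_PACKET:
            return None
        reply = self.server.handle(frame[4:4 + length])    # relayed; the AP never sees the secret
        self.log.append(f"server -> client: EAP-{CODE_NAMES[reply[0]]}")
        self.authorized = reply[0] == EAP_SUCCESS
        return eapol(EAPOL_EAP_PACKET, reply)

    def forward_data(self, _frame: bytes) -> bool:
        """Anything that is not EAPOL is dropped while the port is unauthorized."""
        return self.authorized


def run_8021x(identity: str, secret: str, users: dict) -> Authenticator:
    ap, client = Authenticator(AuthServer(users)), Supplicant(identity, secret)
    frame = ap.handle_eapol(eapol(EAPOL_START))
    while frame is not None and parse_eap(frame[4:])[0] not in (EAP_SUCCESS, EAP_FAILURE):
        response = client.handle(frame[4:])
        frame = None if response is None else ap.handle_eapol(eapol(EAPOL_EAP_PACKET, response))
    return ap


if __name__ == "__main__":
    ap = run_8021x("alice", "s3cret", {"alice": "s3cret"})
    print("\n".join(ap.log), "\nport authorized:", ap.authorized)
```

A wrong secret or an unknown identity ends in EAP-Failure and the port stays closed; nothing the client sends as ordinary data is forwarded until the server, not the AP, has said yes.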
Make a concerted effort to implement as many of these wireless security features as you can. You need not master every technology explained here; look them up one at a time and see whether any of the ideas match your business needs. If so, continue to read the other wireless security articles here on WindowSecurity.com and let us know what you think!