Securing Wireless Networks
Today, defending business networks is largely based on protocols and technologies that support a wired infrastructure. However, the proliferation of mobile devices and wireless communication is introducing new security gaps that must be addressed. As the saying goes, security is only as good as your weakest link, and wireless systems are the weak links in today’s business infrastructure. Security practitioners need to better understand wireless technologies, protocols and standards, and develop a policy to address wireless security.
Wireless Network Standards
The IEEE has defined standards for wireless networks:
- 802.1x: Framework for stronger authentication for 802.11 wireless LANs (WLANs).
- 802.11a: Physical layer standard in the 5 GHz radio band. Maximum link rate is 54 Mbps per channel.
- 802.11b: Physical layer standard in the 2.4 GHz radio band. Maximum link rate is 11 Mbps per channel.
- 802.11d: Supplementary to MAC layer in 802.11. Supports use of 802.11 WLANs.
- 802.11e: Provides quality of service (QoS) and multimedia capability.
- 802.11f: Defines the registration of access points within a network and the exchange of information between access points when a user is handed over from one access point to another.
- 802.11g: Physical-layer standard for WLANs in the 2.4 GHz and 5 GHz radio band. Maximum link rate is 54 Mbps per channel.
- 802.11h: Supplementary to MAC layer to comply with EU regulations for 5 GHz WLANs.
- 802.11i: Supplementary to MAC layer to improve security. Alternative to WEP with new encryption methods and authentication procedures.
- 802.16a: Extends the range of 802.11 to several miles. Provides enhanced security and supports high-quality phone calls.
- 802.20: Extends the range of 802.11 to several miles and is being designed to support high-speed links in vehicles exceeding 120 miles per hour.
Wireless Network Components
IEEE 802.11 wireless LANs include the following components:
- Wireless network interface card: PC, USB or PCI cards that interface between the client computer and the communications medium. They convert digital data to and from radio waves.
- Client system: Laptop, PDA or a desktop system.
- Communications medium: Consists of radio waves in the 2.4 GHz or 5 GHz radio frequency band. The frequency band is broken up into channels.
- Access point: Provides several channels to connect client systems to the wired LAN.
The IEEE 802.11 standard defines two specific operating modes: ad-hoc and infrastructure. In the ad-hoc mode, two or more client systems create a peer-to-peer network with each other’s wireless NICs through a mesh network, typically formed on a temporary basis. In the infrastructure mode, client systems connect to an access point, which is connected to the wired network. Before a client system can connect to an access point, the system must provide a Service Set Identifier (SSID), an alphanumeric code configured on both the wireless NIC and the access point.
Wireless Security Challenges
Lack of user authentication, weak encryption and poor network address management are some security challenges of wireless networks. For example, an access point can authenticate hardware based on MAC or IP addresses and not require user authentication. Further, while WEP may be used to encrypt wireless transmission, this encryption is not difficult for hackers to break. Hackers can also monitor transmissions to determine SSIDs, which are not encrypted. SSIDs provide information on the name and availability of a wireless network. Wireless networks are also vulnerable to attacks such as man-in-the-middle attacks, rogue access points, session hijacking and denial of service.
In a wireless infrastructure, the access point authenticates the client and authorizes the connection. An attacker can set up a rogue access point with the same SSID and a stronger signal. This rogue access point then “traps” all information from the client to the authorized access point, an example of a “man-in-the-middle” attack. The client does not know that communications are being received at the rogue access point.
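One way to detect the rogue access point described above is to compare the beacons seen in a site survey against an inventory of authorized access points. This is an added example, not part of the original article; the inventory, SSID, BSSIDs and scan results are constructed, and the channel-mismatch check is an assumed heuristic.

```python
from dataclasses import dataclass

# Assumed inventory of authorized access points: SSID -> {BSSID: channel}.
AUTHORIZED = {
    "CORP-WLAN": {"00:11:22:33:44:01": 1, "00:11:22:33:44:02": 6},
}


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    rssi_dbm: int  # closer to 0 means a stronger signal


def find_rogue_aps(beacons, authorized=AUTHORIZED):
    """Return (ssid, bssid, reason) for beacons that reuse one of our SSIDs
    but do not match the inventory."""
    findings = []
    for ssid, known in authorized.items():
        ours = [b for b in beacons if b.ssid == ssid]
        # Strongest signal seen from a beacon that matches the inventory.
        legit = [b.rssi_dbm for b in ours
                 if known.get(b.bssid.lower()) == b.channel]
        best_legit = max(legit, default=None)
        for b in ours:
            bssid = b.bssid.lower()
            if bssid not in known:
                reason = "unregistered BSSID"
                if best_legit is not None and b.rssi_dbm > best_legit:
                    reason += ", stronger than every authorized AP"
            elif known[bssid] != b.channel:
                # Heuristic: a copied BSSID tends to appear on another channel.
                reason = "registered BSSID on unexpected channel"
            else:
                continue
            findings.append((ssid, bssid, reason))
    return findings


# Constructed scan results (not captured from a real network).
SCAN = [
    Beacon("CORP-WLAN", "00:11:22:33:44:01", 1, -62),
    Beacon("CORP-WLAN", "00:11:22:33:44:02", 6, -70),
    Beacon("CORP-WLAN", "DE:AD:BE:EF:00:01", 11, -41),  # same SSID, unknown radio
    Beacon("CORP-WLAN", "00:11:22:33:44:02", 11, -55),  # known BSSID, wrong channel
    Beacon("CoffeeShop", "AA:BB:CC:00:00:01", 3, -50),  # not our SSID, ignored
]
```

Because the SSID is not encrypted and can be copied, the check keys on the BSSID and channel from the inventory rather than on the network name.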
In session hijacking, the attacker sends a “disassociation” message to the client and thus drops the client from the connection to the access point. The attacker then spoofs the access point with identification information of the client and continues the communication.
In a denial-of-service attack, the attacker emulates the access point and continuously sends de-authentication and disassociation messages to the client systems, so the clients cannot connect to the access point. The attacker can also jam radio signals by generating radio noise in the frequency range used, preventing clients and access points from communicating.
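The flood of de-authentication and disassociation messages described above can be spotted by counting those frames per claimed source in a sliding time window. This is an added example, not part of the original article; the log format, addresses, window and threshold are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque

WINDOW_S = 10    # assumed sliding window, in seconds
THRESHOLD = 5    # assumed number of frames per window that raises an alert

# Constructed monitor log lines: "<seconds> <frame type> <claimed source> <destination>"
LOG_LINES = [
    "100.0 beacon 00:11:22:33:44:01 ff:ff:ff:ff:ff:ff",
    "101.5 deauth 00:11:22:33:44:01 66:77:88:99:aa:01",  # single frame, below threshold
    "garbled line",
] + [
    # Burst: eight frames in 1.4 s that claim to come from the second AP.
    f"{200 + i * 0.2:.1f} {'deauth' if i % 2 == 0 else 'disassoc'} "
    "00:11:22:33:44:02 ff:ff:ff:ff:ff:ff"
    for i in range(8)
]


def detect_floods(lines, window=WINDOW_S, threshold=THRESHOLD):
    """Return (claimed_source, burst_start, frame_count), one per flooding source."""
    recent = defaultdict(deque)   # claimed source -> timestamps inside the window
    alerted = set()
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[1] not in ("deauth", "disassoc"):
            continue              # skip other frame types and malformed lines
        try:
            ts = float(parts[0])
        except ValueError:
            continue
        src = parts[2].lower()
        stamps = recent[src]
        stamps.append(ts)
        while ts - stamps[0] > window:   # drop frames older than the window
            stamps.popleft()
        if len(stamps) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, stamps[0], len(stamps)))
    return alerts
```

The source address in an alert is only the address the frames claim, since the attacker emulates the access point; treat it as the identity being impersonated, not as the sender.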
Wireless Security Protocols
Several standards and protocols have been defined to better secure wireless networks, including:
- Wired Equivalent Privacy (WEP): The standard 802.11 wireless security protocol for data encryption. It uses a key to encrypt wireless data transmitted through the radio waves. It supports a 40-bit key and a 128-bit key. Attackers have been able to compromise both WEP key lengths.
- IEEE 802.1x User Authentication: An IEEE standard that works with WEP to provide the framework for strong authentication. The IEEE 802.1x consists of three components: supplicant (the client system); authenticator (provides the physical port to the network); and authentication server (verifies user credentials and provides key management).
- Extensible Authentication Protocol (EAP): A protocol used by 802.1x components to allow users to authenticate to a central server. Once the server authenticates the client, keys are sent to both the authenticator and the supplicant.
- Lightweight Extensible Authentication Protocol (LEAP): Developed by Cisco; also referred to as the Cisco Wireless EAP.
- Wi-Fi Protected Access (WPA): The emerging standard in wireless security to address the weaknesses in the WEP algorithms. WPA addresses two areas of security: authentication and encryption. It combines 802.1x authentication with stronger encryption. The encryption, referred to as the Temporal Key Integrity Protocol (TKIP), is based on the IEEE 802.11i draft. Note that the 802.11i draft also includes the Counter Mode with CBC-MAC Protocol (CCMP) specification. CCMP uses the Advanced Encryption Standard (AES), which provides strong encryption capability.
Getting Started: Wireless Security Policy
Security practitioners should first develop a policy for securing wireless devices and transmissions. The scope of this policy covers all wireless data communication devices connected to any of the organization’s networks. This includes any device capable of transmitting packet data.
The policy should include recommendations such as:
- Wireless implementations must maintain point-to-point hardware encryption of at least 128 bits.
- Wireless devices must maintain a hardware address that can be registered and tracked.
- Wireless devices must support strong user authentication that checks against an external database such as TACACS+, RADIUS or something similar.
- Laptop/PDA users must select strong passwords and must have anti-virus software installed with automatic updates.
- Screen savers must be activated after two to three minutes of idle time.
- Encryption must be used to store sensitive information on laptops.
Sensitive and confidential information transmitted over wireless networks typically is not encrypted and lacks proper authentication. A vulnerable wireless infrastru