Before you uncrate one piece of network equipment for a mass deployment, you need to have the right design in place. Good network design is often the difference between a successful rollout and a torrent of user complaints.
Many organizations are now considering deployment of wireless LANs and are working on the basic network designs before going to pilot projects. As always, network security is a concern. The problems with security on 802.11 networks have been widely reported elsewhere. Network architects are now faced with the challenge of designing secure networks in light of the known problems. This article will discuss seven of the most pressing wireless LAN security problems and potential designs that can mitigate the risk associated with each of them.
Wireless LANs are easy to find. Strictly speaking, this is not a security threat. All wireless networks need to announce their existence so potential clients can link up and use the services provided by the network. 802.11 requires that networks periodically announce their existence to the world with special frames called Beacons.
However, the information needed to join a network is also the information needed to launch an attack on a network. Beacon frames are not processed by any privacy functions, which means that your 802.11 network and its parameters are available for anybody with an 802.11 card. "War drivers" have used high-gain antennas and software to log the appearance of Beacon frames and associate them with a geographic location using GPS.
Short of moving into heavily-shielded office space that does not allow RF signals to escape, there is no solution for this problem. The best you can do is to mitigate the risk by using strong access control and encryption solutions to prevent a wireless network from being used as an easy entry point into the network. Deploy access points outside firewalls, and protect sensitive traffic with VPNs.
Easy access to wireless LANs is coupled with easy deployment. When combined, these two characteristics can cause headaches for network administrators. Any user can run to a nearby computer store, purchase an access point, and connect it to the corporate network without authorization. Many access points are now priced well within the signing authority of even the most junior managers. Departments may also be able to roll out their own wireless LANs without authorization from the powers that be.
"Rogue" access points deployed by end users pose great security risks. End users are not security experts, and may not be aware of the risks posed by wireless LANs. Most existing small deployments mapped by war drivers do not enable the security features on products, and many access points have had only minimal changes made to the default settings. It is hard to believe that end users within a large corporation will do much better.
Unfortunately, no good solution exists to this concern. Tools like NetStumbler allow network administrators to wander their building looking for unauthorized access points, but it is expensive to devote time to wandering the building looking for new access points.
Monitoring tools will also pick up other access points in the area, which may be a concern if you are sharing a building or a floor with another organization. Their access points may cover part of your floor space, but their access points do not directly compromise your network and are not cause for alarm. The periodic "walk-through" of your campus is the only way to address the threat of unauthorized deployment. At least network analyzers are moving to a handheld form, so you won't have to carry as much.
Several war drivers have published results indicating that a clear majority of access points are put in service with only minimal modifications to their default configuration. Nearly all of the access points running with default configurations have not activated WEP (Wired Equivalent Privacy) or have a default key used by all the vendor's products out of the box. Without WEP, network access is usually there for the taking.
Two problems can result from such open access. In addition to bandwidth charges for unauthorized use, legal problems may result. Unauthorized users may not necessarily obey your service provider's terms of service, and it may take only one spammer to cause your ISP to revoke your connectivity.
Whether unauthorized use is a problem depends on the objectives of the service. For corporate users extending wired networks, access to wireless networks must be as tightly controlled as for the existing wired network. Strong authentication is a must before access is granted to the network.
If you have deployed a VPN to protect the network from wireless clients, it probably has strong authentication capabilities already built-in. Administrators can also choose to use 802.1x to protect the network from unauthorized users at the logical point of attachment. 802.1x also allows administrators to select an authentication method based on Transport Layer Security (TLS), which can be used to ensure that users attach only to authorized access points.
Not all networks, however, need to deploy ironclad user authentication. Theft of service was a major concern for connectivity providers in "hot spots" such as hotels and airports. After all, the business model was to charge for network access, so preventing unauthorized access was a business requirement. In the wake of the spectacular failure of some of the former big-name players like MobileStar, the hot-spot connectivity industry is experimenting with new business models.
Newer players in the market have based the business model on the idea that free wireless network access is an amenity that might draw guests and convention business. In this newer business model, user authentication is necessary only to ensure accountability. Authentication using a Web browser is a perfectly acceptable solution because it allows sessions to be identified and does not require specialized client software or a certain model of 802.11 network interface.
Wireless LANs have limited transmission capacity. Networks based on 802.11b have a bit rate of 11 Mbps, and networks based on the newer 802.11a technology have bit rates up to 54 Mbps. This capacity is shared between all the users associated with an access point. Due to MAC-layer overhead, the actual effective throughput tops out at roughly half of the nominal bit rate. It is not hard to imagine how local area applications might overwhelm such limited capacity, or how an attacker might launch a denial of service attack on the limited resources.
Radio capacity can be overwhelmed in several ways. It can be swamped by traffic coming in from the wired network at a rate greater than the radio channel can handle. If an attacker were to launch a ping flood from a Fast Ethernet segment, it could easily overwhelm the capacity of an access point. Depending on the deployment scenario, it might even be possible to overwhelm several access points by using a broadcast address as the destination of the ping flood.
Attackers could also inject traffic into the radio network without being attached to a wireless access point. The 802.11 MAC is designed to allow multiple networks to share the same space and radio channel. Attackers wishing to take out the wireless network could send their own traffic on the same radio channel, and the target network would accommodate the new traffic as best it could using the CSMA/CA mechanisms in the standard.
Large traffic loads need not be maliciously generated, either, as any network engineer can tell you. Large file transfers or complex client/server systems may transfer large amounts of data over the network to assist users with their jobs. If enough users start pulling vast tracts of data through the same access point, network access may resemble sucking molasses through a straw north of the Arctic Circle in January.
Addressing performance problems starts with monitoring and discovering them. Many access points will report statistics via SNMP, but not with the level of detail required to make sense of end-user performance complaints. Wireless network analyzers can report on the signal quality and network health at a single location, but tools designed for wireless network administrators are only beginning to emerge.
The initial commercial wireless analyzer offerings were straightforward ports of their wired cousins; new products such as AirMagnet's handheld analyzer look like extremely promising additions to the wireless network engineer's toolkit. No enterprise-class wireless network management system has yet emerged. Some performance complaints could be addressed by deploying a traffic shaper at the point at which a wireless LAN connects to your network backbone. While this will not defend against denial of service attacks, it may help prevent heavy users from monopolizing the radio resources in an area.
802.11 networks do not authenticate frames. Every frame has a source address, but there is no guarantee that the station sending the frame actually put the frame "in the air." Just as on traditional Ethernet networks, there is no protection against forgery of frame source addresses.
Attackers can use spoofed frames to redirect traffic and corrupt ARP tables. At a much simpler level, attackers can observe the MAC addresses of stations in use on the network and adopt those addresses for malicious transmissions.
To prevent this class of attacks, user authentication mechanisms are being developed for 802.11 networks. By requiring authentication by potential users, unauthorized users can be kept from accessing the network. (Denial of service attacks will still be possible, though, because nothing can keep attackers from having access to the radio layer.)
The basis for the user authentication mechanism is the 802.1x standard ratified in June 2001. 802.1x can be used to require user authentication before accessing the network, but additional features are necessary to provide all of the key management functionality wireless networks require. The additional features are currently being ironed out by Task Group I for eventual ratification as 802.11i.
Attackers can use spoofed frames in active attacks as well. In addition to hijacking sessions, attackers can exploit the lack of authentication of access points. Access points are identified by their broadcasts of Beacon frames. Any station that claims to be an access point and broadcasts the right service set identifier (SSID, also commonly called a network name) will appear to be part of an authorized network.
Attackers can, however, easily pretend to be an access point because nothing in 802.11 requires an access point to prove it really is an access point. At that point, the attacker could potentially steal credentials and use them to gain access to the network through a man-in-the-middle (MITM) attack.
Fortunately, protocols that support mutual authentication are possible with 802.1x. Using methods based on TLS, access points will need to prove their identity before clients provide authentication credentials, and credentials are protected by strong cryptography for transmission over the air.
Session hijacking will not be completely solved until the 802.11 MAC adopts per-frame authentication. Until that point, if session hijacking is a concern, you must deploy a cryptographic protocol on top of 802.11 to protect against hijacking.
802.11 provides no protection against attacks that passively observe traffic. The main risk is that 802.11 does not provide a way to secure data in transit against eavesdropping. Frame headers are always "in the clear" and are visible to anybody with a wireless network analyzer. Security against eavesdropping was supposed to be provided by the much-maligned Wired Equivalent Privacy specification.
A great deal has been written about the flaws in WEP. It protects only the initial association with the network and user data frames. Management and control frames are not encrypted or authenticated by WEP, leaving an attacker wide latitude to disrupt transmissions with spoofed frames.
Early WEP implementations are vulnerable to cracking by tools such as AirSnort and WEPCrack, but the latest firmware releases from most vendors eliminate all known attacks. The latest products go one step farther and use key management protocols to change the WEP key every 15 minutes. Even the busiest wireless LAN does not generate enough data for known attacks to recover the key in 15 minutes.
Whether you rely on WEP solely, or layer stronger cryptographic solutions on top of it is largely a question of risk management. The latest product releases have no known vulnerabilities. While that is some comfort, the same claim could have been made in July 2001 before release of the current generation of WEP-cracking tools. If your wireless LAN is being used for sensitive data, WEP may very well be insufficient for your needs. Strong cryptographic solutions like SSH, SSL, and IPSec were designed to transmit data securely over public channels and have proven resistant to attack over many years, and will almost certainly provide a higher level of security.
Previously in the Series
Once an attacker gains access to a wireless network, it can serve as a launch point for attacks on other systems. Many networks have a hard outer shell composed of perimeter security devices that are carefully configured and meticulously monitored. Inside the shell, though, is a soft, vulnerable (and tasty?) center.
Wireless LANs can be deployed quickly if they are directly connected to the vulnerable backbone, but that exposes the network to attack. Depending on the perimeter security in place, it may also expose other networks to attack, and you can bet that you will be quite unpopular if your network is used as a launch pad for attacks on the rest of the world. The solution is straightforward in theory: treat the wireless network as something outside the security perimeter, but with special access to the inside of the network. Although security diligence is time consuming, so is being sued.
Although wireless LAN security can seem challenging because of the press it has generated, most of the challenges can be addressed by reasonable security precautions. Network designs will, of course, continue to be affected by the development of new technologies and user demands.
The next wave of wireless LANs is likely to be driven by mobility. 802.11 provides link-layer mobility. Users can move transparently within an IP subnet with no effect on their applications or connection. Once you leave the cozy confines of a single network segment, though, all bets are off. For now, I'll leave mobility to the realm of new technology that is just over the horizon, as well as the network engineers who will need to make sense of it when it arrives.
Matthew Gast is the director of product management at Aerohive Networks responsible for the software that powers Aerohive's networking devices.
O'Reilly & Associates published 802.11 Wireless Networks: The Definitive Guide by Matthew Gast in April, 2002.
You can also look at the Full Description of the book.
For more information, or to order the book, click here.
Return to the Wireless DevCenter.
Copyright © 2009 O'Reilly Media, Inc.