Wireless LAN Security Overview
As new deployments of Wireless LANs proliferate, security flaws are being identified and new techniques to exploit them are freely available over the Internet.
Sophisticated hackers use long-range antennas that are either commercially available or built easily with cans or cylinders found in a kitchen cupboard and can pick up 802.11b signals from up to 2,000 feet away. The intruders can be in the parking lot or completely out of site. Simply monitoring the adjacent parking lots for suspicious activity is far from solving the security issues around WLANs.
Many manufacturers ship APs with WEP disabled by default and are never changed before deployment. In an article by Kevin Poulsen titled "War driving by the Bay", he and Peter Shipley drove through San Francisco rush hour traffic and with an external antenna attached to their car and some custom sniffing software, and within an hour discovered close to eighty (80) wide open networks. Some of the APs even beacon the company name into the airwaves as the SSID.
a. Authentication and Encryption
Since the security provided by WEP alone including the new 802.1x Port Based IEEE standard is extremely vulnerable, stronger authentication and encryption methods should be deployed such as
Wireless VPNs using Remote Authentication Dial-In User Service
The VPN layer employs strong authentication and encryption mechanisms between the wireless access points and the network, but do impact performance, a VPN (IPSec) client over a wireless connection could degrade performance up to 25%. RADIUS systems are used to manage authentication, accounting and access to network resources.
While VPNs are being represented as a secure solution for wireless LANs, one-way authentication VPNs are still vulnerable to exploitation. In large organizations that deploy dial-up VPNs by distributing client software to the masses, incorrect configurations can make VPNs more vulnerable to "session hi-jacking". There are a number of known attacks to one-way authentication VPNs and RADIUS systems behind them that can be exploited by attackers. Mutual authentication wireless VPNs offer strong authentication and overcome weaknesses in WEP.
b. Attacking Wireless LANs
With the popularity of Wireless LANs growing, so is the popularity of hacking them. It is important to realize that new attacks are being developed based on old wired network methods. Strategies that worked on securing wired resources before deploying APs need to be reviewed to address new vulnerabilities.
These attacks provide the ability to:
Monitor and manipulate traffic between two wired hosts behind a firewall Monitor and manipulate traffic between a wired host and a wireless host Compromise roaming wireless clients attached to different Access Points
Monitor and manipulate traffic between two wireless clients
Below are some known attacks to wireless LANs that can be applied to
VPNs and RADIUS systems:
Session hijacking can be accomplished by monitoring a valid wireless station successfully complete authenticating to the network with a protocol analyzer. Then the attacker will send a spoofed disassociate message from the AP causing the wireless station to disconnect. When WEP is not used the attacker has use of the connection until the next time out Session hijacking can occur due to vulnerabilities in 802.11 and 802.1x state machines. The wireless station and AP are not synchronized allowing the attacker to disassociate the wireless station while the AP is unaware that the original wireless station is not connected.
Wireless LAN deployments should be made as secure as possible. Standard 802.11 security is weak and vulnerable to numerous network attacks. This paper has highlighted these vulnerabilities and described how it can be solved to create secure wireless LANs.
Some security enhancement features might not be deployable in some situations because of device limitations such as application specific devices (ASDs such as 802.11 phones capable of static WEP only) or mixed vendor environments. In such cases, it isimportant that the network administrator understand the potential WLAN security vulnerabilities