Managing Security Risks in a Wireless World

Mano Paul

May 2008

Wireless networks are extremely prevalent today, both at home and in work settings. This increased adoption of wireless networks can be attributed to lower cost and ease of installation, combined with benefits such as increased portability and productivity.

Setting up wireless networks generally does not require drilling holes or cabling. All you need to do to connect is plug in a wireless access point (AP) or router. The lack of cabling expands a network to one without a physical boundary and allows an end-user to be portable and productive from anywhere within the wireless network range.

This open connectivity brings risks, however. Some are the same as on wired networks, while others are unique to, or amplified on, wireless networks. Poor security standards, coupled with immature technologies, flawed implementations and limited user awareness, make it difficult to design and deploy "secure" wireless networks. All the vulnerabilities of wired networks exist in wireless networks as well; the most noteworthy wireless-specific weakness is the openness of the communication medium (airwaves). This is akin to storing valuables in a glass safe.

Wireless security threats affect the confidentiality, integrity and availability (CIA) of resources and information. Organizations have information to protect, whether financial, personal or intellectual, and all of it can be sensitive. If encryption and other protective mechanisms between wireless devices are weak or vulnerable, unauthorized intruders can intercept traffic and gain access, disclosing sensitive information (confidentiality breach).

Disclosed information can be altered (integrity breach), intentionally by the intruder or unintentionally through malfunctioning data-synchronization routines between the wireless clients and the back-end storage. Intruders can also launch attacks against wireless devices on the network and consume network bandwidth, causing denial of service (DoS) (availability breach).

Know Your Enemy

Sixth-century Chinese general and master military strategist Sun Tzu, in his book Art of War, wrote: "Know your enemy and know yourself, find naught in fear for 100 battles."

Enemies and threat agents that exploit wireless security vulnerabilities can be grouped into three major categories:

Script kiddies ($cr1p7k1dd13s): These enemies are motivated primarily by the thrill of electronically trespassing and are deterred quite easily by simple security measures. They usually are unaware of the consequences of breach and use tools and scripts readily available to gain access to networks on which they are not authorized. They are the least of the threats and are also referred to as "war dialers."

Resource thieves: They consume resources such as bandwidth and disk space, downloading pirated movies, MP3s and pornography over stolen airwaves and networks. Like script kiddies, they are motivated by the thrill of freeloading and the need to remain untraced. They are capable of writing scripts to exploit vulnerabilities, but usually look for easily exploitable ones and do not pose a significantly greater threat than script kiddies.

Information thieves: They know exactly what they want (sensitive information), know how to get it, know how to hide their footprints and are capable of harm. They are not easily deterred and often go the extra mile in figuring out the network topology to gain access to the network.

The 5 W's of Wireless Networks

With an understanding of the risks and threat agents associated with wireless networks, the important questions to answer before designing and implementing a secure wireless network are:

  • Why do you need to set up a wireless network? Ease of access (flexibility), unrestricted workspace (portability and productivity).
  • Where are you setting up the wireless network? Home, work, public location.
  • Who will be using your wireless network? Internal employees, vendors, customers, general public.
  • What is it that you need to safeguard? Customer information, financial information, intellectual property, trade secrets.
  • When should you set up a wireless network? The right time is when you can acceptably manage and mitigate the risks.

Bare Necessities

At a bare minimum, the following should be in place to thwart intruders in wireless networks:

Change all default settings. Most wireless devices (routers and APs) ship with weak default configurations; blank admin passwords or "admin/admin" username/password combinations are classic examples. Because of flawed implementations and limited user awareness of the implications of deploying these devices with their default configurations, many wireless networks are susceptible to security threats.

Select products that can support more secure technologies. If backward compatibility requires you to support weaker security technologies such as Wired Equivalent Privacy (WEP) instead of Wi-Fi Protected Access (WPA and WPA2), do so only after performing a risk analysis and developing a plan to phase them out in favor of products that support more secure technologies. Examples of more secure technologies are WPA and client/AP isolation, in which the client devices on your wireless network cannot see one another.

Educate, train and certify users and employees. This is the most proactive approach to implementing security in wireless networks. There is no greater defense than educated and trained personnel making wise decisions pertinent to wireless security.

Get employees certified in wireless security. The Certified Information Systems Security Professional (CISSP) credential by (ISC)2 is a Gold Standard certification that covers wireless security concepts. Another good vendor-neutral certification is the Certified Wireless Security Professional (CWSP) by CWNP.

Placebo Wireless Security

Some of the most common wireless security measures are myths and give a false sense of security. These include:

SSID cloaking: The Service Set Identifier (SSID) of a wireless AP is the name broadcast to client devices (laptops, PDAs) so that they can associate with the AP. In SSID cloaking, the AP does not broadcast the SSID; instead it is distributed to the wireless network's users beforehand through out-of-band mechanisms. Most organizations use SSID cloaking as a security measure. Although the PCI Data Security Standard (PCI DSS) recommends it as a best practice, it provides little to no protection: every time a client associates with an AP, the SSID is present in clear text, and a man-in-the-middle (MITM) attacker can deduce it, allowing an intruder to easily bypass the intended security mechanism.

MAC address filtering: Every network device has a unique machine access code (MAC). Allowing access to your wireless network based on MAC addresses is akin to having a bouncer with a list of names to admit to the party. With a plethora of MAC spoofing tools available, and the MAC address sent in the header of every packet, MAC address filtering can easily be defeated.

Disabling DHCP: Dynamic Host Configuration Protocol (DHCP) provides the automatic assignment of Internet Protocol (IP) addresses for the clients associating with the wireless network. Disabling DHCP has little to no security value, as it would take a determined intruder fewer than 10 minutes to determine the IP assignment scheme and bypass security controls.

The Real Deal

Now that we are aware of how not to secure a wireless network, how should we?

Start with physical access control. Walls and physical boundaries provide little to no protection against wireless security threats. Nevertheless, it is imperative that wireless security measures be supplemented with physical security controls such as gated access, motion detectors, closed-circuit television (CCTV) and perimeter guards. These considerably reduce the risk from intruders such as parking-lot squatters who eavesdrop on your network, and they also help prevent theft of APs, resetting of APs to their insecure default configurations and the setting up of rogue APs (evil twins).
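Rogue APs and evil twins, mentioned above, are usually found by comparing what is heard over the air against an inventory of the APs you actually deployed. The following is an added example, not code from the article or from any wireless product: it assumes a monitoring sensor has already produced a list of observed beacons (BSSID, SSID, channel, signal strength) and classifies each radio against a constructed inventory. The `Beacon` class, the `AUTHORIZED` inventory and the `OBSERVED` sweep are all constructed sample data.

```python
"""Flag rogue and evil-twin access points from beacon observations.

Added example, not from the original article. It assumes a wireless
monitoring sensor has already produced a list of observed beacons
(BSSID, SSID, channel, signal strength); the authorized inventory and
the observations below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    bssid: str    # radio MAC address the beacon was sent from
    ssid: str     # network name advertised in the beacon
    channel: int
    rssi: int     # received signal strength in dBm (less negative = stronger)


# Constructed inventory: SSID -> BSSIDs of the APs you actually deployed.
AUTHORIZED = {
    "CorpNet": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
    "CorpGuest": {"00:11:22:33:44:03"},
}

# Constructed observations from one sensor sweep.
OBSERVED = [
    Beacon("00:11:22:33:44:01", "CorpNet", 6, -55),
    Beacon("00:11:22:33:44:02", "CorpNet", 11, -70),
    Beacon("00:11:22:33:44:03", "CorpGuest", 1, -60),
    Beacon("DE:AD:BE:EF:00:01", "CorpNet", 6, -40),      # our SSID, unknown radio
    Beacon("A4:5E:60:AA:BB:CC", "NeighborWifi", 3, -80),  # foreign network
]


def classify_beacons(beacons, authorized=AUTHORIZED):
    """Return {bssid: verdict} for every observed radio.

    ok             authorized BSSID advertising the SSID assigned to it
    misconfigured  authorized BSSID advertising some other SSID
                   (e.g. reset to defaults, as the article warns)
    evil_twin      unknown BSSID advertising one of our SSIDs
    unknown_ap     unknown BSSID advertising a foreign SSID
    """
    bssid_to_ssid = {b.lower(): s for s, bs in authorized.items() for b in bs}
    findings = {}
    for bc in beacons:
        bssid = bc.bssid.lower()
        if bssid in bssid_to_ssid:
            verdict = "ok" if bssid_to_ssid[bssid] == bc.ssid else "misconfigured"
        elif bc.ssid in authorized:
            verdict = "evil_twin"
        else:
            verdict = "unknown_ap"
        findings[bssid] = verdict
    return findings


def overpowering_evil_twins(beacons, authorized=AUTHORIZED):
    """Evil twins louder than every legitimate AP for the same SSID.

    These are the radios clients are most likely to roam to, which is the
    scenario the article describes (a rogue AP with a powerful antenna).
    """
    findings = classify_beacons(beacons, authorized)
    legit_max = {}
    for bc in beacons:
        if findings[bc.bssid.lower()] == "ok":
            legit_max[bc.ssid] = max(legit_max.get(bc.ssid, -1000), bc.rssi)
    return sorted(
        bc.bssid.lower()
        for bc in beacons
        if findings[bc.bssid.lower()] == "evil_twin"
        and bc.rssi > legit_max.get(bc.ssid, -1000)
    )


if __name__ == "__main__":
    for bssid, verdict in classify_beacons(OBSERVED).items():
        print(f"{bssid}  {verdict}")
    print("overpowering evil twins:", overpowering_evil_twins(OBSERVED))
```

The "misconfigured" verdict is the detection counterpart of the physical-security point: an inventoried AP that suddenly advertises a different SSID is a sign it was reset or replaced. Signal strength is compared per SSID because an evil twin only matters when clients prefer it to the real network.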

Use mutual authentication. In mutual authentication, the client devices authenticate to the network and, at the same time, the network authenticates to the client, using an authentication key in the AP or digital certificates. This mitigates the evil twin problem, in which an intruder sets up a rogue AP with powerful antennae, configured with your SSID. Clients associate with this access point because of its powerful antennae, and any cleartext traffic not protected by Transport Layer Security (TLS) or Secure Sockets Layer (SSL) is viewable by the intruder. Mutual authentication requires the evil twin rogue AP to authenticate with the network as well; without the authentication mechanisms available on the evil twin, the intruder's attack and intentions are thwarted. Dynamic WEP and WPA/WPA2 provide mutual authentication.
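The exchange described above, as an added example that is not part of the original article: a station challenges the AP first, so an evil twin that lacks the shared secret is rejected before the station sends any data, and only then does the station prove itself to the network. This is a model of the idea, not a real 802.11, 802.1X or EAP message format; HMAC-SHA256 over fresh nonces stands in for the real key-derivation steps, and the `Station`, `AccessPoint` and `demo` names are constructed.

```python
"""Mutual challenge-response authentication between a station and an AP.

Added example, not from the original article. It does not reproduce any
real 802.11, 802.1X or EAP message format; it models the idea the text
describes (each side proves knowledge of a shared secret to the other,
so an AP that lacks the secret is rejected before any data is sent) using
HMAC-SHA256 over fresh nonces. Class and message names are constructed.
"""
import hashlib
import hmac
import secrets


def _proof(key, role, nonce_a, nonce_b):
    """HMAC over a role label and both nonces. The label keeps an AP proof
    from being replayed back to the network as a station proof (reflection)."""
    msg = role + len(nonce_a).to_bytes(2, "big") + nonce_a + nonce_b
    return hmac.new(key, msg, hashlib.sha256).digest()


class AccessPoint:
    def __init__(self, ssid, key):
        self.ssid = ssid
        self.key = key            # None models an evil twin without the secret

    def respond(self, sta_nonce):
        """Step 2: answer the station's challenge and issue our own."""
        ap_nonce = secrets.token_bytes(16)
        # An AP without the secret can only answer with a guess.
        key = self.key if self.key is not None else secrets.token_bytes(32)
        return ap_nonce, _proof(key, b"AP", sta_nonce, ap_nonce)

    def verify_station(self, sta_nonce, ap_nonce, sta_proof):
        """Step 4: the network checks that the client knows the secret."""
        if self.key is None:
            return False
        expected = _proof(self.key, b"STA", ap_nonce, sta_nonce)
        return hmac.compare_digest(expected, sta_proof)


class Station:
    def __init__(self, key):
        self.key = key

    def associate(self, ap):
        """Run the handshake; True only when both sides have proven themselves."""
        sta_nonce = secrets.token_bytes(16)                    # step 1: challenge the AP
        ap_nonce, ap_proof = ap.respond(sta_nonce)              # step 2
        expected = _proof(self.key, b"AP", sta_nonce, ap_nonce)
        if not hmac.compare_digest(expected, ap_proof):         # step 3: AP failed to prove itself
            return False                                        # refuse to associate, send nothing
        sta_proof = _proof(self.key, b"STA", ap_nonce, sta_nonce)
        return ap.verify_station(sta_nonce, ap_nonce, sta_proof)   # step 4


def demo(shared_key=b"constructed-shared-secret"):
    """Returns (legit_ap_result, evil_twin_result, wrong_key_ap_result)."""
    sta = Station(shared_key)
    legit = AccessPoint("CorpNet", shared_key)
    evil_twin = AccessPoint("CorpNet", None)           # same SSID, no secret
    wrong_key = AccessPoint("CorpNet", b"guessed-key")
    return sta.associate(legit), sta.associate(evil_twin), sta.associate(wrong_key)


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to real deployments: the secret itself never crosses the air, only nonces and HMACs of them, and the role label inside the HMAC prevents one side's proof from being reused as the other's. In WPA/WPA2 the corresponding work is done by the four-way handshake over a pairwise master key; in WPA-Enterprise that key comes from the EAP exchange with the RADIUS server.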

Use encryption to protect the confidentiality and integrity of data. Physical security and authentication access controls will not suffice to protect the data transmitted on your wireless network. Encryption, the mechanism by which humanly readable text (cleartext or plaintext) is converted into humanly unreadable text (ciphertext), is one of the best defenses against data-disclosure and modification attacks.

There are many wireless encryption protocols to choose from, each with pros and cons, and an understanding of each will help you set up your wireless network securely. The two major families of wireless encryption technologies are Wired Equivalent Privacy (WEP), in Static and Dynamic forms, and Wi-Fi Protected Access (WPA), as WPA and WPA2.

WEP is the most basic form of wireless encryption. It comes in two flavors, Static WEP and Dynamic WEP. Static WEP is the traditional standard: a hexadecimal key is configured on the AP, and a client uses that key to authenticate with the AP. WEP uses the RC4 algorithm, and its implementation has been demonstrated to be crackable within minutes in most cases. Avoid it if you can; if compatibility reasons prevent that, consider using Dynamic WEP.

Dynamic WEP is more secure than Static WEP, as it uses the Extensible Authentication Protocol (EAP) along with the 802.1X protocol for user authentication. Additionally, the key is rotated frequently, making it more difficult to crack.

Following WEP came WPA, which is more secure than WEP, Static or Dynamic. It uses the Temporal Key Integrity Protocol (TKIP), which provides each associated client with a unique key, giving data confidentiality and integrity. WPA can be used with (WPA-Enterprise) or without (WPA-Personal) a Remote Dial-In User Authentication Service (RADIUS) server; when no RADIUS server is used, it relies on a pre-shared authentication key.

Today, WPA2 is the more secure wireless encryption technology. It uses the National Institute of Standards and Technology (NIST) recommended Advanced Encryption Standard (AES) as its encryption algorithm, which provides a higher degree of confidentiality and integrity protection. It is far more difficult to crack and can be used in both personal and enterprise modes.
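The integrity half of "confidentiality and integrity" is what separates the WEP family from TKIP and WPA2's CCMP: WEP's integrity check value was an unkeyed CRC-32, while TKIP and CCMP attach a keyed message integrity code (MIC) and a per-packet counter. The following is an added example, not code from the article or from any Wi-Fi implementation: it puts an unkeyed CRC check next to a keyed per-packet MIC with replay protection, using HMAC-SHA256 as a stand-in for the real MICs and a constructed `seq | payload | mic` layout that is not the 802.11 frame format.

```python
"""Unkeyed checksum versus keyed per-packet MIC with a sequence counter.

Added example, not from the original article. WEP's integrity check value
was an unkeyed CRC-32; TKIP and CCMP instead attach a keyed message
integrity code and a per-packet counter. This model uses HMAC-SHA256 as a
stand-in for the real MICs and invents its own frame layout
(seq | payload | mic); it is not the 802.11 frame format.
"""
import hashlib
import hmac
import struct
import zlib

SEQ_LEN = 8   # bytes of sequence counter at the front of a frame
MIC_LEN = 8   # bytes of truncated MIC at the end of a frame


def unkeyed_icv(payload):
    """CRC-32 'integrity check value': computable by anyone, no secret needed."""
    return struct.pack(">I", zlib.crc32(payload))


def unkeyed_check(payload, icv):
    """Receiver check for the unkeyed scheme."""
    return unkeyed_icv(payload) == icv


def keyed_mic(key, seq, payload):
    """Keyed MIC that binds the sequence number to the payload."""
    mac = hmac.new(key, struct.pack(">Q", seq) + payload, hashlib.sha256)
    return mac.digest()[:MIC_LEN]


def seal(key, seq, payload):
    """Sender side of the keyed scheme: seq | payload | mic."""
    return struct.pack(">Q", seq) + payload + keyed_mic(key, seq, payload)


class Receiver:
    """Receiver side: verify the MIC first, then enforce a strictly increasing counter."""

    def __init__(self, key):
        self.key = key
        self.last_seq = -1

    def open(self, frame):
        if len(frame) < SEQ_LEN + MIC_LEN:
            return None
        seq = struct.unpack(">Q", frame[:SEQ_LEN])[0]
        payload, mic = frame[SEQ_LEN:-MIC_LEN], frame[-MIC_LEN:]
        if not hmac.compare_digest(keyed_mic(self.key, seq, payload), mic):
            return None          # modified in transit or produced without the key
        if seq <= self.last_seq:
            return None          # replay of an old frame
        self.last_seq = seq
        return payload


def demo(key=b"constructed-session-key"):
    """Exercise both schemes on constructed payloads; returns a dict of outcomes."""
    original, altered = b"transfer 100", b"transfer 900"
    rx = Receiver(key)
    genuine = seal(key, 1, original)
    # Splice a different payload into the genuine frame, keeping seq and mic.
    spliced = genuine[:SEQ_LEN] + altered + genuine[-MIC_LEN:]
    return {
        # CRC does catch accidental corruption...
        "crc_detects_accident": not unkeyed_check(altered, unkeyed_icv(original)),
        # ...but anyone can attach a fresh valid CRC to a changed payload: no key involved.
        "crc_accepts_recomputed": unkeyed_check(altered, unkeyed_icv(altered)),
        "mic_rejects_spliced": rx.open(spliced) is None,
        "mic_accepts_genuine": rx.open(genuine) == original,
        "mic_rejects_replay": rx.open(genuine) is None,
        "mic_rejects_wrong_key": Receiver(b"other-key").open(seal(key, 2, original)) is None,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The order of checks in `Receiver.open` matters: the MIC is verified before the counter is consulted, so a forged frame cannot advance the receiver's replay window, and the counter is only updated after a frame is accepted.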

Being Unwired, Yet Secure

Configuring and maintaining your wireless network securely is critically important to keep electronic trespassers and eavesdroppers away from it and from your sensitive data. The following are recommended best practices and standards for wireless security:

  • Develop a wireless security policy.
  • Periodically assess risks of your wireless networks.
  • Periodically test and evaluate your wireless security controls.
  • Develop a secure wireless architecture that is consistent with your policy.
  • Develop your wireless security plans, factoring in performance, usability and risks supporting your architecture and policy.
  • Maintain a secure wireless network on an ongoing basis.

About the Author

Mano Paul, CISSP, MCAD, MCSD, Network+, ECSA, LPT is a founder and president of Express Certifications, a professional training and certification company. He has been featured in various domestic and international security conferences and contributed to and published various security articles. He can be reached at editor@certmag.com.

This article is reprinted courtesy of www.certmag.com.