The network administrator must be aware of the security issues when configuring an 802.11 wireless LAN. The fact is, radio frequencies will pass through walls, ceilings, and floors of a building even with low signal power. Therefore, the assumption should never be made that the wireless data is confined to only the user’s area. The network administrator must assume that the wireless data can be received by an unintended user. In other words, the use of an unsecured wireless LAN is opening a potential threat to network security.
One threat to wireless networks is war driving. War driving is a term that applies to driving with an antenna out the door connected to a mobile device running Windows or Linux. A wireless card in a PC and a software application are used to detect the management packets that come from wireless access points. (Some access points allow the management packets to be turned off.) All 11 channels must be cycled through to check for data (management packets). The software can also determine whether wireless security is turned on, the type of access points, and so on. If the wireless security features are not enabled, the packets that come from the access points can be viewed, and the attacker can attempt to break into the network.
Wireless Security Protection
To address this threat to WLAN security, the network administrator must ensure that the WLAN is protected by firewalls and intrusion detection, and most importantly the network administrator must make sure that the wireless security features are enabled. This might seem to be a bold statement, but surprisingly enough, many WLANs are placed on a network without turning on available wireless security features. Many times the user in the WLAN assumes that no one would break into her computer because nothing important exists on the system. This may be true, but to an attacker, the user has one very important item—access to the wired network through an unsecured client.
SSID for Authentication
WLANs use an SSID (service set identifier) to authenticate users, but the problem is that the SSID is broadcast in radio link beacons about 10 times per second. In WLAN equipment, the beacons are transmitted so that a wireless user can identify an access point to connect to. The SSID can be turned off so that it isn't transmitted with a beacon, but it is still possible for the SSID to be obtained by packet sniffing. As noted previously, packet sniffing is a technique used to scan through unencrypted data packets to extract information. In this case, an attacker uses packet sniffing to extract the SSID from data packets. Disabling SSID broadcasting means that most client devices (such as Windows PCs and laptops) won't notice that the wireless LAN is present. This at least keeps "casual snoopers" off the network.
Enterprise-grade access points implement multiple SSIDs, with each configured SSID having its own VLAN and wireless configuration. This allows the deployment of a common wireless LAN infrastructure that supports multiple levels of security, which is important for venues such as airports and hospitals (where there are both public and private users).
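The beacon fields discussed above (the SSID, whether it is hidden, and whether wireless security is turned on) can be read directly from a beacon frame. The following is an added example for auditing your own access points, not code from the original article; the sample frames are constructed test data, and the function names are hypothetical.

```python
import struct

WPA_VENDOR = bytes.fromhex("0050f201")   # vendor element prefix that marks WPA

def parse_beacon(frame: bytes) -> dict:
    """Parse a bare 802.11 beacon frame (no radiotap header, no FCS)."""
    if len(frame) < 36 or frame[0] != 0x80:      # version 0, management, subtype 8
        raise ValueError("not a beacon frame")
    interval, capab = struct.unpack_from("<HH", frame, 32)
    out = {"bssid": frame[16:22].hex(":"), "ssid": None, "hidden": False,
           "channel": None,
           "beacons_per_sec": round(1000 / (interval * 1.024), 1) if interval else None}
    found = set()
    pos = 36                                     # 24-byte header + 12 fixed bytes
    while pos + 2 <= len(frame):
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elen]
        if len(body) < elen:
            break                                # truncated element: stop parsing
        if eid == 0:                             # SSID; empty or all-zero = hidden
            out["hidden"] = not any(body)
            out["ssid"] = None if out["hidden"] else body.decode("utf-8", "replace")
        elif eid == 3 and elen == 1:             # DS parameter set carries the channel
            out["channel"] = body[0]
        elif eid == 48:                          # RSN element is advertised by WPA2
            found.add("WPA2")
        elif eid == 221 and body.startswith(WPA_VENDOR):
            found.add("WPA")
        pos += 2 + elen
    out["security"] = ("WPA2" if "WPA2" in found else "WPA" if "WPA" in found
                       else "WEP" if capab & 0x0010 else "none")   # 0x0010 = Privacy
    return out

def make_beacon(ssid: bytes, capab: int, extra: bytes = b"") -> bytes:
    """Build a constructed sample beacon on channel 6 (test data, not a capture)."""
    hdr = (bytes.fromhex("80000000") + b"\xff" * 6
           + bytes.fromhex("02000000aa01") * 2 + b"\x00\x00")
    fixed = struct.pack("<QHH", 0, 100, capab)   # timestamp, 100 TU interval, capabilities
    return hdr + fixed + bytes([0, len(ssid)]) + ssid + bytes([3, 1, 6]) + extra

RSN = bytes([48, 18]) + bytes.fromhex("0100000fac040100000fac040100000fac01")
SAMPLES = [make_beacon(b"guest", 0x0401),        # constructed: no privacy bit
           make_beacon(b"legacy", 0x0411),       # constructed: privacy bit only
           make_beacon(b"", 0x0411, RSN)]        # constructed: hidden SSID, RSN present

def audit(frames):
    """Return (ssid, security) for beacons advertising no security or WEP only."""
    return [(r["ssid"], r["security"]) for r in map(parse_beacon, frames)
            if r["security"] in ("none", "WEP")]
```

The default beacon interval of 100 time units (1024 microseconds each) works out to just under 10 beacons per second, which matches the rate given above.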
Open and Shared Key Authentication
IEEE 802.11 supports two ways to authenticate clients: open and shared key. Open authentication basically means that the correct SSID is being used. In shared key authentication, a packet of text is sent by the access point to the client with the instruction to encrypt the text and return it to the access point. This requires that wired equivalent privacy (WEP) be turned on. WEP is used to encrypt and decrypt wireless data packets. The exchange and return of the encrypted text verify that the client has the proper WEP key and is authorized to be a member of the wireless network. It is important to note that shared key authentication is extremely vulnerable. As a result, it's standard practice to avoid the use of shared key authentication.
There is some concern that WEP encryption isn't strong enough to secure a wireless network. There is published information about WEP vulnerabilities, but even with this, WEP does provide some basic security and is certainly better than operating the network with no security.
WPA and WPA2
WPA and WPA2 provide improved wireless security. WPA stands for Wi-Fi Protected Access; it supports the user authentication provided by 802.1x and replaces WEP as the primary way of securing wireless transfers. WPA2 is an improved version of WPA. The 802.1x standard enhances wireless security by incorporating authentication of the user. Cisco Systems uses an 802.1x authentication system called LEAP. In Cisco LEAP, the user must enter a password to access the network. This means that if the wireless client is being used by an unauthorized user, the password requirement will keep the unauthorized user out of the network.
EAP and RADIUS
WPA is considered to be a higher level of security for wireless systems. In the 802.1x system, a user requests access to the wireless network via an access point. The next step is for the user to be authenticated. At this point, the user can only send EAP messages. EAP is the Extensible Authentication Protocol and is used in both WPA and WPA2 by the client computer and the access point. The access point sends an EAP message requesting the user's identity. The user (client computer) returns its identity information, which the access point forwards to an authentication server. The server will then accept or reject the user's request to join the network. If the client is authorized, the access point will change the user's (client's) state to authorized. A Remote Authentication Dial-In User Service (RADIUS) service is sometimes used to provide authentication. This type of authentication helps prevent unauthorized users from connecting to the network. Additionally, this authentication helps to keep authorized users from connecting to rogue or unauthorized access points.
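The identity exchange and the change of port state described above, with both sides' EAP messages encoded in the RFC 3748 packet layout, as an added example that is not from the original article. The class and function names are hypothetical, and the authentication server's credential check (an EAP method carried over RADIUS in a real deployment) is reduced here to a constructed allow-list so that the flow stays visible.

```python
import struct

REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4   # EAP codes (RFC 3748)
IDENTITY = 1                                       # EAP type 1 = Identity

def eap_pack(code, ident, eap_type=None, data=b""):
    """Encode an EAP packet: code, identifier, 16-bit length, then type + data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def eap_unpack(pkt):
    """Decode and validate an EAP packet; returns (code, identifier, type, data)."""
    if len(pkt) < 4:
        raise ValueError("short EAP packet")
    code, ident, length = struct.unpack_from("!BBH", pkt)
    if not 4 <= length <= len(pkt):
        raise ValueError("bad EAP length")
    if code in (REQUEST, RESPONSE) and length > 4:
        return code, ident, pkt[4], pkt[5:length]
    return code, ident, None, b""                    # Success/Failure carry no type

def auth_server(ident, identity, allowed=(b"alice@example.test",)):
    """Constructed stand-in for the RADIUS server and its credential check."""
    return eap_pack(SUCCESS if identity in allowed else FAILURE, ident)

class AccessPoint:
    """Authenticator: the client's port is unauthorized until EAP-Success."""
    def __init__(self, server):
        self.server, self.authorized, self.ident = server, False, 1
    def identity_request(self):
        return eap_pack(REQUEST, self.ident, IDENTITY)
    def on_eap(self, pkt):
        code, ident, eap_type, data = eap_unpack(pkt)
        if (code, ident, eap_type) != (RESPONSE, self.ident, IDENTITY):
            return eap_pack(FAILURE, self.ident)     # unexpected message
        reply = self.server(ident, data)             # relayed to the server
        self.authorized = eap_unpack(reply)[0] == SUCCESS
        return reply
    def forward(self, frame):
        return frame if self.authorized else None    # non-EAP traffic is dropped

def join(identity):
    """Run one exchange; returns (data before auth, final EAP code, data after)."""
    ap = AccessPoint(auth_server)
    before = ap.forward(b"dhcp-discover")
    _, ident, _, _ = eap_unpack(ap.identity_request())   # client reads the request
    final = ap.on_eap(eap_pack(RESPONSE, ident, IDENTITY, identity))
    return before, eap_unpack(final)[0], ap.forward(b"dhcp-discover")
```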
Virtual Private Networks
Another way to further protect data transmitted over a WLAN is to establish a VPN connection. In this way, the data is protected from an attacker.
Basic Guidelines for Wireless Security
The following are basic guidelines for wireless security:
- Make sure the wireless security features are turned on.
- Use firewalls and intrusion detection on your WLAN.
- Improve authentication of the WLAN by incorporating 802.1x features.
- Consider using third-party end-to-end encryption software to protect the data that might be intercepted by an unauthorized user.
- Whenever possible, use encrypted services such as SSH and Secure FTP.
The bottom line is that the choice of the level of security will be based on multiple factors within the network. For example, what is the cost-benefit ratio of increased security? How will incorporating or not incorporating increased wireless security affect users? The network administrator and the overall management will have to make the final decision regarding wireless security before it is installed and the network becomes operational.
Published on Sun 20 January 2013 by Dave Hellman in Security with tag(s): security wireless lans