copyright notice
accesses since January 4, 2007

Better-than-Nothing Security Practices™

For Securing Wireless

v 0.0.3

Hal Berghel

Jacob Uecker

Introduction

This document outlines a number of steps that can be taken to secure wireless networks. Wireless networking is quickly becoming one of the most vulnerable, unsecured and popular forms of networking. The ability to communicate on the Internet without the tether of wires is extremely attractive. It allows one to wander anywhere within the wireless network bubble with their 802.11 device where they used to be confined to their stationary desktop plugged into their network cable. Networks can be setup to include voice-over-IP (VoIP) phones and wireless PDAs. The world of networking is exploding with the possibilities provided by the cheap equipment and inherent medium used by 802.11x networking. Unfortunately this accessibility is not without cost. The cost is measured in terms of vulnerability to attack from malicious hackers who can exploit the intrinsic wireless protocol problems to get at sensitive data or even compromise computer hardware to the point of total control. While total security of any network is a near impossibility, there are a number of steps to ensure a wireless network will be less likely to be hacked with respect to the neighbors' unsecured network. While this is a somewhat selfish philosophy, this tactic will channel intruders toward the easier to compromise network.

First, word or two about how to use this document. New wireless devices are being created daily and each one with different capabilities and features. This makes it extremely difficult to provide a step-by-step guide to configuring a wireless network with all equipment out there. Instead we have taken the approach of giving directions from a number of common appliances where the general configuration scheme can be taken from. We also provide the steps to configure a Windows computer to connect to these devices. So to effectively use the documentation that we've provided, it is probably going to have to be adapted to your specific networking equipment. The specifics of where to click and how to access each setting is left to you, the reader and the documentation provided with your device.

If you have any suggestions or comments please let us know.

Copyright © 2003 by Hal Berghel and Jacob Uecker. All Rights Reserved.


Table of Contents

  1. Encryption
  2. Authentication
  3. Signal Strength and RF
  4. Firewalls, ACLs, and Web Management
  5. SSID
  6. Client Side Protections
  7. VPNs
  8. Logging
  9. MITM Protections
  10. Network Design

1. Encryption

Encryption is one of the most important aspects to wireless security. Encryption tries to protect the confidentiality of the information that is being transmitted over the airwaves by making the information unreadable to everyone by the intended recipient. Since it is possible for anyone with a receiver tuned to the right frequency can recover the data being transferred (wireless data frames), this confidentiality of information is critical. To preserve this information, a strong encryption technique must be used. Notice the emphasis on strong. It is possible to encrypt data in ways that are not very hard for a hacker to recover. In the world of wireless networking, a somewhat early and weak encryption mechanism was called WEP (Wired Equivalent Privacy). Initially, WEP was used as a way to encrypt wireless data. Users would input a secret key of a specific length on the client computer (like the laptop) and the networking device (like the wireless router). These keys would have to be exactly the same to allow access on the network. WEP provided encryption of data as well as a weak authentication mechanism. Authentication is the process of deciding who is allowed on the network and who is not. In requiring that someone know the key that must be entered for encryption, authentication has been introduced. Unfortunately, as mentioned, WEP is weak. Since its creation, it has since been completely compromised. In fact, WEP does very little to protect data.

What is current in the world of wireless security is always changing. This is partially due to the newness of wireless technology. As the demand for the better, faster and more secure increases, products will be developed and marketed to meet the demand. With that in mind, the Better-Than-Nothing recommendation is reflective of the current technology.

Recommendation: Use WPA-AES as an encryption policy

Currently WPA (Wi-Fi Protected Access) that uses AES is the most effective way to encrypt wireless frames. In English? WPA-AES is another encryption technique that has been created to help safeguard data as it is sent over the air. Use it. So far, it's the strongest thing that's commonly supported on wireless networking devices. Some of the older equipment out there won't support it, but if you're serious about security then run, don't walk, to your nearest computer electronic store and upgrade. The reason is really simple. Imagine a hacker was sitting in an apartment complex with the intention of hijacking someone's wireless network to, say, get free Internet access. If they were presented with a network encrypted with WEP-AES, WEP and an open network, the open network would be the first to go. The WEP network wouldn't be too far behind due to its flawed design. WPA-AES would definitely be the last and most difficult to break into. That isn't to say that it is impossible and that if you run a wireless network with strong encryption, you can't be hacked. That's a little like saying that if you install high quality locks on the doors and windows of your house, it can't be broken into. One simply doesn't follow from the other. But it is more likely that a burglar would rob your neighbor's house with unlocked windows and screen doors.

Certainly WPA-AES isn't the only form of wireless encryption out there. Another form of WPA that can be used is called TKIP. Soon after the vulnerabilities in WEP were discovered, it became very apparent that a substitute had to be found. While stronger security had been the primary thrust of 802.11i (another wireless networking standard), the world was in desperate need of a stronger encryption option before the standard could be passed. To this end, TKIP was released in 2003 which works as a kind of shell that fits around the flawed WEP package to improve security. It worked with a firmware upgrade rather than new hardware (which is required with stronger encryption). Unfortunately, it too has its problems, albeit not nearly as serious as with vanilla WEP.

There are also two different ways that WPA (either TKIP or AES) can be used. The more common way of using WPA is pre-shared key (PSK). This means that the same key (or password) is placed in the both the client and access point. When these passwords match, a connection can be established. This can lead to a number of problems dealing with scalability. For instance, on a network where there are a significant number of clients, the key will have to be placed on each of the client computers. Typical security policies dictate that if one of the clients leaves the network (and won't be returning), the key should be changed. This is due to the ease in which the key can be recovered and distributed thereby undermining the security of the network. This can get to be quite a cumbersome task which grows exponentially with the number of client computers. On the other hand it doesn't require the use of an authentication server, such as a RADIUS server that we'll discuss later, which is something that the non-PSK encryption methods require. This is generally the best option to use for most SOHO environments because the number of clients is low and the environment is relatively static.

Recommendation: Change the encryption key monthly

Regular key rotation is important to any password centric security policy. It helps to keep the passwords (or key) unknown to the attackers. Of course there are a few lemmas that go hand-in-hand with this recommendation. When a key is changed often, people have a tendency to keep a copy of the key written down in an easily accessible location. Fight this urge because it circumvents all the security put in place on the network to keep people out. Another aspect to this rule is don't cycle through the same passphrases over and over. Once a password is used, it should be thrown out, never to be used again. This is again something that's going to have to take some gumption to resist, but it is well work the added security. Incidentally, these are rules that should be followed for any setting where keys and passwords are used. In some wireless networking devices such as access points and wireless routers, users can input up to four different keys and pick which one is active. This really isn't an advantage because it promotes rotation of the same key over and over. A strong password or key policy does not support key repetition.

Briefly mentioned above, TKIP, is based on a different model than AES and is more vulnerable to attack (although less so than WEP). There are a number of utilities that can find the key of WPA-PSK using TKIP. Essentially what happens is a hacker will listen to the conversation that takes place between the wireless router or access point and the client computer. Before the client is allowed to join the network, a handshaking process takes place which creates the key used to authenticate and encrypt traffic on the network. An attacker can listen to this conversation and based on the traffic, recreate the original passphrase that the victim chose. While this attack relies on a dictionary of possible keys which contains the actual key, it can prove less than ideal when other options are available. There are a number of wireless access points that only support WPA TKIP and not AES. Some older access points and wireless routers do not have the hardware that can support AES encryption. In these systems, a reasonable amount of security can be achieved by choosing a long passphrase. The passphrase should have upper and lower case characters, symbols and numbers. It should also be more than twenty characters long.

Recommendation: Create a strong passphrase

To enable WPA wireless on the Windows client:

The same key and information should be entered on the access point to create the connection.

While using a pre-shared key is much easier to configure for a SOHO option, it is less secure and less scalable. Most wireless access points and routers only allow a single key to be entered. This means that every user will have to enter the same network key to get on the network. When using 802.1x, a certificate can be created for every user which adds a significant amount of security to the network. A certificate is essentially a file which ties and individual to a set of keys. The keys are then used for a number of security processes including encryption and authentication.

We've talked about the common forms of encryption that are included with most wireless networking devices. They should, by all means, be used to help secure wireless communication, but they are also not all that can be done to encrypt data. More complex networks can encrypt data on a different level as well. For example, when you log into a secure website on the Internet, the traffic that is exchanged between your computer and the secure website is encrypted. So if you were to set up your wireless network with WPA or WEP and visit a secure website, all data between your client computer and the secure website would be encrypted. Then the encrypted traffic would be encrypted again between your computer and the wireless router or access point. More advanced techniques using encryption such as Virtual Private Networks (VPN) and Secure Shell (SSH) communications will be addressed in subsequent sections.

2. Authentication

One of the cornerstones to network security is a strong authentication scheme. It is well documented that WEP as an authentication protocol (as well as encryption scheme) is weak. Even if a strong encryption scheme is available, that security is meaningless if anyone is allowed on the network as a result of a weak authentication scheme. After all, even the strongest locks won't do much if the key is handed out to anyone who says they deserve it. Strong authentication is a necessity for a wireless network. Often, as is the case with WEP, the passphrase or key is used to authenticate the client on the network. Those that know the key can get on, and those that don't know the key, don't get on the network. There are alternatives which provide a much more robust authentication policy.

Recommendation: If possible, use 802.1X for authentication

802.1x is a port authentication protocol that was originally created for wired networks but have become very popular in wireless networking. Access points and wireless routers can be made to use 802.1x to authenticate clients before it allows that client access to the wireless network. There are three physical components to the 802.1x authentication process: the supplicant, the authentication server, and the authenticator. The supplicant is the computer or device that wishes to have access on the network. The authentication server is the device that performs the authentication. One of the most common types of servers that perform this task is a RADIUS server, but some access points have built in authentication server capabilities. The authenticator is the device that sits between the supplicant and the authentication server. It acts as a gatekeeper to the network which only opens the gate when the authentication server says it's okay .

The supplicant starts the process by attempting to access the network resources. This triggers a request by the authenticator for information about the identity of the supplicant. The supplicant provides this information and the authenticator forwards it to the authentication server. The authentication server then processes this information and usually sends a challenge to the supplicant through the authenticator. This challenge could be a nonce which needs to be encrypted or it could be some kind of token. The actual authentication mechanism is flexible and can vary between implementations. Because of the different ways that the authentication mechanism can be implemented, some mechanisms are easier to break than others. When the supplicant responds to the challenge, the authenticator forwards this information on to the authentication server for processing. The authentication server then determines whether or not the supplicant should be granted access.

Although this process was originally developed for wired networks, it has been adopted by the 802.11i committee for use in wireless applications. In a wireless environment, the supplicant is a wireless client wishing to connect to the wireless network. The authentication server can still be a RADIUS server, but the authenticator is usually a wireless access point. Since one of the problems with WEP is key management, 802.1x can be very useful in a WEP environment. Any time a single key is used for an entire network, there will be security and scalability issues. The central server can provide clients with different keys, and even require a key change after a preset amount of time or data transmission. In a wireless environment, this is especially beneficial because it can change the secret key used by WEP and give different keys to clients.

Some access points have an internal RADIUS server which can provide 802.1X authentication for wireless clients. Other systems require the use of separate RADIUS server. One can be built relatively easily for free on a Linux based server by using FreeRADIUS (http://www.freeradius.org) and OpenSSL (http://www.openssl.org).

To enable 802.1X authentication on the Windows client:

When the certificates have been installed for the appropriate wireless network, Windows will authenticate the computer seamlessly with the RADIUS server. All this will happen transparently. From an administration point of view, management of users is much easier because it can be controlled on a per-user basis. When a single user needs to be removed from the network, their certification can be put on a revocation list which will not affect the other users on the network. Now the administrator will not have to re-key all the clients each time someone leaves the company. It actually eliminates the usage of passphrase entirely in lieu of a certificate based system. Additionally, not only does the user have to authenticate to the network, the network actually authenticates itself to the user. This helps protect against man-in-the-middle attacks from malicious hackers.

3. Signal Strength and RF

One of the most common pictures of wireless hacking is from the car in the parking lot because the signal bleed from the access point from its location is large. While cranking the power up on an access point will definitely increase the range and possibly the throughput of the wireless signal, this benefits the hackers as well. The best policy is to allow the minimum signal necessary for appropriate connectivity.

Most, if not all, access points are shipped with the transmit power set to full strength. Typically this is done so that the wireless network device is working most effectively right out of the box. People just don't take the time to go back and test to find the best match for security and usability for their particular needs. Manufacturers have no idea what the physical layout of the place where the device is going to be installed. It's possible that there are very little obstructions to interfere with the RF signal, in which case the power level can be set very low. In situations were there are numerous walls, telephones, microwaves, etc, the signal strength will have to be kept at a higher level.

Recommendation: Do extensive testing to find the optimal power level

There are a number of ways to test signal strength of wireless network devices. Sophisticated signal strength measuring devices are available that can give a variety of metrics. They can use a map of the physical building and infrastructure and map the signal strength on it with lots of pretty colors. For enterprise level networks, this can be extremely useful, but for a small office/home office setting, this is unnecessary and impractical. We recommend using a device that can give a quantitative value of the signal based on the network SSID. The best way to do this is to download a program that can use the wireless radio with your computer to output the signal strength. This has a number of advantages over a third-party device. It uses the same networking equipment that is used to connect and use the network. It is also usually cheaper and easier to use. It also has the advantage of using the radio that will be used in the wireless network. Sometimes testing equipment can have more sensitive radios which lead to different readings than would be experienced with the network equipment. One of the most popular programs that can be downloaded for free is NetStumbler. While it will only show wireless networks that broadcast the SSID (more on that later), it can be very useful in finding the optimal power level of your network. Simply keep the SSID broadcast enabled until the right power level is found.

Simply start up the program and allow it to search for available signals. It will display all the networks that it can “see”. Depending on the software capabilities, the SSID might have to be broadcast in the beacon frames (for more info about this see the SSID section). As the software tool and its network interface card are moved farther from the wireless router or access point, the signal strength should decrease. Keep in mind that depending on the situation, results may not be as expected. The signal might reflect off of mirrors, glass, or walls; it may travel in ways that are not expected and lead to significantly stronger or weaker signals than expected.

It's important to realize that when dealing with RF wireless signals, it doesn't take much power to create a data connection. In fact, the maximum power level allowed by the FCC is 4 watts for a 802.11b or g access point or wireless router. When comparing this to a typical house light at 60W, it doesn't seem like much power at all. Often times, power measurements are expressed in decibels (dBm). This allows a much more usable scale to which power signals can be measured. The decibel scale is logarithmic so a change in +10 dBm is ten times the power in milliwatts (mW); +3 dBm is a doubling of the power. Somewhat counter intuitively, the measurement of 0 dBm doesn't mean that there is zero power, but rather it means 1 mW. So -10 dBm is the same as 0.1 mW and 10 dBm is 10 mW. When using a signal measurement tool, the signal from an access point is usually -15 dBm to -90 dBm meaning that the power can also be described as 0.0316 mW to 10 * 10 -10 mW. Obviously, it's easy to see that the less negative the number the more power.

Take signal measurements from all locations where wireless networking is going to be required. It is probably best to take measurements at different times of the day as well. It may sound strange but activities around the office or the house may affect signal strength and quality as well. When all the locations where optimum signal strength is needed has been measured, take measurements where the signal strength is not wanted. This mainly includes locations outside the house or building. It is here where malicious individuals can intercept the signals and use them to control the network, steal bandwidth, or conduct otherwise nefarious deeds. Pay special attention to locations around doors and windows because they provide the easiest path for RF signals to propagate. Remember that your neighbors are probably your worst enemies. While this may sound somewhat malicious, those in close proximity have the greatest opportunity and likely the best motive for intercepting your wireless signals. Another thing to take into consideration is interference. Since the 2.4 GHz band is rather crowded it's common to run into interference from portable phones, microwaves and other wireless devices.

We generally recommend a minimum signal strength of -75 dBm for decent wireless networking speeds. Specific needs may require faster speeds which in turn require a stronger signal. To determine what the minimum signal strength acceptable, perform typical tasks from locations that have varying levels of strength and see if those strengths allow the task to be done in an acceptable way.

Now that a minimum signal strength is found, tune down the strength on the wireless access point or router until all locations that legitimate networking will be used has the minimum proper strength. Hopefully this will still allow access from within the necessary locations but help stop leakage to the outside world where it can be picked up by someone who could use it to do bad things.

Wireless clients can also have different power levels for their antennas. Some are stronger than others. On some higher end equipment there is a mechanism where the wireless access point or router can tell the client what power level to transmit at.

Another aspect to RF signal and how it might affect the strength is the channel that the wireless device is using to send and receive data. In the 2.4GHz spectrum, which is used by the popular 802.11b and 802.11g devices, there are 14 channels which correspond to 12 different frequencies. Ideally, two different networks should operate on two channels that don't interfere with one another. For example, one network should operate at the low end of the channel range, maybe channel 1, and the other network would operate on channel 11 where it won't interfere with the other's signal. This should be done especially in situations where the wireless radios are placed in close proximity. For best results, use a signal strength tool that will display the channel being used along with the strength. Take note of the channel that is being used by networks close by and choose a channel that would have minimal interference with those networks. A popular rule of thumb is to use channels 1, 6 and 11 because they experience the least amount of interference with one another. In some large wireless networks, the radios will be programmed in such a way that a radio that uses channel 1 for example is surrounded with radios using channels 6 and 11, that way they don't interfere with one another.

4. Firewalls, MAC filters and Web Management

Wireless networking equipment manufactures have a tough line to walk. They must try to market their device to the largest possible group of consumers which means making it easy enough to use for almost everyone while keeping it secure enough to keep out the average hacker. As a result the security capabilities of the cheap stuff that you'll find in big box stores and computer shops leave something to be desired. They all pretty much boast the same round of features including MAC address filtering and firewalls. In this section we'll consider these give you the low-down on how to use them most effectively.

A security tool that is generally included in wireless access points is MAC address filtering. This allows the access point or the wireless router to ignore frames (little blocks of data which have been packaged for transmission) with a particular MAC address as the source address. MAC addresses are unique numbers that are found on nearly piece of networking equipment around. They are twelve characters long and contain numbers and the letters A-F (also called hexadecimal numbers). There are reasons why these numbers are unique but that discussion is beyond the scope of this book. One handy thing that can be done with unique addresses is associate an address to a computer, and by extension a person. Given a list of computers that are allowed on the network, the MAC addresses can be gathered and put on a list of devices allowed on the network. All other would then be banned. Unfortunately, a MAC address can easily be spoofed, or changed to match a different MAC. Consequently this protection has it's limitations on the skill level of the hacker that the network is being protected against, but it adds a significant layer of security that will foil some script kiddies. To take advantage of this utility, simply find the MAC addresses of all wireless network devices that will be connected to the access point or wireless router. The MAC address of a Windows device can be found by typing “ipconfig /all” from a command prompt. The MAC address is listed as the “Physical Address”. Simply add the MAC to the list of blocked or allowed devices on the network. Be careful, however, because computers that come equipped with a wireless network card will more than likely come with a wired network card as well. Make sure to write down the correct MAC address (it's the Physical Address) to allow through. We would also recommend that these additions should be made from a computer using the wired connection. This way, any mistakes that are made can be corrected without locking the administering computer out of the network device.

Recommendation: Use MAC address filtering

Another important aspect to using this type of security is that each new device that is to be added to the network needs to be included in the MAC address filter. Forgetting that can lead to some unpleasant troubleshooting.

Many wireless routers come with other “firewall” functionalities. This varies greatly depending on the manufacturer but some of the common features are IP address and protocol blocking, access based on time, and NATting. While these don't amount to a very sophisticated security platform, they will help thwart attacks by a semi-intelligent attacker. The process of NAT or network address translation, converts a private IP address to a public one and vise versa. It can be done in a number of ways, but the most common on SOHO wireless routers is to run a DHCP server that hands out private IP addresses (typically in the 192.168.0.0/16 range). These addresses are then converted to the WAN address of the wireless router. When a packet comes back from the Internet to the wireless router, it looks up the source addresses and port along with the destination port in a table that it keeps to determine what internal device it should be sent to. This way, outside computers and attackers can establish a connection with a device behind the wireless router until a special rule is created. This is, at least, how it would work on a typical secure network. In dealing with wireless, a little more thought and consideration has to be taken in designing the network. The biggest difference is the ability for someone to connect to the wireless network, act as a host behind the router, and access all other network devices that are attached to the trusted (inside) of the network. If someone could connect because there weren't authentication, MAC filters, and other security devices, all the NAT in the world would be able to stop someone from controlling the network. This is one of the problems with securing wireless networks. In a sense, the way in which wireless clients are treated is exactly backwards in off the shelf wireless routers and access points. We will discuss this more in the second on network design.

To differentiate the firewall used in most wireless appliance and supplicated firewalls used in enterprise level environments, we will call the wireless version protocol filters. The most sophisticated wireless firewalls will allow you to block traffic based on an IP address, protocol, and possibly time of day. Every computer on the network will have a different IP address that allows it talk on the Internet. This address can be used to block and allow certain communications on the network.

Recommendation: Use the built in protocol filter as much as possible

It is important to know that the most dangerous traffic on the network is what is called the egress traffic. This is the traffic that leaves the network destined for the Internet. This is somewhat counter intuitive because one would think that hackers coming from the Internet would be the most dangerous to the network. That's not to say that one can ignore the ingress traffic (from the Internet), but a proper firewall policy should be well rounded. While the rules for creating an effective firewall are beyond the scope of this book, here is a good start to building some firewall rules.

In the creation of these rules we have made a few assumptions that are worth noting. If your network design does not match these assumptions, there is a possibility that one or more of these rules will cause more harm than good on your network. Remember to use with caution. It also probably wouldn't be a bad idea to apply these rules a little at a time so if something were to break the culprit could be found and corrected quickly. As an example, some types of VPN connections rely on traffic that could be blocked by a tight firewall. Certain types of network connections like this need special consideration when dealing with firewalls.

We're assuming that your network is a relatively small with no services (like web pages, databases, etc) that need to be accessed from the Internet. The network's interaction with the Internet cloud is simply to send and receive e-mail, browse websites (both secure and unsecure), and perhaps some other typical uses.

The first general rule in rule creation is to block all inbound connections to your network. Your network should not be accepting incoming connections from the Internet. In the process of downloaded e-mail or webpages, data will have to be sent back to your computer, but these types of connections are started from inside your network (hopefully by you) and don't constitute incoming connections. The next rule we will describe generally and try to instantiate it as best we can for the type of network we are considering. Block all outbound traffic to the Internet unless it is necessary for your needs. In this case, we described web browsing to secure and unsecure sites. This suggests the TCP ports of 443 and 80 respectively. Also e-mail usage is needed so we would allow TCP ports 25 and 110 (or 143). There are a few other things that have to be allowed as well. Protocols like DNS, which translate http://www.berghel.net to 131.216.119.55. Without this, you would have to remember the number version instead of the easier to remember URL version. The problem that crops up is how many of these ports are needed which aren't readily apparent to the average computer user? The answer is only a few. Thusly it is a pretty safe bet that you could probably block all outbound connections except the ones we've listed assuming you have similar Internet needs. Another point worth mentioning is that Internet connections have to parts, the destination address/port and the source address/port. When we say we want to allow port 25, we mean we want to allow a destination port of 25 not a source port. Get those confused and you are in for a world of hurt.

Here's a chart of ports that should generally be either allowed or blocked.

Port Number Service Action Use
135-137 TCP/UDP NetBIOS Block Windows file and printer sharing
445 TCP/UDP SMB Block Windows file and printer sharing
3389 TCP/UDP RDP Block Window Remote Desktop
25 SMTP Allow Internet Mail
110 POP3 Allow Internet Mail
143 IMAP Allow Internet Mail
80 HTTP Allow Web browsing
443 HTTPS Allow Encrypted Web Browsing
22 SSH Allow Secure Shell
23 Telnet Block Telnet
20 FTP Block File Transfer Protocol
21 FTP Block File Transfer Protocol
53 DNS Allow Domain Name Lookups

Keep in mind that firewall rule creation can often be a painful process. It is not uncommon to find that you have blocked a port that is vital to your Internet experience. A little trial and error will go along way. We suggest downloading TCPView from Sysinternals. This little program will show your all the TCP network connections that exist on your computer in realtime. From a tool like this you can gather more information about what your network requirements are.

Wireless network devices are most commonly configured through a web page interface. Generally anyone who connects to the internal wireless network can connect to this configuration interface and manage the device. This is why they make a password based login so only people who know the password can manage the device. That is why it is so important to choose a very difficult to guess password so a hacker can't run across it in an attack. The worst thing that can be done is leave the password as the default. There are numerous lists which have the all the different types of wireless devices and their corresponding passwords. The first password a hacker will try is the one that is shipped by default on the wireless device.

Recommendation: Change the default password for wireless device management.  Make the password strong.

Depending on the device chosen on the network, there are a large number of different options. More expensive access points will allow more complex settings like VLANs and multiple SSIDs. It is important to investigate the different options available and read about what they do. For example, some access points will allow the management of the device to happen on a completely different network than the one used by wireless clients. This is called VLAN segmentation. While the networks run on the same physical wire, clients are logically separate from the management of the device. Another example is the creation of an access control list (ACL) which limits the access to the management of the device. An ACL is a list of allow and deny statements that permit or block (respectively) access to a specific resource. In the case of management, an ACL can be created which limit the access to a certain known list of IP addresses. This type of ACL is a very important because it can control who can actually try to change settings in the device. So not only would an attacker have to guess the username and password of the device, they would have to find a way to the device through the appropriate routes.

5. SSID

When an 802.11 device like an access point or a wireless router is turned on and functioning properly, it will broadcast what are called beacon frames. These are little “hello” messages which are meant to tell everyone in the broadcast range that the network exists. There a number of nuggets of information contained in these beacon frames including the capabilities of the network, the support rates (how many bits per second), and each of the beacon frames carry a network identification name. This makes it possible for a client computer to display the available networks because they are constantly broadcasting the names. From a security prospective the SSID telling everyone about the network is not a good thing. The clients that need to know about the network should know about it without having to run across it with their computer's help. Those that don't know about the network shouldn't need to. Either way, the network shouldn't need to be shown to everyone as they move in and out of the network area.

Recommendation: Disable SSID broadcast

Having the network name is a requirement to connecting to the wireless network. Windows will find the networks (and sometimes try to connect) when the SSID is broadcast in the beacon frames. If, on the other hand, the SSID is not broadcast, it will have to be put manually in the wireless network configuration. There are a number of wireless wardriving utilities that rely on the names that are broadcast in the beacon frames to find and locate the networks. By turning off the SSID broadcast these utilities won't be able to detect your wireless network. While not all hacker utilities are this simple, it may stop the most basic of hackers from compromising your network. More advanced hackers can pull out the SSID from other bits of data that are transferred between clients and network devices so this is by no means a strong form of security but remember your goal: Be more secure than your neighbors.

The way in which this is done varies depending on the wireless network device used. Usually there's a wireless network configuration section that will allow you to configure settings like the speed, channels used, etc. The setting to turn off the SSID is often called the “SSID broadcast” and can be turned on or off.

Make sure that the network information is entered into each client that will connect to your network. If the SSID is not being broadcast, the client has to be told who to connect to. Then it will actively seek the network rather than listening for the available ones. Microsoft has a list of preferred networks that it will connect to if given the chance. To

Open “Network Connections”. This can be done through the Start menu or through the Control Panels.

Now the network will appear in the Preferred network window of the Wireless Network Connection Properties. The order in which these networks are tried are put in the window. Individual networks can be moved up or down as desired. Now when your client is within proximity of the network, it will be connected to.

6. Client Side Protections

Up to this point we've discussed different things that should be done on the network itself to help protect it but this section discusses something different. There are a number of things that should be done on the client computers to help protect them from attack from the network and the Internet in general. Client-side firewalls will watch the network traffic coming into and out of the computer to help make sure hackers can't identify and exploit. Because of the nature of wireless networking it is easier for an attacker to breach the defenses and get into the trusted side of the network. Once an attacker is inside the internal network, a client-side firewall is one of the most important things that can be used to protect the computer.

Recommendation: Use a software-based firewall on every computer

Most commercial software-based firewalls are ready to install and are pretty configured out-of-the-box. Often they will ask the user a lot of questions to determine whether certain programs should be allowed to access the Internet. As the firewalls are being trained as to which traffic is legitimate and which are not, they tend to be pretty obnoxious. However, if they are configured properly, they can provide a large increase in security to a desktop or laptop computer.

Recommendation: Use an anti-virus software package on every computer

Another aspect to regular security for computers is a good anti-virus program. AV programs seek out and destroy all signs of malware that enter your computer's life. Some are better than other's but most big brand names are sufficient to keep up with the little nasties that try to infect your computer. The biggest thing to remember with anti-virus and firewall software alike is to keep it up-to-date and use it! If your drives are not scanned regularly (we do it nightly), the programs leave room for malicious activities to occur.

Many people think that wireless hacking consist of gaining access to the network to see things like credit cards and passwords or to use the network to do things that can only be traced back to the victim's name. This is not really true. While these vulnerabilities are certainly a big part of breaking into a defenseless network, they are definitely not everything. Getting access to all the computers on the network are also very tempting to any hacker on the network. A hacker can then gain access to a computer and plant backdoors or rootkits to help keep a presence on the network. They can also install keystroke loggers to get the credit card numbers and passwords. Virtually everything that happens on the computer is open for the hacker to see. Even if the victim decides that a wireless network is no longer the way they want to do business, a good hacker will still have access to the computer and network. These are the types of problems that are stopped through the use of a firewall and anti-virus solution.

Recommendation: Keep all security software up to date

There are a number of other software packages that can be helpful to help maintain a secure working environment on your computer. These include an antispyware solution, an integrity checker, and an intrusion detection system. While they are a little more complicated to install, run and maintain, they provide another look at what is going on in the network. They are also very popular in a more enterprise level networking environment.

An antispyware program scans a computer system in much the same way as an anti-virus program would except that it searches for spyware which is qualitatively different than Trojan horses and viruses. Check the antivirus package that you have chosen because some include spyware scanning as well as viruses. We recommend a “total” security package which integrates an anti-virus, anti-spyware, and firewall. Usually there are a few other programs included as well which are designed to help increase the security of your computer. Some examples include Norton's Internet Security, McAfee's Internet Security Suite, and Panda's Platinum Internet Security. Spyware is a broad term that encompasses a number of different types of malicious software. It is usually used to classify software that is installed on a computer without the consent of the owner and has the ability to take control of some functions of the user's computer, such as gather credit card information, watch browsing habits, redirect web request to particular advertising servers, create pop-ups, and an endless array of annoying and dangerous activities. Unlike viruses and worms, spyware programs do not replicate and are often installed on a computer through typical web browsing. Lately spyware has become a bigger issue and it is not uncommon to have a large number of infections on a computer without realizing the problem. Often, however, such infections can slow a persons web browser to a crawl and produce a nasty array of unwanted popups and browser redirections.

Integrity checkers are programs that look at files on the hard drive they make a sort of footprint of the file and save it in a database. If the file changes later on, the fingerprint will also change. The new footprint is compared with the one in the database. If there is a change in a certain type of file, they will alert the administrator. One technique of hackers is to replace a critical application with one that does the same thing as the original plus a little extra. For example, they could replace the “dir” command so that it didn't show files that they hacker had added so someone searching for anomalies wouldn't be able to detect them. This kind of system takes a little more administration time because some files will change quite frequently normally so will alarm each scan. Care must be taken to tune the system so that alarms are legitimate but so that it isn't over tuned and critical files that are changed are alarmed on.

Intrusion detection systems (IDS) watch network traffic and note anomalies or problems with the traffic. Typically there are a number of rules that used to check the traffic against. As the traffic comes into the IDS, it is checked against the rules to see if there is a match. If there is a match, an alarm is raised to alert the administrator. Like the integrity checker, it requires a significant amount of administration because the rules have to updated and tuned.

7. VPNs

A virtual private network (VPN) that is setup between to otherwise separate networks. For example, two LANs that are located in different parts of a city (or larger geographic area) can be virtually connected together with a VPN. The VPN can encrypt data between the two end points for additional security. Usually VPNs are created between a client computer (using software) and some other end-point which could be software running on a server or a network device specially made for VPN termination. A VPN can also be created between two network devices as a more permanent security solution.

Recommendation: If at all possible, use a VPN when connected to a wireless network

Since VPNs can be established by using a client utility on the computer and have it terminated on some sort of hardware device, it is perfect for wireless networks. Once connected to wirelessly, a VPN can be created that creates a secure tunnel through which all the traffic will flow. People listening to the wireless signals will only be able to see the jumbled data because it's encrypted. Depending on where the VPN connects, it will also provide another stage of authentication that is not inherently available on wireless networks.

The process in creating a VPN connection is sometimes complicated depending on the implementation. There are often a large number of options which can be daunting at best. While the ins and outs of how to create the VPN connection are best left to the User's Manual included with your hardware or software, we'll try to provide some basic pointers.

Recommendation : Use IPSec as the VPN protocol

There are a number of different underlying VPN protocols that can be used. Some of the more popular protocols include PPTP, L2TP, IPSec, and SSL. While PPTP is commonly used, it is generally regarded as weaker than IPSec because of the authentication protocols that are available. Remember that if anyone can authenticate to a secure network, the network is not secure. IPSec VPN clients are some of the most popular and can be used on a Microsoft Windows based platform.

Authentication with IPSec be done in a number of ways but it is common to use a pre-shared key much in the same way a WPA-PSK wireless connection can be setup. The same rules apply in picking a pre-shared key in a VPN setting, namely use something long and complex. Of course certificates can be used as well and provide a more manageable solution for larger situations.

An access list of IPs that are allowed to connect to the VPN can be created. Use this to block out IPs that should not be connecting to the network.

Use Tunnel mode. The other option is Transport mode and it is mainly used for different applications.

Choose ESP as the IPSec protocol over AH. ESP provides authentication and encryption capabilities. There are often a number of choices of encryption protocols to use to hide the data that is being sent from one point to another. Choose AES over the other encryption techniques.

8. Logging

Logging can provide a look into the network and devices in a way that nothing else can. It can help to diagnose problems and see security problems. Most wireless networking devices have some sort of built in logging functionality. There is a different level of logging from device to device so your device might do a little better or worse than others. Sometimes they even have some sort mailing functionality where the log could be e-mailed to an address at regular intervals.

Recommendation: Enable all the logging you can

Logging analysis is a very important aspect to any security policy. Events should be carefully inspected and correlated. There are some events that are obvious and don't need much thought as to what they are. For example, lists of failed login attempts from a particular IP address are a pretty good indicator of someone trying to gain access to the system. Seeing this should alert you that your password should be strong and the possibly of limiting access to the network from this IP. You should probably block this IP to all internal hosts through the firewall.

One of the primary things to look for in a wireless environment is looking for associations to the network from wireless clients. If MAC address filtering is enabled, there should only be associating from clients that have those addresses. As mentioned earlier, there are ways to spoof MAC addresses so the logs should still be inspected for associations at times where the actual client wasn't connected.

Recommendation: Inspect the logs regularly

Knowing what is happening on the network is essential to a healthy network and the logs are a vital part to knowing what's going on. Over time you will begin to know the events that should be expected and those that are anomalous. This is an important aspect to network administration. Care also needs to be taken to make sure the logs are inspected regularly enough that events are missed. Since a small network device only has a small amount of storage space to save event logs, as more and more things are logged, older events that have been logged are copied over. By looking at the events often enough you can ensure that some events aren't lost.

Since log messages are pre-defined outputs, the same message will appear on every identical device. This can be used to find help on problems that are encountered on the network. Search engines such as Google can be searched to find what the message might mean if it isn't readily apparent. It's likely that many people have run into the same message before and have discussed it.

Advanced: SNMP

In addition to the help that logging gives users in finding and diagnosing problems that occur, there's a protocol that's used for management of devices. This protocol is called the Simple Network Management Protocol or SNMP. There are a number of uses of this protocol but the most relevant to our uses is traps. Essentially they are messages from a network device that tell of an event that has occurred. The messages follow a specific format that is best decoded by a SNMP trap receiver. Free trap receivers can be downloaded and installed (like Net-SNMP) which will allow you to view traps that are sent to the receiver. Generally SNMP traps aren't included in the cheaper wireless networking equipment purchased off the shelf.

SNMP traps provide a convenient way to see changes in the network such as links that go up and down or administration logins. In most smaller networks there is little advantage to using SNMP traps for monitoring but for a more complex network they could be the only way that notification of these types of changes are visible. There are some security risks in sending network traps through a public network. We recommend having the trap receiver on the same segment as device that it is receiving traps from, if at all possible. Otherwise a VPN should be created between the edge device of the network sending the traps and the trap receiver. This will encrypt the traffic so prying eyes can't get access to the information contained within the traps.

9. Man-in-the-Middle Attacks

One of the biggest problems with wireless networking is the problem of man-in-the-middle (MITM) attacks. The attacks are when an attacker intercepts the traffic as it passes between a client computer and a server. As the data is sent from one to the other, it passes through the attacker where it can be saved or modified. In a wired setting the attack happens a little like this: the attacker is on the same network as the victim and sends some packets over the network so the victim and the gateway can see it. These packets trick the devices on the network that the traffic going from the victim to the outside Internet must go through the attacker and vise versa. Now the attacker has total control over the traffic that passes between the Internet and the victim. The attacker can even fake the authentication that happens when a client connects to a secure website. This means that even secure websites aren't really secure.

One of the issues with wireless is that it isn't even that difficult to do man-in-the-middle attacks. An attack simply needs to create a fake access point that has the same footprint as the legitimate one and trick you into connecting to it. The attacker can force the connection to the legitimate access point off the air and in most cases your client machine will connect directly to the fake access point, probably even before you realize the connection was broken. Now all communication is going through the fake access point controlled by the hacker. This is just one of the ways that such an attack can happen but it's easy to see why this is such a problem in wireless networks.

Recommendation: Use static ARP entries for the wireless AP or router

To help protect against this, a static ARP entry can be created so that the logical address of the correct wireless access point or router is matched to a physical address and can't be changed. So when a hacker comes along and tries to tell every device on the network that that their computer is the wireless access point or router, the table won't be changed and foil the hacker's plans. The computers on the network will continue to use the physical address of the real device and not the hacker's device. Unfortunately, this is not without its problems. This is situation is only good if the physical and logical address of the network devices don't change. If they do change, the computers will still try to send their information to the old device. If the wireless access point or router is replaced, all the computers will have to be updated. Another problem that is probably more significant is the conflict of duplicate logical addresses. Every device on an IP network (which is the most common) has its own IP address, which is the logical address. It's possible, especially on wireless networks to have the same logical IP address used. Most devices made the by the same manufacturers use the same default logical address. So if a laptop is moved from one network to another, it's possible that the same logical address is used on both networks. They can't have the same physical address because every device should have a unique address. With the static ARP entry, the shared logical address is mapped to the same physical address. This means that the laptop won't be able to send information to the device with physical address that isn't in the static ARP table. It will have to be updated.

To create a static ARP entry in Windows:

For example if the IP address is 192.168.0.1 and the MAC is 00-90-D8-65-BB-45 you would type “arp –s 192.168.0.1 00-90-D8-65-BB-45”

Now all traffic that needs to be sent to the address of 192.168.0.1 will be sent to that particular physical address. This is especially important if 192.168.0.1 is the default gateway (which can be found when the command “ipconfig” is run from the command line). This is the place that all traffic bound for the Internet is sent. It is also the best place for a MITM attack.

Advanced: Custom Gateways

Throughout this book we've made the assumption that an inexpensive wireless router is being used. This serves as the default gateway for the network. Using software that is freely available on the Internet, one can build a wireless gateway which implements more security and monitoring capabilities than an off-the-shelf router. This is best implement through a Linux based computer with a wireless networking card. Security portals such as NoCat can be used to authenticate and encrypt users. NoCat can be installed on a Linux based access point. These types of access points can be implemented using software based access points such as HostAP.

10. Network Design

Network design can help wireless security quite a bit. Where the wireless network device is placed in the network can help lessen the impact of the wireless access by an intruder. The point at which users connect to the wireless network should not be considered part of the trusted side of the network. Often the mistake is made to allow wireless users the same access to the network as the wired users. There should be more authentication and security required for wireless users than wired users. Depending on the complexity of network, different access could be applied to different types of users.

Along these lines, the type of wireless devices has to do with how the network is setup. Access points are much simpler devices that are used to connect users to the network. Wireless routers work at higher level. They usually do address translation and offer more security.

Glossary


AP – Access Point. A wireless networking device which provides a bridge between the wired network and wireless clients.

ARP – Address Resolution Protocol. The protocol which is used to translate a physical address (MAC address) to a logical address (IP address).

ESP – Encapsulating Security Payload. A protocol that is part of IPsec which is used to provide encryption and integrity to communications. It can encrypt the entire network layer packet or just the transport layer packet and it is encapsulated in another IP packet.

IDS – Intrusion Detection System. A system which monitors traffic flowing through a network or device looking for possible security problems. Often the IDS is rule based which means that a number of statements describe which traffic is abnormal. Other IDSes are behavior based meaning it has a period of learning where it is taught what kind of traffic is normal and what is not. It then uses that information to make decisions about future traffic.

IPSec – IP Security Protocol. A set of protocols which provide secure communications over the Internet. It is popular in the use of VPNs.

MAC address – Media Access Control address. A unique physical address composed of 6-bytes which is assigned to each Ethernet NIC.

MITM – Man-in-the-Middle. An attack where the attacker positions him/herself between the client and server. The attacker can then see and modify all traffic which passes between the two.

Script Kiddies – A class of attacker who does not have a technical understanding of networking and programming in general. They use exploit tools which were created by others. They use these utilities without much regard for how they work. They are not very well regarded in either the network security or hacker communities.

SSID – Service Set Identifier. A network name that is given to a wireless network. It can be broadcast in the beacon frames by the wireless networking device but it is generally regarded as more secure if it is not.

TKIP – Temporal Key Integrity Protocol. A security mechanism that was created to help eliminate the problems with WEP encryption in wireless networks. It is a shell that fits over WEP that provides per-packet keying, enhanced message integrity, and a re-keying mechanism.

VPN – Virtual Private Network. A method of creating a network where only authorized users are allowed to connect. It uses encryption to create a “private” link between a remote network (or client) and local client (or network). This creates an encrypted channel over the Internet. It also has nearly eliminated the need for leased lines.

Wardriving – The practice of finding wireless networks. It is often done driving in a car with a high gain antenna trying to find as many access points and wireless routers as possible. Many people also use a GPS device to map all the networks that they find.

WEP – Wired Equivalent Privacy. An early encryption technique used in wireless networking. It was introduced to provide encryption and authentication in wireless networks. It was found later to be very insecure from a number of perspectives. It has been replaced by WPA.

WPA – Wi-Fi Protected Access. A subset of security protocols that were ratified in 802.11i. It is currently the most secure encryption protocol available for wireless networking equipment.