Stopping WiFi Intruders
by Lisa Phifer, Vice President, Core Competence
[Editor's note: WatchGuard is proud to present the best
article we've ever seen on securing wireless networks. With 15 practical steps you
can take, and over 40 links to Web pages explaining various aspects of wireless
security, Lisa's article provides a great starting point to help you do wireless
as safely as it can be done today. Grab a cup of coffee (or whatever beverage
helps you relax and think) and dive into this virtual encyclopedia of wireless.
Enjoy! --Scott Pinzon]
Wireless LANs (WLANs), commonly known as "WiFi",
are spreading like wildfire in corporate networks, large and small. Companies
are deploying WiFi in conference rooms, warehouses, and other "hot
spots" to increase business efficiency. Rogue WLANs are springing up in
labs, offices, and cubicles. According to WLANA,
4.5 million WiFi products were sold worldwide in 2001.
Your company doesn't have WiFi? Think again. WiFi is creeping into corporate
networks through that famous backdoor: the home office. According to Dell'Oro,
WiFi SOHO revenue jumped to $200 million in 4Q01. Every consumer PC now ships
with WiFi support in Windows XP. New laptops offer WiFi as a NIC option.
Sub-$100 NICs, $200 gateways, and affordable WLAN kits have eliminated the
financial barriers to entry for most techies.
Does your workforce travel? Wireless Internet access can be found in a growing number
of hotels, conference centers, airports -- even your neighborhood Starbucks.
Community networks like the Bay Area Wireless
Users Group and Seattle Wireless
make WiFi freely available to anyone passing through. It's never been easier to
spy on your fellow traveler.
Even if your company is untouched by WiFi,
that won't last long. Begin planning for WLAN deployment now by assessing
security risks, developing policies, and implementing security measures to
maintain the integrity and security of your company's network.
The 802.11b standards include Shared Key authentication and Wired Equivalent Privacy
(WEP) encryption. Most products offer these security measures, but surveys
indicate nearly 70% of today's WLANs do not use them. In his 802.11-Planet
conference keynote, WECA Marketing Co-Chair T. K. Tan said, "The most common
WLAN mistake is that users get so excited about WiFi, they forget all about
Don't be one of those over-excited users. Remember that wireless is a broadcast radio medium, easy to "airtap" (the wireless equivalent of a wiretap -- see "Wireless
Networks Can Allow 'Airtapping'"). By default, most WiFi
products are configured for Open System (null) authentication. Wireless sniffers
like AiroPeek can easily discover WiFi network interface cards (NICs), access points (APs),
and networks. Using a NIC, antenna, GPS, and a sniffer, "war
drivers" roam the streets, creating maps of the WiFi networks they find.
WEP can prevent casual eavesdropping, but serious vulnerabilities have been identified by AT&T
Labs, U.C., and University of Maryland researchers. Tools like AirSnort (covered in Wired
magazine) and WEPCrack
capture WiFi packets, exploiting weaknesses in the RC4 initialization vector and
key schedule and enabling intruders
to recover WEP keys. Unlike SSL/TLS or IPsec/IKE, 802.11b does not provide
automated key distribution, so compromised keys are likely to remain in use for
WiFi Security Checklist
The IEEE 802.1x and 802.11i task groups are busy developing better authentication, key
distribution, and encryption standards for wireless. Until those improvements
are ready, take these steps to secure the WiFi in your network today.
Each WiFi network is identified by a Service Set ID (SSID), used by NICs to
associate with access points (APs).
Factory-default SSIDs invite intruders. Configure long, hard-to-guess SSIDs.
Disallow blank or "any" SSIDs. If your AP permits, turn off the beacon packets that broadcast the SSID. SSIDs may still be sniffed by intruders, but
visitor or neighbor NICs are less likely to accidentally associate with your AP.
Inventory MAC addresses so that your AP can deny access to lost or stolen NICs.
Some APs can check MAC addresses by consulting a local access control list (ACL)
or RADIUS server. Although MAC addresses can be forged, MAC ACLs can be your
first line of defense.
Extend LAN-level security into the wired subnet behind your AP. For example, use
static ARP on that subnet to prevent ARP
cache poisoning by intruder NICs. Use 802.1Q VLAN tagging to segregate
wireless traffic as it moves through your wired network.
Don't let your AP's Dynamic Host Configuration Protocol (DHCP) server lease dynamic
IPs to just anyone. An intruder that associates with your AP still needs a valid
IP address to access your wired network. Configure your AP to hand out static
IPs only to authorized MACs.
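The MAC inventory, static ARP, and static-IP-only DHCP measures above all key off the same list of authorized NICs, and they drift apart when each is maintained by hand. The following added example (not from the article or from any vendor it names) shows one way to keep them in sync: a single inventory, validated once, emits the ISC dhcpd reservations with `deny unknown-clients`, the `arp -s` commands for the wired subnet behind the AP, and the MAC list to load into the AP's ACL. The NIC names, MACs, and the 10.0.7.0/24 subnet are constructed sample values.

```python
"""Drive static ARP, DHCP reservations and the AP MAC ACL from one NIC inventory.

Added example, not from the article. The inventory entries and subnet are
constructed; the dhcpd stanza follows ISC dhcpd syntax and the ARP command
is the Linux/BSD 'arp -s' form. A real deployment would load the inventory
from a file or database instead of a literal list.
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


@dataclass(frozen=True)
class Nic:
    name: str   # owner or hostname; doubles as the dhcpd host label
    mac: str
    ip: str


# Constructed inventory for the wireless subnet behind the AP.
WIRELESS_SUBNET = "10.0.7.0/24"
INVENTORY: List[Nic] = [
    Nic("laptop-alice", "00:aa:00:00:00:01", "10.0.7.21"),
    Nic("laptop-bob", "00:cc:00:00:00:03", "10.0.7.22"),
]


def validate(inventory: List[Nic], subnet: str) -> IPv4Network:
    """Reject malformed MACs, addresses outside the subnet, and duplicates."""
    net = IPv4Network(subnet)
    seen_macs, seen_ips = set(), set()
    for nic in inventory:
        mac = nic.mac.lower()
        if not MAC_RE.match(mac):
            raise ValueError(f"{nic.name}: malformed MAC {nic.mac!r}")
        if IPv4Address(nic.ip) not in net:
            raise ValueError(f"{nic.name}: {nic.ip} is outside {subnet}")
        if mac in seen_macs or nic.ip in seen_ips:
            raise ValueError(f"{nic.name}: duplicate MAC or IP address")
        seen_macs.add(mac)
        seen_ips.add(nic.ip)
    return net


def dhcpd_config(inventory: List[Nic], subnet: str) -> str:
    """ISC dhcpd subnet block: fixed addresses for known NICs, nothing for anyone else."""
    net = validate(inventory, subnet)
    lines = [f"subnet {net.network_address} netmask {net.netmask} {{",
             "  deny unknown-clients;"]
    for nic in inventory:
        lines += [f"  host {nic.name} {{",
                  f"    hardware ethernet {nic.mac.lower()};",
                  f"    fixed-address {nic.ip};",
                  "  }"]
    lines.append("}")
    return "\n".join(lines)


def static_arp_commands(inventory: List[Nic], subnet: str) -> List[str]:
    """Permanent ARP entries for the wired side, so a rogue NIC cannot poison them."""
    validate(inventory, subnet)
    return [f"arp -s {nic.ip} {nic.mac.lower()}" for nic in inventory]


def mac_acl(inventory: List[Nic], subnet: str) -> List[str]:
    """The allow-list to load into the AP's MAC ACL (or RADIUS user file)."""
    validate(inventory, subnet)
    return sorted(nic.mac.lower() for nic in inventory)


if __name__ == "__main__":
    print(dhcpd_config(INVENTORY, WIRELESS_SUBNET))
    print("\n".join(static_arp_commands(INVENTORY, WIRELESS_SUBNET)))
    print(mac_acl(INVENTORY, WIRELESS_SUBNET))
```

Because every generator calls `validate` first, a typo in one MAC or a duplicated address fails the whole run rather than silently producing a DHCP reservation that no ARP entry matches.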
Treat WLANs as untrusted networks! Many rogue APs -- and a surprising number of
authorized APs -- are incorrectly deployed behind corporate firewalls. Insert a firewall between wireless APs and your corporate
network or deploy APs behind your Firebox's DMZ interface. Use Firebox rules and authentication to ensure that only authorized users can gain
access to wired network resources.
Secure wireless APs and client PCs as you would any other public-facing device.
On your AP, turn off unused services, configure strong passwords, and use secure
management channels. On your client PCs, deploy anti-virus and personal firewall
software to prevent exploits. To limit exposure in peer-to-peer wireless attacks
from other PCs accessing the network, disable file sharing, and consider
encrypting the files on your hard drives.
Users surfing the Web over wireless may
think they have nothing to hide. Unfortunately, cleartext WiFi is at risk for
many other attacks. Wireless sniffers and tools like dsniff
can grab MAC, IP, and e-mail addresses, server names, logins and passwords --
juicy tidbits an intruder can stockpile and exploit at his leisure (described in
"Mugsy Plans a Cyber-Heist"). Furthermore, tools from the dsniff suite
(e.g., arpspoof and dnsspoof) enable wireless session
hijacking. Because there is
no way to stop intruders from transmitting, wireless channels can be jammed and
APs can be subjected to DoS attacks. Cryptographic protection can reduce these
Unless you employ cryptographic protection at another level (see the VPN and application-layer measures later in this checklist), turn
Wired Equivalent Privacy (WEP) on. Avoid weak keys and 40-bit ASCII key
generators. Steer clear of NICs that start the WEP initialization vector at 0 and
increment it by 1 for each frame. WEP keys are shared by all NICs connected to an AP, so consider the risk of theft when using products that
store cleartext WEP keys on disk or NIC (Cisco
Update your WEP keys at regular intervals. Manual key updates are really only
practical in SOHO and small business WLANs. Larger WLANs can benefit from WiFi
products that automate key derivation and distribution, like Cisco
Aironet (LEAP), Agere ORiNOCO
(Diffie-Hellman, EAP) or NextComm
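Two of the WEP points above, steering clear of NICs whose IV starts at 0 and counts up, and avoiding keys that come from typing an ASCII passphrase into a key generator, can both be checked from the defender's side. The following added example, which is not from the article or from any product it names, audits a list of (transmitter MAC, IV) pairs as a wireless sniffer would export them for WEP data frames, flagging NICs that emit sequential IVs and NICs that reuse an IV within the capture, and tests whether a hex key consists entirely of printable ASCII bytes. The capture and the keys are constructed sample data.

```python
"""Audit a WEP capture for predictable IVs and passphrase-derived keys.

Added example, not from the article or its vendors. The frame list is a
constructed sample of (transmitter MAC, 24-bit IV) pairs, the fields a
wireless sniffer reports for each WEP-encrypted data frame.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample capture. NIC 00:aa... starts at IV 0 and counts up
# (the behaviour the article says to steer clear of), NIC 00:bb... picks
# IVs at random but repeats one, NIC 00:cc... shows nothing suspicious.
SAMPLE_FRAMES: List[Tuple[str, int]] = [
    ("00:aa:00:00:00:01", 0), ("00:aa:00:00:00:01", 1),
    ("00:aa:00:00:00:01", 2), ("00:aa:00:00:00:01", 3),
    ("00:bb:00:00:00:02", 0x3F2A10), ("00:bb:00:00:00:02", 0x91C4E7),
    ("00:bb:00:00:00:02", 0x3F2A10), ("00:bb:00:00:00:02", 0x0A5B3C),
    ("00:cc:00:00:00:03", 0x7788AA), ("00:cc:00:00:00:03", 0x120045),
    ("00:cc:00:00:00:03", 0xFE01B2),
]


def audit_ivs(frames: List[Tuple[str, int]], min_frames: int = 3) -> Dict[str, List[str]]:
    """Group frames by transmitter and return {mac: [findings]}.

    A NIC is flagged when its IVs form a run that increments by exactly 1
    (a counter that restarts at 0 after every reset, so the same IV, and
    therefore the same RC4 keystream, is reused after each restart) or
    when an IV value repeats within the capture.
    """
    per_nic: Dict[str, List[int]] = defaultdict(list)
    for mac, iv in frames:
        if not 0 <= iv < 2 ** 24:
            raise ValueError(f"IV {iv!r} is not a 24-bit value")
        per_nic[mac.lower()].append(iv)

    report: Dict[str, List[str]] = {}
    for mac, ivs in per_nic.items():
        findings: List[str] = []
        sequential = len(ivs) >= min_frames and all(
            later - earlier == 1 for earlier, later in zip(ivs, ivs[1:])
        )
        if sequential:
            findings.append(f"sequential IVs starting at {ivs[0]} (counter NIC)")
        reused = len(ivs) - len(set(ivs))
        if reused:
            findings.append(f"{reused} IV value(s) reused within capture")
        report[mac] = findings
    return report


def key_looks_ascii(hex_key: str) -> bool:
    """Return True if every byte of a 40- or 104-bit WEP key is printable ASCII.

    Keys typed as a passphrase, or produced by the ASCII key generators the
    article warns about, draw each byte from the 95 printable values rather
    than all 256, so a random-looking hex string can still be a weak key.
    """
    raw = bytes.fromhex(hex_key)
    if len(raw) not in (5, 13):
        raise ValueError("WEP keys are 5 bytes (40-bit) or 13 bytes (104-bit)")
    return all(0x20 <= b < 0x7F for b in raw)


if __name__ == "__main__":
    for mac, findings in audit_ivs(SAMPLE_FRAMES).items():
        print(mac, findings or ["ok"])
    print("ASCII-derived key:", key_looks_ascii("68656c6c6f"))  # bytes spell 'hello'
    print("ASCII-derived key:", key_looks_ascii("a3f09c1e7b"))
```

Run the audit periodically against a short capture from each AP: a NIC that shows up as a counter NIC is a candidate for replacement, and a key that passes `key_looks_ascii` should be regenerated from random bits rather than a passphrase.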
If you have a mobile user VPN for remote access, extend it to WiFi clients. Use
existing PPTP or IPsec client software to tunnel through APs to your Firebox. If
your Firebox is heavily utilized, increase capacity -- 802.11b WLANs can push up to 11 Mbps. Alternatively, consider using a
wireless access concentrator with built-in PPTP/IPsec, like the Bluesocket
WiFi clients that roam from AP to AP receive
new IP addresses, requiring PPTP or IPsec tunnel re-establishment. If your
clients really need to roam without session interruption, consider deploying a
wireless "VPN" based on proprietary (NetMotion),
WTLS (Columbitech), or Mobile IP (Ecutel) protocols.
If you use any of the following measures to secure remote access to your
corporate network today, apply them to WiFi clients as well: SSH and SFTP can
authenticate and encrypt WiFi client access to e-mail and file servers on your
wired network. SSL/TLS can secure wireless access to Web portals. E-mail over
wireless can be protected with PGP or S/MIME.
As you roll out Windows
XP and Public Key Infrastructure, consider authenticating WiFi clients with
computer certificates. By combining Windows XP with APs and RADIUS/Kerberos
servers that support 802.1x, you can block AP access by unauthorized NICs.
Windows XP uses Extensible
Authentication Protocol-Transport Layer Security (EAP-TLS) to create a
mutually authenticated, encrypted path for port-level authentication and session
key delivery, eliminating manual key distribution and reducing the risk of
Forewarned Is Forearmed
Begin your WiFi rollout with a thorough vulnerability assessment. Assess business
needs and WiFi risks, developing a wireless security policy for your company.
Implement the measures enumerated here and elsewhere to reflect your policy.
Repeat your vulnerability assessment at regular intervals.
Use shareware like NetStumbler
to discover authorized, unauthorized, and neighboring WLANs. Build an inventory
of APs and NICs, recording SSIDs, WiFi channels, and MAC addresses.
To dig deeper, use a commercial tool like NAI Sniffer
Wireless or WildPackets
AiroPeek to examine wireless and adjacent wired network traffic. Watch for
802.11b association requests with invalid SSIDs, unfamiliar MAC and IP addresses,
rejected DHCP requests, or ICMP port unreachables to your DNS. Each may signal intruder activity.
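The indicators in the step above (associations with invalid SSIDs, unfamiliar MACs, rejected DHCP requests, ICMP port unreachables aimed at the DNS server) can be checked automatically against the AP and NIC inventory built with NetStumbler. Here is an added example, not from the article or any product it names, that runs those checks over constructed log lines. The line formats are made up for the example (the dhcpd lines are modelled on ISC dhcpd's messages), and the authorized MACs, SSID, and DNS address are constructed values standing in for the real inventory.

```python
"""Flag the intruder indicators the article lists, over constructed log lines.

Added example, not from the article or the tools it names. The log formats
are invented for this example (the dhcpd lines are modelled on ISC dhcpd's
messages); AUTHORIZED_MACS, VALID_SSIDS and DNS_SERVERS are constructed
values that would normally come from the AP/NIC inventory.
"""
import re
from typing import List, Set, Tuple

AUTHORIZED_MACS: Set[str] = {"00:aa:00:00:00:01", "00:cc:00:00:00:03"}
VALID_SSIDS: Set[str] = {"CorpWLAN-7k2Q"}
DNS_SERVERS: Set[str] = {"10.0.1.53"}

# Constructed sample: one clean association, one rogue NIC trying SSID "any"
# and being refused a lease, one authorized NIC using the wrong SSID, a lease
# handed to an unknown NIC, and that NIC answering the DNS server with ICMP.
SAMPLE_LOG = """\
ap1 assoc mac=00:aa:00:00:00:01 ssid=CorpWLAN-7k2Q
ap1 assoc mac=00:de:ad:be:ef:01 ssid=any
ap1 assoc mac=00:cc:00:00:00:03 ssid=corpwlan
dhcpd DHCPDISCOVER from 00:de:ad:be:ef:01 via eth1: network 10.0.7.0/24: no free leases
dhcpd DHCPACK on 10.0.7.21 to 00:aa:00:00:00:01 via eth1
dhcpd DHCPACK on 10.0.7.99 to 00:de:ad:be:ef:02 via eth1
fw icmp port-unreachable src=10.0.7.99 dst=10.0.1.53
"""

MAC = r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
ASSOC_RE = re.compile(rf"assoc mac={MAC} ssid=(?P<ssid>\S*)", re.I)
DHCP_REJECT_RE = re.compile(rf"DHCPDISCOVER from {MAC} .*no free leases", re.I)
DHCP_ACK_RE = re.compile(rf"DHCPACK on (?P<ip>[\d.]+) to {MAC}", re.I)
ICMP_RE = re.compile(r"icmp port-unreachable src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)", re.I)

Alert = Tuple[str, str]  # (subject MAC or IP, description)


def analyse(log_text: str, authorized: Set[str] = AUTHORIZED_MACS,
            ssids: Set[str] = VALID_SSIDS, dns: Set[str] = DNS_SERVERS) -> List[Alert]:
    """Return one alert per indicator found; a clean log yields an empty list."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        if m := ASSOC_RE.search(line):
            mac, ssid = m["mac"].lower(), m["ssid"]
            # Blank or "any" SSIDs are the defaults the article says to disallow;
            # anything not in the inventory is treated the same way.
            if ssid.lower() in ("", "any") or ssid not in ssids:
                alerts.append((mac, f"association with invalid SSID {ssid!r}"))
            if mac not in authorized:
                alerts.append((mac, "association from unfamiliar MAC"))
        elif m := DHCP_REJECT_RE.search(line):
            # With static leases only, an unknown NIC is refused an address.
            alerts.append((m["mac"].lower(), "DHCP request rejected: no lease for this client"))
        elif m := DHCP_ACK_RE.search(line):
            # A lease to a MAC outside the inventory means the static-only rule slipped.
            if m["mac"].lower() not in authorized:
                alerts.append((m["mac"].lower(), f"lease {m['ip']} handed to unfamiliar MAC"))
        elif m := ICMP_RE.search(line):
            if m["dst"] in dns:
                alerts.append((m["src"], "ICMP port unreachable sent to DNS server"))
    return alerts


if __name__ == "__main__":
    for subject, description in analyse(SAMPLE_LOG):
        print(f"{subject:18} {description}")
```

Each alert names the MAC or IP it concerns so that repeated subjects stand out: in the sample, 00:de:ad:be:ef:01 triggers three indicators in a row, which is the pattern of an unauthorized NIC probing the AP, while the authorized NIC with the wrong SSID produces a single, lower-priority alert.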
Evaluate vulnerabilities associated with your APs and their placement in your wired
network. Use vulnerability scanners or consulting services specifically designed
to assess wireless APs (for example, Cigital).
Use active intrusion detection to monitor ongoing activity near your AP (for
example, ISS RealSecure IDS).
Of course, you should assess your WiFi signal coverage, positioning antennas to
minimize leakage and reduce your exposure to AP DoS attacks. When doing so,
think several hundred feet in 3D. Walls and floors may reduce signal strength,
but never count on them to protect
your WLAN from intruders. There are no shortcuts. If you want to keep your
network secure, you have to deploy
appropriate security measures to address the risks inherent in 802.11b wireless.