Republished with permission from WatchGuard Technologies, Inc.
Tools and Tactics for Safer WLAN Deployment
by David M. Piscitello, President, Core Competence, Inc.
One of the attractive aspects of wireless LANs is that they are so easy to install. And while it's true that eliminating wiring dramatically reduces the lead-time to deployment, you can't simply set up an access point and begin broadcasting. Just as you develop a wiring plan for Ethernets, you must develop a "radio plan" for WLANs. Moreover, you must appreciate that WLANs use unlicensed radio spectrum that's available to anyone with a transmitter or receiver, regardless of whether they have good or evil intentions.
Applying the right tools greatly simplifies the process of assessing your WLAN security policy and implementation. This article discusses several Windows-based, free-, share-, and commercial-ware tools you can use to perform site surveys, and to discover and audit WLAN activity. These seemingly mundane activities are essential to securing networks once wireless LAN technology has been introduced.
The purpose of a site survey is to identify the optimum placement of WLAN access points for the best performance, least interference, least overlap from neighboring organizations, and least exposure to unauthorized use of your infrastructure. Elements of a surveyor's toolkit often begin with pencils and paper, or vinyl sheet protectors and markers.
Prior to conducting your survey, identify your WLAN user population, applications, and security requirements (hopefully, found in your policy!). Obtain or draw building and floor plans for locations where you deploy WLANs. Identify:
Consider these carefully, and then mark your (intended) placement of access points on your plans and drawings.
Identify potential AP placement problems on paper. Most access points come with an omni-directional dipole antenna. A dipole antenna radiates radio transmissions equally in all directions, assuming the absence of obstructions and interference. Set a compass to the maximum radius of radio transmission (refer to your AP's specs), and draw the "sphere" of each access point's radiant energy. If the sphere radiates radio frequency (RF) beyond your security comfort zone, you can relocate the APs or change antennae. Many enterprise-class APs accommodate different antenna types: if you intend to locate access points in long corridors, or building corners, consider using a semi-directional (patch or YAGI) antenna. Two good resources for understanding antennae are: this paper by Cisco, and this book.
Identify the RF channels your APs will use. Keep in mind as you select channels that two APs on overlapping channels and in close proximity will interfere with each other, resulting in high error rates or jamming. Choose channels that are far enough apart (as in, channels 1, 6, and 11) to avoid this problem.
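The paper-and-compass step above can be checked before anyone climbs a ladder. The following is an added example, not code from the article or from WatchGuard: it takes a constructed floor plan (a 40 by 25 metre rectangle), hypothetical AP positions with the nominal omni radius from each AP's spec sheet, and the planned channels, then reports how far each "sphere" spills past the walls and which nearby APs sit on overlapping 2.4 GHz channels (channels less than 5 apart overlap, which is why 1, 6 and 11 are the safe set).

```python
import math

# Constructed premises: rectangle from (0, 0) to (40, 25) metres (hypothetical).
PREMISES = (0.0, 0.0, 40.0, 25.0)  # x_min, y_min, x_max, y_max

# Hypothetical AP plan: name, (x, y) in metres, nominal omni radius, channel.
ACCESS_POINTS = [
    ("ap-lobby", (5.0, 5.0), 30.0, 1),
    ("ap-east", (35.0, 12.0), 30.0, 6),
    ("ap-north", (20.0, 22.0), 30.0, 3),
    ("ap-core", (20.0, 12.0), 8.0, 11),   # short-range AP in the middle
]

# 802.11b/g channels are 5 MHz apart and 22 MHz wide, so two channels
# overlap unless their numbers differ by at least 5.
MIN_CHANNEL_SEPARATION = 5


def spill_beyond_premises(pos, radius, premises=PREMISES):
    """Metres by which an omni sphere extends past each wall (0 = contained)."""
    x, y = pos
    x_min, y_min, x_max, y_max = premises
    return {
        "west": max(0.0, radius - (x - x_min)),
        "east": max(0.0, radius - (x_max - x)),
        "south": max(0.0, radius - (y - y_min)),
        "north": max(0.0, radius - (y_max - y)),
    }


def channel_conflicts(aps):
    """Pairs of APs whose spheres intersect and whose channels overlap."""
    conflicts = []
    for i, (n1, p1, r1, c1) in enumerate(aps):
        for n2, p2, r2, c2 in aps[i + 1:]:
            if math.dist(p1, p2) < r1 + r2 and abs(c1 - c2) < MIN_CHANNEL_SEPARATION:
                conflicts.append((n1, n2))
    return conflicts


def review_plan(aps, premises=PREMISES):
    """Per-AP spill figures plus the action a surveyor would note on the drawing."""
    findings = {}
    for name, pos, radius, _ in aps:
        spill = spill_beyond_premises(pos, radius, premises)
        leaking = any(m > 0 for m in spill.values())
        action = "relocate or use a directional antenna" if leaking else "ok"
        findings[name] = {"spill": spill, "action": action}
    return findings


if __name__ == "__main__":
    for name, finding in review_plan(ACCESS_POINTS).items():
        print(name, finding)
    print("channel conflicts:", channel_conflicts(ACCESS_POINTS))
```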
Monitor RF signal and channel reception to confirm that:
For this, you need sturdy walking shoes and something that can detect and measure WLAN radio signals. Most WLAN PC and Compact Flash cards have utilities that measure signal strength, achievable bandwidth, noise and Signal-to-Noise-Ratio (SNR) of the channel configured for the card. Freeware "war-driving" tools like netStumbler, ministumbler, and aerosol will scan all channels for signal and IEEE 802.11 beacon frames emanating from APs. Paired with a Global Positioning System connected to your handheld or laptop, netStumbler will even provide the geographic location (latitude and longitude) of APs it locates.
A disciplined walk around the perimeter of buildings, offices, or your "campus" with a wireless-enabled laptop or handheld device, and one of these tools, might be all you need for determining whether you've adequately reduced your exposure, but some caveats apply. Surveyors may not be able to travel unrestricted in a multi-story office building, and GPS, which relies on satellite reception, may not work well indoors. Also remember that it's unlikely you can entirely confine radio transmission from your APs (and clients) within physically secured premises. Bear in mind that sophisticated war-drivers will use more powerful antennae than you'll typically find in WLAN PC cards. It's also a good idea to carry some documentation authorizing you to perform this penetration testing activity: laws against war-driving are beginning to appear in several states, and even where laws are not in place, law enforcement personnel now take a dim view of perceived war-driving activity.
In addition to assisting you in your site survey, the 'stumblers, AP sniffers, and WLAN NIC utilities will help you perform basic WLAN discovery operations. During this phase, you want to enumerate SSIDs in use and identify any peer-to-peer (ad hoc) WLANs in operation. Confirm that SSIDs in use conform to your policy; e.g., they are long and hard to guess, not default or blank. Locate the operators of rogue APs and ad hoc networks and either shut them down or bring them under your administrative control. If you have a gadget budget, you might want to look at handheld devices and adapters designed for WLAN discovery such as AirMagnet and WaveRunner. In addition to serving as deployment verification tools, they can also serve you well when you must troubleshoot wireless networks, assess capacity and utilization, etc.
WLAN Security Auditing
In addition to the typical information you would gather in a security audit, you'll want to enumerate the MAC addresses operating on your WLANs, confirm that your APs and clients use WEP, and learn whether IEEE 802.11 beacon frame broadcasts are suppressed (if this is how you configured your AP to operate). Any LAN analyzer that can scan radio channels and parse 802.11 is good for these tasks. In addition, LAN analyzers that can parse application payloads are also good for identifying protocols in use, servers and shares accessed from the WLAN, etc.
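The discovery checks (SSID policy, ad hoc networks, rogue APs) and the audit checks (enumerate MAC addresses, confirm WEP is on) can both be run over the export of whatever stumbler or analyzer you walked the building with. This is an added example, not code from the article or from any of the tools it names: the survey export, the authorized BSSID list, and the list of factory-default SSIDs are all constructed for the example, and the field names are an assumed export layout rather than any product's real format.

```python
import csv
import io

# Constructed survey export (not real data): one line per BSS seen on the walk.
SURVEY_EXPORT = """\
bssid,ssid,channel,mode,privacy
00:11:22:33:44:01,corp-floor2-x7q,1,ap,on
00:11:22:33:44:02,corp-floor2-x7q,6,ap,off
00:11:22:33:44:03,,11,ap,off
00:aa:bb:cc:dd:01,linksys,6,ap,off
00:aa:bb:cc:dd:02,team-share,11,adhoc,off
"""

# BSSIDs of the APs we installed (hypothetical); anything else is not ours.
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}
# Factory SSIDs commonly left in place (constructed list for this example).
DEFAULT_SSIDS = {"default", "linksys", "tsunami", "wireless"}
MIN_SSID_LENGTH = 8


def parse_export(text):
    """Read the export into one dict per BSS; this also enumerates every MAC seen."""
    return list(csv.DictReader(io.StringIO(text)))


def ssid_policy_violations(ssid):
    """Policy from the article: not blank, not a default, long enough to be hard to guess."""
    if not ssid:
        return ["blank SSID"]
    if ssid.lower() in DEFAULT_SSIDS:
        return ["default SSID"]
    if len(ssid) < MIN_SSID_LENGTH:
        return ["short SSID"]
    return []


def audit(records):
    """Map each BSSID seen to its findings; an empty list means it passed."""
    findings = {}
    for r in records:
        issues = ssid_policy_violations(r["ssid"])
        if r["mode"] == "adhoc":
            issues.append("ad hoc network: locate operator, shut down or adopt")
        elif r["bssid"] not in AUTHORIZED_BSSIDS:
            issues.append("unknown AP: possible rogue, locate operator")
        elif r["privacy"] != "on":
            issues.append("WEP not enabled on our AP")
        findings[r["bssid"]] = issues
    return findings


if __name__ == "__main__":
    for bssid, issues in audit(parse_export(SURVEY_EXPORT)).items():
        print(bssid, issues or "ok")
```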
Commercial WLAN analysis software like AiroPeek and Surveyor Wireless captures and parses IEEE 802.11 management and Ethernet-framed traffic, and can be used to enumerate active MAC addresses, IP addresses in use, protocols used, servers accessed, file and printer shares, etc. For those with a freeware budget, Ethereal can capture Ethernet-framed traffic, so it is helpful in identifying MAC and IP addresses, etc., but there's currently no IEEE 802.11 management frame support with any NIC under Windows, and only a few under Linux.
WLAN Vulnerability Assessment
You can scan APs and WLAN clients using many of the free- and shareware tools we've mentioned in earlier columns (nmap, superscan, GNIT, CIS...). In particular, look for telnet, HTTP and SSH "listening" services on your APs. These services are commonly used for AP management, so confirm they have been password protected. Then take advantage of any self-protecting access controls the APs might offer.
Some commercial network vulnerability assessment tools are WLAN-specific: Wireless Scanner, for example, probes WLAN from the wired LAN and reports on security violations and vulnerabilities the scanner was able to exploit. Its manufacturer, ISS, also does a good job of explaining how you can mitigate the vulnerabilities identified.
"Only the beginning... What I want to feel forever..."
Sixties music lovers in general and Chicago Transit Authority junkies in particular will recognize this line from the song, "Beginnings." At the risk of dating myself, the music is très apropos (wait while I turn off my black light). What you want to "feel forever" is secure in your WLAN deployment. Careful planning, surveying, discovery and assessment are critical to reducing exposure that WLANs introduce.
But it's "only just the start..." I recently wrote a white paper for WatchGuard entitled, "Security Out of Thin Air: Layered Security Practices for Incorporating Wireless LANS into Intranets." The paper provides a checklist for implementing physical, infrastructure, and perimeter security for WLANs. Now that we've armed you with the tools for these practices for creating security out of thin air, read (or re-read) the white paper, and make certain you implement the remaining layered security practices described therein.
Then repeat your site survey and vulnerability assessment on a regular basis, and conduct periodic spot checks or continuous WLAN analyses, depending on your requirements, time and talent. You wouldn't look at your firewall log just once to see whether your protected network was safe; you keep analyzing it for changes and adapting your security measures. The same holds true for WLANs.
Copyright© 2003, WatchGuard Technologies, Inc. All rights reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries.