Republished with permission from WatchGuard Technologies, Inc.
Stopping WiFi Intruders
[Editor's note: WatchGuard is proud to present the best article we've ever seen on securing wireless networks. With 15 practical steps you can take, and over 40 links to Web pages explaining various aspects of wireless security, Lisa's article provides a great starting point to help you do wireless as safely as it can be done today. Grab a cup of coffee (or whatever beverage helps you relax and think) and dive into this virtual encyclopedia of wireless. Enjoy! --Scott Pinzon]
802.11b wireless LANs (WLANs), commonly known as "WiFi", are spreading like wildfire in corporate networks, large and small. Companies are deploying WiFi in conference rooms, warehouses, and other "hot spots" to increase business efficiency. Rogue WLANs are springing up in labs, offices, and cubicles. According to WLANA, 4.5 million WiFi products were sold worldwide in 2001.
Think your company doesn't have WiFi? Think again. WiFi is creeping into corporate networks through that famous backdoor: the home office. According to Dell'Oro, WiFi SOHO revenue jumped to $200 million in 4Q01. Every consumer PC now ships with WiFi support in Windows XP. New laptops offer WiFi as a NIC option. Sub-$100 NICs, $200 gateways, and affordable WLAN kits have eliminated the financial barriers to entry for most techies.
Does your workforce travel? Wireless Internet access can be found in a growing number of hotels, conference centers, airports -- even your neighborhood Starbucks. Community networks like the Bay Area Wireless Users Group and Seattle Wireless make WiFi freely available to anyone passing through. It's never been easier to spy on your fellow traveler.
Even if your company is untouched by WiFi, that won't last long. Begin planning for WLAN deployment now by assessing security risks, developing policies, and implementing security measures to maintain the integrity and security of your company's network.
IEEE 802.11b standards include Shared Key authentication and Wired Equivalent Privacy (WEP) encryption. Most products offer these security measures, but surveys indicate nearly 70% of today's WLANs do not use them. In his 802.11-Planet conference keynote, WECA Marketing Co-Chair T. K. Tan said, "The most common WLAN mistake is that users get so excited about WiFi, they forget all about security."
Don't be one of those over-excited users. Remember that wireless is a broadcast radio medium, easy to "airtap" (the wireless equivalent of a wiretap; see "Wireless Networks Can Allow 'Airtapping'"). By default, most WiFi products are configured for Open System (null) authentication, which accepts any client that asks. Wireless sniffers like NetStumbler and AiroPeek can easily discover WiFi network interface cards (NICs), access points (APs), and networks. Using a NIC, antenna, GPS, and a sniffer, "war drivers" roam the streets, creating WiFi maps like this one.
WEP can prevent casual eavesdropping, but serious vulnerabilities have been identified by AT&T Labs, U. C. Berkeley, Intel, and University of Maryland researchers. WEP prepends a 24-bit initialization vector (IV), sent in the clear, to the shared key and feeds the result to RC4. The small IV space forces keystream reuse, and certain IV values leak information about the key through RC4's key schedule. Tools like AirSnort (covered in Wired magazine) and WEPCrack passively capture WiFi packets and use these weaknesses to recover WEP keys. Unlike SSL/TLS or IPsec/IKE, 802.11b provides no automated key distribution, so a compromised key is likely to remain in use for a long time.
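The keystream-reuse problem behind these attacks, as an added illustration that is not code from the original article: a minimal WEP encryptor (RC4 keyed with IV || shared key, CRC-32 integrity value) and the attacker's side of an IV collision. It demonstrates keystream reuse and keyless forgery, not the key-recovery attack AirSnort implements. The 40-bit key, the IV counter that restarts at 0, and the frame contents are constructed for the demo; the LLC/SNAP header is the real, predictable prefix of every IP frame on 802.11.

```python
"""Keystream reuse in WEP (added example; not code from the original article).

WEP seeds RC4 with IV || shared key. The IV is 24 bits, travels in the clear,
and nothing stops it repeating: cards that count from 0 repeat after every
reset, and random IVs repeat by the birthday bound after a few thousand frames.
Frames that share an IV share a keystream, so one known plaintext exposes
every other frame sent under that IV and lets an attacker forge frames too.
"""
import math
import zlib

IV_LEN = 3    # 24-bit IV, sent in the clear ahead of the ciphertext
ICV_LEN = 4   # CRC-32 "integrity check value", appended before encryption

LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")   # start of every IP data frame
KEY_40 = bytes.fromhex("0102030405")              # constructed 40-bit shared key
FIRST_IV = (0).to_bytes(IV_LEN, "little")         # a card that starts at 0 after reset
ATTACKER_PAYLOAD = LLC_SNAP_IP + b"ping from attacker " * 3   # plaintext the attacker chose
VICTIM_PAYLOAD = LLC_SNAP_IP + b"POP3: USER bob PASS s3cret!!"  # constructed victim traffic


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling algorithm, then `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(payload: bytes) -> bytes:
    return zlib.crc32(payload).to_bytes(ICV_LEN, "little")


def wep_encrypt(iv: bytes, key: bytes, payload: bytes) -> bytes:
    """Frame body as WEP sends it: IV || RC4(IV||key) XOR (payload || CRC32(payload))."""
    data = payload + icv(payload)
    return iv + xor(data, rc4(iv + key, len(data)))


def wep_decrypt(frame: bytes, key: bytes) -> bytes:
    """Receiver side: strip the IV, regenerate the keystream, verify the ICV."""
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    data = xor(body, rc4(iv + key, len(body)))
    payload, tag = data[:-ICV_LEN], data[-ICV_LEN:]
    if icv(payload) != tag:
        raise ValueError("bad ICV")
    return payload


def keystream_from_known_plaintext(frame: bytes, known_payload: bytes) -> bytes:
    """Attacker side: one frame with known payload (e.g. a packet the attacker sent
    into the WLAN from the Internet) yields the whole keystream for its IV."""
    return xor(frame[IV_LEN:], known_payload + icv(known_payload))


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Attacker side: any other frame under the same IV falls to that keystream."""
    body = frame[IV_LEN:]
    if len(keystream) < len(body):
        raise ValueError("known plaintext shorter than target; only a prefix is recoverable")
    return xor(body, keystream)[:-ICV_LEN]


def forge_frame(iv: bytes, keystream: bytes, payload: bytes) -> bytes:
    """Attacker side: the CRC is keyless, so a valid frame needs no key at all."""
    data = payload + icv(payload)
    return iv + xor(data, keystream)


def iv_collision_probability(frames: int) -> float:
    """Birthday bound for a card that picks 24-bit IVs at random."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2 * 2 ** 24))


def demo() -> dict:
    """Two stations (or one station after a reset) both send their first frame
    under IV 000000, so both frames use the same per-packet key and keystream."""
    attacker_frame = wep_encrypt(FIRST_IV, KEY_40, ATTACKER_PAYLOAD)
    victim_frame = wep_encrypt(FIRST_IV, KEY_40, VICTIM_PAYLOAD)
    ks = keystream_from_known_plaintext(attacker_frame, ATTACKER_PAYLOAD)
    forged = forge_frame(FIRST_IV, ks, LLC_SNAP_IP + b"injected")
    return {
        "recovered": decrypt_with_keystream(victim_frame, ks),
        "forged_accepted": wep_decrypt(forged, KEY_40),   # AP accepts it without complaint
        "p_collision_5000_random_ivs": iv_collision_probability(5000),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Rotating the key (checklist item 8) limits how long a recovered keystream stays useful, and avoiding cards that restart the IV at 0 (item 7) makes the collision shown here less immediate, but nothing in WEP itself prevents it: with random IVs the chance of a repeat already passes 50% after about 5,000 frames.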
WiFi Security Checklist
The IEEE 802.1X and 802.11i task groups are busy developing better authentication, key distribution, and encryption standards for wireless. Until those improvements are ready, take these steps to secure the WiFi in your network today.
1. Each WiFi network is identified by a Service Set ID (SSID), used by NICs to associate with access points (APs). Factory-default SSIDs invite intruders. Configure long, hard-to-guess SSIDs. Disallow blank or “any” SSIDs. If your AP permits, turn off beacon packets that broadcast SSID. SSIDs may still be sniffed by intruders, but visitor or neighbor NICs are less likely to accidentally associate with your AP.
2. Inventory MAC addresses so that your AP can deny access to lost or stolen NICs. Some APs can check MAC addresses by consulting a local access control list (ACL) or RADIUS server. Although MAC addresses can be forged, MAC ACLs can be your first line of defense.
3. Extend LAN-level security into the wired subnet behind your AP. For example, use static ARP on that subnet to prevent ARP cache poisoning by intruder NICs. Use 802.1Q VLAN tagging to segregate wireless traffic as it moves through your wired network.
4. Don't let your AP's Dynamic Host Configuration Protocol (DHCP) server lease dynamic IPs to just anyone. An intruder that associates with your AP still needs a valid IP address to access your wired network. Configure your AP to hand out fixed, reserved addresses only to inventoried MACs and to refuse unknown clients.
5. Treat WLANs as untrusted networks! Many rogue APs -- and a surprising number of authorized APs -- are incorrectly deployed behind corporate firewalls. Insert a firewall between wireless APs and your corporate network or deploy APs behind your Firebox’s DMZ interface. Use Firebox rules and authentication to ensure that only authorized users can gain access to wired network resources.
6. Secure wireless APs and client PCs as you would any other public-facing device. On your AP, turn off unused services, configure strong passwords, and use secure management channels. On your client PCs, deploy anti-virus and personal firewall software to prevent exploits. To limit exposure in peer-to-peer wireless attacks from other PCs accessing the network, disable file sharing, and consider encrypting the files on your hard drives.
Users surfing the Web over wireless may think they have nothing to hide. Unfortunately, cleartext WiFi is at risk for many other attacks. Wireless sniffers and tools like dsniff and WebSpy can grab MAC, IP, and e-mail addresses, server names, logins and passwords -- juicy tidbits an intruder can stockpile and exploit at his leisure. Furthermore, tools from the dsniff suite (e.g., arpspoof and dnsspoof) enable wireless session hijacking. Because there is no way to stop intruders from transmitting, wireless channels can be jammed and APs can be subjected to DoS attacks. Cryptographic protection reduces the sniffing and hijacking risks; it does nothing against jamming, which only signal control (see the closing section) can limit.
7. Unless you employ cryptographic protection at another level (see 9-11), turn Wired Equivalent Privacy (WEP) on. Avoid weak keys and 40-bit ASCII key generators: a key derived from a short passphrase has far fewer than 2^40 possibilities and can simply be guessed. Steer clear of NICs that start the WEP initialization vector at 0 and increment by 1, since every reset then repeats the same IVs and keystreams. WEP keys are shared by all NICs connected to an AP, so consider the risk of theft when using products that store cleartext WEP keys on disk or on the NIC (Cisco Aironet 340).
8. Update your WEP keys at regular intervals. Manual key updates are really only practical in SOHO and small business WLANs. Larger WLANs can benefit from WiFi products that automate key derivation and distribution, like Cisco Aironet (LEAP), Agere ORiNOCO (Diffie Hellman, EAP) or NextComm (Key Hopping).
9. If you have a mobile user VPN for remote access, extend it to WiFi clients. Use existing PPTP or IPsec client software to tunnel through APs to your Firebox. If your Firebox is heavily utilized, increase capacity -- 802.11b WLANs can push up to 11 Mbps. Alternatively, consider using a wireless access concentrator with built-in PPTP/IPsec, like the Bluesocket WG-1000.
10. WiFi clients that roam from AP to AP receive new IP addresses, requiring PPTP or IPsec tunnel re-establishment. If your clients really need to roam without session interruption, consider deploying a wireless "VPN" based on proprietary (NetMotion), WTLS (Columbitech), or Mobile IP (Ecutel) protocols.
11. If you use any of the following measures to secure remote access to your corporate network today, apply them to WiFi clients as well: SSH and SFTP can authenticate and encrypt WiFi client access to e-mail and file servers on your wired network. SSL/TLS can secure wireless access to Web portals. E-mail over wireless can be protected with PGP or S/MIME.
12. As you roll out Windows XP and Public Key Infrastructure, consider authenticating WiFi clients with computer certificates. By combining Windows XP with APs and RADIUS/Kerberos servers that support 802.1X, you can block AP access by unauthorized NICs. Windows XP uses Extensible Authentication Protocol - Transport Layer Security (EAP-TLS) to create a mutually-authenticated, encrypted path for port-level authentication and session key delivery, eliminating manual key distribution and reducing the risk of compromised keys.
Forewarned Is Forearmed
13. Begin your WiFi rollout with a thorough vulnerability assessment. Assess business needs and WiFi risks, developing a wireless security policy for your company. Implement the measures enumerated here and elsewhere to reflect your policy. Repeat your vulnerability assessment at regular intervals.
14. To dig deeper, use a commercial tool like NAI Sniffer Wireless or WildPackets AiroPeek to examine wireless and adjacent wired network traffic. Watch for 802.11b association requests with invalid SSIDs, unfamiliar MAC and IP addresses, rejected DHCP requests, or ICMP port unreachables to your DNS server. Each may signal intruder activity.
15. Evaluate vulnerabilities associated with your APs and their placement in your wired network. Use vulnerability scanners or consulting services specifically designed to assess wireless APs (for example, Cigital). Use active intrusion detection to monitor ongoing activity near your AP (for example, ISS RealSecure IDS).
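The symptoms item 14 lists, turned into detection logic as an added example that is not code from the original article: a small Python scanner that checks AP, dhcpd-style and firewall log lines against the NIC inventory from item 2 and the fixed-address plan from item 4. The SSID, MAC and IP addresses, log formats and log lines are all constructed for the demo; real APs and firewalls log in their own formats, so the regular expressions would need adjusting for a real site.

```python
"""Flag intruder symptoms in WLAN-related logs (added example; not from the article).

Checks each constructed log line for: association or probe with the wrong SSID,
NICs outside the MAC inventory, DHCP requests from unknown NICs or rejected by
the server, leases outside the planned static addresses, and ICMP port
unreachables between the DNS server and an unfamiliar host.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# --- site inventory (constructed values) --------------------------------
AUTHORIZED_SSIDS = {"c0rpn3t-x7Lq9"}
AUTHORIZED_MACS = {"00:40:96:a1:b2:c3", "00:02:2d:11:22:33"}   # inventoried NICs
AUTHORIZED_IPS = {"192.168.50.10", "192.168.50.11"}            # fixed leases for them
DNS_SERVER = "192.168.1.53"

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# Log formats are assumptions for this demo: "apNN:" lines from the access point,
# ISC-dhcpd-style lines, and "fwNN:" ICMP lines from the firewall.
ASSOC_RE = re.compile(rf'\bap\S*: (?:assoc|probe) mac=(?P<mac>{MAC}) ssid="(?P<ssid>[^"]*)"')
DHCP_REQ_RE = re.compile(rf"dhcpd: (?P<msg>DHCPDISCOVER|DHCPREQUEST) (?:for (?P<ip>{IP}) )?from (?P<mac>{MAC})")
DHCP_REPLY_RE = re.compile(rf"dhcpd: (?P<msg>DHCPACK|DHCPNAK) on (?P<ip>{IP}) to (?P<mac>{MAC})")
ICMP_RE = re.compile(rf"\bfw\S*: icmp type=3 code=3 src=(?P<src>{IP}) dst=(?P<dst>{IP})")


@dataclass
class Alert:
    line_no: int
    reason: str
    line: str


def check_line(line: str) -> List[str]:
    """Return the reasons (possibly none) that one log line looks like intruder activity."""
    reasons = []
    if m := ASSOC_RE.search(line):
        if m["ssid"] not in AUTHORIZED_SSIDS:
            reasons.append(f"association attempt with unexpected SSID {m['ssid']!r}")
        if m["mac"] not in AUTHORIZED_MACS:
            reasons.append(f"unknown NIC {m['mac']} at the AP")
    elif m := DHCP_REQ_RE.search(line):
        if m["mac"] not in AUTHORIZED_MACS:
            reasons.append(f"{m['msg']} from unknown NIC {m['mac']}")
    elif m := DHCP_REPLY_RE.search(line):
        if m["msg"] == "DHCPNAK":
            reasons.append(f"rejected DHCP request from {m['mac']} for {m['ip']}")
        elif m["mac"] not in AUTHORIZED_MACS or m["ip"] not in AUTHORIZED_IPS:
            reasons.append(f"lease of {m['ip']} to {m['mac']} outside the static plan")
    elif m := ICMP_RE.search(line):
        if DNS_SERVER in (m["src"], m["dst"]):
            other = m["dst"] if m["src"] == DNS_SERVER else m["src"]
            if other not in AUTHORIZED_IPS:
                reasons.append(f"ICMP port unreachable between DNS and unfamiliar host {other}")
    return reasons


def scan(lines: Iterable[str]) -> List[Alert]:
    return [Alert(n, r, line) for n, line in enumerate(lines, 1) for r in check_line(line)]


# Constructed log: an inventoried laptop, then an intruder who first probes with
# SSID "any", then reuses the sniffed SSID, fails to get a lease, and hits the DNS server.
SAMPLE_LOG = """\
ap01: assoc mac=00:40:96:a1:b2:c3 ssid="c0rpn3t-x7Lq9"
dhcpd: DHCPREQUEST for 192.168.50.10 from 00:40:96:a1:b2:c3 via wlan0
dhcpd: DHCPACK on 192.168.50.10 to 00:40:96:a1:b2:c3 via wlan0
ap01: probe mac=00:0c:41:de:ad:01 ssid="any"
ap01: assoc mac=00:0c:41:de:ad:01 ssid="c0rpn3t-x7Lq9"
dhcpd: DHCPDISCOVER from 00:0c:41:de:ad:01 via wlan0
dhcpd: DHCPNAK on 192.168.50.77 to 00:0c:41:de:ad:01 via wlan0
fw01: icmp type=3 code=3 src=192.168.1.53 dst=192.168.50.77
""".splitlines()


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.reason}")
```

The authorized laptop produces no alerts; the intruder trips five distinct checks across lines 4 to 8. A single unknown MAC is worth a look; an unknown MAC followed by a rejected lease and probes at the DNS server is the pattern item 14 describes and deserves an immediate response.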
Of course, you should assess your WiFi signal coverage, positioning antennas to minimize leakage and reduce your exposure to AP DoS attacks. When doing so, think several hundred feet in 3D. Walls and floors may reduce signal strength, but never count on them to protect your WLAN from intruders. There are no short cuts. If you want to keep your network secure, you have to deploy appropriate security measures to address the risks inherent in 802.11b wireless.
"Wireless Insecurities": Information Security cover story, January 2002, covering PDA weaknesses and wireless VPNs
For more helpful articles, see our LiveSecurity Archive.
Copyright© 2002, WatchGuard Technologies, Inc. All rights reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries.