Search in ISMS Guides


Thursday, July 26, 2007

Wireless LAN Security

From Wikipedia, the free encyclopedia

One issue with corporate wireless networks in general, and WLANs in particular, involves the need for security. Many early access points could not discern whether or not a particular user had authorization to access the network. Although this problem reflects issues that have long troubled many types of wired networks (it has been possible in the past for individuals to plug computers into randomly available Ethernet jacks and get access to a local network), this did not usually pose a significant problem, since many organizations had reasonably good physical security. However, the fact that radio signals bleed outside of buildings and across property lines makes physical security largely irrelevant to wardrivers. Such corporate issues are covered in wireless security.


Anyone within the geographical network range of an open, unencrypted wireless network can sniff on all the traffic, gain unauthorized access to internal network resources as well as to the Internet, possibly sending spam or doing other illegal actions using the owner's IP address, all of which are rare for home routers but may be significant concerns for office networks.

If router security is not activated, or if the owner deactivates it for convenience, it creates a free hotspot. Further, virtually all laptop PCs now have Wireless Networking built in (cf. Intel 'Centrino' technology), thus rendering redundant the need for a third-party adapter (usually a PCMCIA Card or USB dongle). These features might be enabled by default, without the owner ever realizing it, thus broadcasting the laptop's accessibility to any computer nearby.

Modern operating systems such as Linux, Mac OS, or Microsoft Windows XP as the 'standard' in home PCs make it very easy to set up a PC as a Wireless LAN 'basestation' and using Internet Connection Sharing, thus allowing all the PCs in the home to access the Internet via the 'base' PC. However, lack of knowledge about the security issues in setting up such systems often means that someone nearby, such as a next-door neighbor, may also use the internet connection. This is typically done without the wireless network owner's knowledge; it may even be without the knowledge of the intruding user if his computer automatically selects a nearby unsecured wireless network to use as an access point.

Conversely, weak as the default encryption of most routers may be, it often defeats a user's attempt to use his own laptop wirelessly at home.

Security options

There are three principal ways to secure a wireless network.

* For closed networks (like home users and organizations) the by far most common way is to configure access restrictions in the access points. Those restrictions may include encryption and checks on MAC address.
* For commercial providers, hotspots and large organizations, the preferred solution is often to have an open, unencrypted but completely isolated wireless network. The users will at first have no access to the internet nor to any local network resources. Commercial providers usually forward all web traffic to a captive portal which provides for payment and/or authorization. Another solution is to require the users to connect securely to a privileged network using VPN.
* Wireless networks are little more secure than wired ones; in many offices intruders can easily visit and hook up their own computer to the wired network without problems, gaining access to the network, and it's also often possible for remote intruders to gain access to the network through backdoors like Back Orifice. One general solution may be end-to-end encryption, with independent authentication on all resources that shouldn't be available to the public.

Access Control at the Access Point level

One of the simplest techniques is to only allow access from known, approved MAC addresses. However, this approach gives no security against sniffing, and client devices can easily spoof MAC addresses, leading to the need for more advanced security measures.

Another very simple technique is to have a secret ESSID (id/name of the wireless network), though anyone who studies the method will be able to sniff the ESSID.

Today all (or almost all) access points incorporate Wired Equivalent Privacy (WEP) encryption and most wireless routers are sold with WEP turned on. However, security analysts have criticized WEP's inadequacies, and the U.S. FBI has demonstrated the ability to break WEP protection in only 3 minutes using tools available to the general public (see aircrack).

The Wi-Fi Protected Access (WPA and WPA2) security protocols were later created to address these problems. If a weak password, such as a dictionary word or short character string is used, WPA and WPA2 can be cracked. Using a long enough random password (e.g. 14 random letters) or passphrase (e.g. 5 randomly chosen words) makes pre-shared key WPA virtually uncrackable. The second generation of the WPA security protocol (WPA2) is based on the final IEEE 802.11i amendment to the 802.11 standard and is eligible for FIPS 140-2 compliance. With all those encryption schemes, any client in the network that knows the keys can read all the traffic.

Restricted access networks

Solutions include a newer system for authentication, IEEE 802.1x, that promises to enhance security on both wired and wireless networks. Wireless access points that incorporate technologies like these often also have routers built in, thus becoming wireless gateways.

End-to-End encryption

One can argue that neither encryption in the router level nor VPN is good enough for protecting valuable data like passwords and personal emails; those technologies add encryption only to parts of the communication path, still allowing people to spy on the traffic if they have gained access to the wired network somehow. The solution may be encryption and authorization in the software layer, using technologies like SSL, SSH, GnuPG, PGP and similar.

The disadvantage with this approach is that it can be difficult to cover all the traffic - with encryption on the router level, or VPN, it's just one switch to get all traffic encrypted (even UDP and DNS lookups), while with end-to-end encryption, one has to "turn on encryption" for each and every service one wants to use, and quite often also for each and every connection. For sending emails, all the recipients must support the encryption and keys have to be exchanged. For web, not all web sites offer https - and even if using end-to-end-encryption on everything, the IP-addresses you communicate with will go in clear text. Say, if you frequent the Playboy Magazine, your mother-in-law may find it out, even if https hides the contents.

The most prized resource is often access to Internet. An office LAN owner seeking to restrict such access will face the non trivial enforcement task of having each user authenticate himself for the router.

Open Access Points

Today, there is almost full wireless network coverage in many urban areas - the infrastructure for the wireless community network (which some consider to be the future of the internet) is already in place. One could roam around and always be connected to Internet if the nodes were open to the public, but due to security concerns, most nodes are encrypted and the users don't know how to disable encryption. Many people consider it proper etiquette to leave access points open to the public, allowing free access to Internet. Others think the default encryption provides substantial protection at small inconvenience, against dangers of open access that they fear may be substantial even on a home DSL router.

The density of access points can even be a problem - there are a limited number of channels available, and they partly overlap. Each channel can handle multiple networks, but places with many private wireless networks (for example, apartment complexes), the limited number of Wi-Fi radio channels might cause slowness and other problems.

According to the advocates of Open Access Points, it shouldn't involve any significant risks to open up wireless networks for the public:

* The wireless network is after all confined to a small geographical area. A computer connected to the Internet and having improper configurations or other security problems can be exploited by anyone from anywhere in the world, while only clients in a small geographical range can exploit an open wireless access point. Thus the exposure is low with an open wireless access point, and the risks with having an open wireless network are small. However, one should be aware that an open wireless router will give access to the local network, often including access to file shares and printers.
* The only way to keep communication truly secure is to use end-to-end encryption. For example, when accessing an internet bank, one would almost always use strong encryption from the web browser and all the way to the bank - thus it shouldn't be risky to do banking over an unencrypted wireless network. The argument is that anyone can sniff the traffic applies to wired networks too, where system administrators and possible crackers have access to the links and can read the traffic. Also, anyone knowing the keys for an encrypted wireless network can gain access to the data being transferred over the network.
* If services like file shares, access to printers etc. are available on the local net, it is advisable to have authentication (i.e. by password) for accessing it (one should never assume that the private network is not accessible from the outside). Correctly set up, it should be safe to allow access to the local network to outsiders.
* With the most popular encryption algorithms today, a sniffer will usually be able to compute the network key in a few minutes.
* It is very common to pay a fixed monthly fee for the Internet connection, and not for the traffic - thus extra traffic will not hurt.
* Where Internet connections are plentiful and cheap, freeloaders will seldom be a prominent nuisance.

No comments: