Wireless security
Wireless networks are very common, both for organizations and individuals. Many laptop computers have wireless cards pre-installed for the buyer. The ability to enter a network while mobile has great benefits. However, wireless networking has many security issues. Hackers have found wireless networks relatively easy to break into, and even use wireless technology to hack into non-wireless networks. Network administrators must be aware of these risks, and stay up-to-date on any new risks that arise. Also, users of wireless equipment must be aware of these risks, so as to take personal protective measures.
=Security Risks=
The risks to users of wireless technology are many and are growing as more people switch to wireless networks. When wireless was new the dangers were small: hackers had not yet had time to latch on to the new technology, and wireless was not commonly found in the workplace. Currently, however, a great number of security risks are associated with wireless technology. Some issues are obvious and some are not. At a corporate level, it is the responsibility of the IT department to keep up to date with the types of threats and the appropriate countermeasures to deploy. Security threats are growing in the wireless arena. Hackers have learned that there are many vulnerabilities in the current wireless protocols and encryption methods, and in the carelessness and ignorance that exists at the user and corporate IT level. Hacking methods have become much more sophisticated and innovative with wireless. Hacking has also become much easier and more accessible, with easy-to-use Windows-based tools being made available on the web at no charge. IT personnel should be somewhat familiar with what these tools can do and how to counteract the hacking that stems from them.
==Wireless being used to hack into non-wired networks==
Some organizations that have no wireless access points installed do not feel that they need to address wireless security concerns. This is a common but mistaken inference. In-Stat MDR and META Group have estimated that 95% of all corporate laptop computers that will be purchased in 2005 will be equipped with wireless. Issues can arise in a supposedly non-wireless organization when a wireless laptop is plugged into the corporate network. A hacker could sit out in the parking lot, break in through the wireless card on a laptop, and gain access to the wired network. This problem is aggravated by what is referred to as the transient nature of wireless and Windows XP: the default settings for Windows cause a wireless laptop to be more than eager to make connections with any open network or access point it can reach. Another issue for companies that are not yet wireless is that they are not immune to well-meaning employees bringing in their own access points. This can be a major security risk. If no security measures are implemented at these access points, it is no different from providing a patch cable out the back door for hackers to plug into whenever they wish.
=Types of unauthorized access to company networks=
==Accidental Association==
Unauthorized access to company wireless and wired networks can come from a number of different methods and intents. One of these methods is referred to as accidental association. This is when a user turns on their computer and it latches on to a wireless access point from a neighboring company's overlapping network. The user may not even know that this has occurred. However, this is a security breach in that proprietary company information is exposed, and now a link could exist from one company to the other. This is especially true if the laptop is also hooked to a wired network.
==Malicious Association==
A malicious association occurs when a hacker actively causes wireless devices to connect to a company network through his/her hacking laptop instead of a company access point (AP). Such laptops are known as soft APs and are created when a hacker runs software that makes his/her wireless network card look like a legitimate access point. Once the hacker has gained access, he/she can steal passwords, launch attacks on the wired network, or plant trojans. Since wireless networks operate in the Layer-2 world, Layer-3 protections such as network authentication and virtual private networks (VPNs) offer no protection. Wireless 802.1X authentication does help with protection but is still vulnerable to hacking. The idea behind this type of attack may not be to break into a VPN or other security measures; most likely the hacker is just trying to take over the client at the Layer-2 level.
==Ad-Hoc Networks==
Ad-hoc networks also pose a large security threat. Ad-hoc networks are defined as peer-to-peer networks between two wireless computers that do not have an access point between them. These types of networks usually have little security.
==Non-Traditional Networks==
Non-traditional networks such as personal-network Bluetooth devices are not safe from hacking and should be regarded as a security risk. Even bar code scanners, handheld personal digital assistants (PDAs), and wireless printers and copiers should be secured. These non-traditional networks can easily be overlooked by IT personnel who have focused narrowly on laptops and APs.
==Identity Theft (MAC Spoofing)==
Identity theft (or MAC spoofing) occurs when a hacker is able to listen in on network traffic and identify the MAC ID of a computer with network privileges. Most wireless systems allow some kind of MAC filtering so that only authorized computers with specific MAC IDs can gain access and use the network. However, a number of programs exist that have network sniffing capabilities. Combine these programs with other software that allows a computer to pretend it has any MAC address the hacker desires, and the hacker can easily get around that hurdle.
==Man-In-The-Middle Attacks==
A man-in-the-middle attack is one of the more sophisticated attacks that have been cleverly thought up by hackers. This attack revolves around the attacker enticing computers to log into his/her computer, which is set up as a soft AP. Once this is done, the hacker connects to a real access point through another wireless card, offering a steady flow of traffic through the transparent hacking computer to the real network. The hacker can then sniff the traffic for user names, passwords, credit card numbers, etc. One type of man-in-the-middle attack relies on security faults in challenge and handshake protocols; it is called a de-authentication attack. This attack forces AP-connected computers to drop their connections and reconnect with the hacker's soft AP. Man-in-the-middle attacks are getting easier to pull off due to freeware such as LANjack and AirJack automating multiple steps of the process. What was once done by cutting-edge hackers can now be done by less knowledgeable and skilled hackers sitting around public and private hot spots. Hotspots are particularly vulnerable to any attack since there is little to no security on these networks.
==Denial of Service==
A denial-of-service attack occurs when an attacker continually bombards a targeted AP or network with bogus requests, premature successful connection messages, failure messages, and/or other commands. These cause legitimate users to be unable to get on the network and may even cause the network to crash. These attacks abuse protocols such as the Extensible Authentication Protocol (EAP) to carry out their dirty work.
==Network Injection==
The final attack to be covered is the network injection attack. A hacker can make use of access points that are exposed to non-filtered network traffic, specifically broadcast network traffic such as Spanning Tree (802.1D), OSPF, RIP, HSRP, etc. The hacker injects bogus networking re-configuration commands that affect routers, switches, and intelligent hubs. A whole network can be brought down in this manner and require rebooting or even reprogramming of all intelligent networking devices.
=Counteracting Risks=
Risks from hackers are sure to remain with us for the foreseeable future. The challenge for IT personnel will be to keep one step ahead of hackers. Members of the IT field need to keep learning about the types of attacks and what countermeasures are available.
==Methods of Counteracting Security Risks==
Fortunately, many different types of security are available today to help secure wireless networks. However, it should be noted that NO method is 100% hack-proof. The best modern strategy available is to use many different security countermeasures in layers. The more layers there are, the more difficult it will be for hackers to gain and maintain a breach, the smaller the pool of hackers able to handle the sophistication required will become, and in some cases the greater the chance they will be discovered. If nothing else, the hackers will see how difficult your company network is to hack into and just move on to the company next door, which will be a much easier target. An analogy would be a person who secures their car in a bad neighborhood with a car alarm, a smart key system, and a steering wheel locking device. Yes, someone can easily cut the steering wheel to remove the locking device. Yes, there are people that can disable a car alarm. Yes, I am sure there are ways for a sophisticated crook to even outsmart the smart key system. However, unless a car thief is really up for a challenge, he/she will just walk on by and look for a car that is much easier pickings. There are four items to keep in mind with security:
# All wireless LAN devices need to be secured
# All company communications need to be secured
# All employees and contractors need to be educated and kept up to date on security
# All company networks need to be actively monitored for security and compliance
The first item on the list is a real source of danger that people tend not to think about. Not only do laptops have to contain updated virus and firewall programs, but wireless connections must be controlled and monitored. Windows and third-party setup programs both come with the ability to set up different types of encryption and authentication. Preferred networks can be specified as well.
Using these types of available tools and settings will help prevent man-in-the-middle attacks and unwanted associations. Our second point is basically that the airwaves need to be secured. There are many ways of doing this and all have their drawbacks. The following lists some security methods that can currently be employed:
==MAC ID filtering==
Most wireless access points contain some type of MAC ID filtering that allows the administrator to permit access only to computers whose wireless adapters have certain MAC IDs. This can be helpful; however, IT personnel must remember that MAC IDs on a network can be faked. Hacking utilities such as SMAC are widely available, and some computer hardware also gives the option in the BIOS to select any desired MAC ID for its built-in network capability.
==Static DHCP==
In combination with MAC ID filtering, using a Dynamic Host Configuration Protocol (DHCP) server that has pre-assigned addresses per MAC ID is a helpful way of keeping undesirables from making an easy connection to APs. Again, there are ways around this, but it does add another lock on your door.
==WEP encryption==
WEP stands for Wired Equivalency Privacy. This encryption standard was the original encryption standard for wireless. As its name implies, this standard was intended to make wireless networks as secure as wired networks. Unfortunately, this never happened, as flaws were quickly discovered and exploited. The freeware utility called WEPCrack can be used by hackers to break in by examining packets and looking for patterns in the encryption. WEP comes in different key sizes. The common key lengths are currently 128- and 256-bit. The longer the better, as it will increase the difficulty for hackers. However, this type of encryption has seen its day come and go. This year a group from the FBI held a demonstration where they used publicly available tools to break a WEP-encrypted network, and it only took three minutes! WEP protection is better than nothing and can even offer more security than the more sophisticated WPA-PSK encryption. The problem is that if a hacker gets a lock on your network, it is only a matter of time until the code is cracked.
==WPA==
WPA stands for Wi-Fi Protected Access. This was created to replace WEP and is a subset of the 802.11i security standard. It combines the dynamic key encryption of TKIP with the mutual authentication of 802.1X. WPA can be very effective; however, there can be serious drawbacks depending on how it is implemented. WPA was designed for use with a RADIUS server for independent authentication, located inside the firewall. The version created for individuals and companies that do not have RADIUS servers is called WPA-PSK. The PSK stands for pre-shared key, and it was a good idea at the time. However, shortly after this method came out, a couple of graduates from Georgia Tech developed a method of cracking it. If a hacker can find only four specific packets in the data stream using a packet analyzer such as Ethereal, a WPA-PSK encrypted network can easily be hacked. WPA with a RADIUS server is set up so that the server does the authentication by a username and password, by a certificate method, or through another server. The best way to set up authentication is to tie the process into a domain log-on. This not only gives employees a familiar way of entry but also provides a method to tie in the user security policies of the company computer network.
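The reason the four handshake packets are enough is that the pre-shared key is derived from nothing but the passphrase and the SSID. The following Python is an added example, not code from the original article: it implements the IEEE 802.11i derivation of the Pairwise Master Key (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt), checks itself against the standard's published known-answer vector, and shows that the same passphrase on two differently named networks yields unrelated keys, which is why a unique SSID and a long passphrase are the two levers a defender has here. Function names and the sample SSIDs are this example's own.

```python
# Added example (not from the original article): how a WPA/WPA2-Personal
# passphrase becomes the 256-bit Pairwise Master Key (PMK) under IEEE 802.11i.
# PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
# Function names and the sample SSIDs in __main__ are this example's own.
import hashlib

PBKDF2_ITERATIONS = 4096   # fixed by the 802.11i standard
PMK_LENGTH = 32            # 256-bit key
# PBKDF2 with SHA-1 yields 20-byte blocks, so a 32-byte PMK takes two blocks:
# every passphrase guess costs 2 * 4096 HMAC-SHA1 computations.
HMACS_PER_GUESS = 2 * PBKDF2_ITERATIONS

# Known-answer test vector published in IEEE 802.11i (Annex H).
KAT_PASSPHRASE, KAT_SSID = "password", "IEEE"
KAT_PMK_HEX = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the PMK for a WPA/WPA2-Personal network.

    The passphrase must be 8 to 63 printable ASCII characters.  The SSID is
    the PBKDF2 salt, so the same passphrase on two differently named networks
    yields two unrelated keys.  Nothing captured over the air enters this
    computation, which is why a recorded handshake can be tested against
    guesses offline: the only defences are passphrase strength and a salt
    (SSID) that nobody has precomputed tables for.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS,
                               PMK_LENGTH)


def pmk_depends_on_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when two SSIDs give different PMKs for the same passphrase.

    A factory-default SSID lets one precomputed table of PMKs for common
    passphrases be reused against every network with that name; a unique
    SSID forces the 4096-iteration work to be repeated per network.  This is
    the cryptographic reason behind the 'change the default SSID' advice.
    """
    return derive_pmk(passphrase, ssid_a) != derive_pmk(passphrase, ssid_b)


def self_test() -> bool:
    """Check the implementation against the standard's published vector."""
    return derive_pmk(KAT_PASSPHRASE, KAT_SSID).hex() == KAT_PMK_HEX


if __name__ == "__main__":
    print("known-answer test:", "ok" if self_test() else "FAILED")
    print("HMAC-SHA1 computations per passphrase guess:", HMACS_PER_GUESS)
    # Constructed SSIDs: a vendor-style default name versus a site-specific one.
    print("same passphrase, different SSID -> different PMK:",
          pmk_depends_on_ssid("correct horse battery staple",
                              "default", "bldg7-staff-5c2a"))
```

The 4096 iterations are a fixed cost per guess, so the only variable a defender controls is how many guesses are needed: passphrase length and a per-site SSID do the work, and the same derivation is what a RADIUS-backed (WPA-Enterprise) deployment avoids by never having a shared passphrase at all.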
==WPA2==
This is the second generation of WPA. WPA2 provides both consumer and enterprise Wi-Fi with a higher assurance that a network will be secure. This generation is based on the final 802.11i amendment. It is also eligible for FIPS 140-2 compliance. The 140-2 standard is a US and Canadian standard for certifying security for sensitive but unclassified information. Organizations that may require this standard for their information technology equipment include banks and healthcare organizations.
==802.1X==
This is an IEEE standard for controlling access to wireless and wired LANs. It provides for authentication and authorization of LAN nodes. This standard defines the Extensible Authentication Protocol (EAP), which uses a central authentication server. Unfortunately, during 2002 a Maryland professor discovered some shortcomings.
==LEAP==
This stands for the Lightweight Extensible Authentication Protocol. This protocol is based on 802.1X and helps minimize the original security flaws by using WEP and a sophisticated key management system. It also uses MAC address authentication. LEAP is not safe from hackers: THC-LeapCracker can be used to break Cisco's version of LEAP and be used against computers connected to an access point in the form of a dictionary attack.
==PEAP==
This stands for Protected Extensible Authentication Protocol. This protocol allows for a secure transport of data, passwords, and encryption keys without the need of a certificate server. This was developed by Cisco, Microsoft, and RSA Security.
==TKIP==
This stands for Temporal Key Integrity Protocol and the acronym is pronounced as tee-kip. This is part of the IEEE 802.11i standard. TKIP implements per-packet key mixing with a re-keying system. It also provides a message integrity check. These avoid the problems of WEP.
==RADIUS==
This stands for Remote Authentication Dial In User Service. It is an authentication, authorization, and accounting (AAA) protocol used for remote network access. This service provides an excellent weapon against hackers. RADIUS was originally proprietary but was later published under ISOC documents RFC 2138 and RFC 2139. The idea is to have an inside server act as a gatekeeper by verifying identities against a username and password that the user has already set. A RADIUS server can also be configured to enforce user policies and restrictions, as well as to record accounting information such as time connected, for billing purposes. A high-end enterprise RADIUS server example is NavisRadius by Lucent Technologies. This particular product can be used by an internet service provider (ISP) for verification and time tracking for billing.
==Smart Cards, USB Tokens, & Software Tokens==
This is a very high form of security. When combined with some server software, the hardware or software card or token uses its internal identity code combined with a user-entered PIN to drive an algorithm that very frequently generates a new encryption code. The server is time-synced to the card or token. This is a very secure way to conduct wireless transmissions. Companies in this area make USB tokens, software tokens, and smart cards; they even make hardware versions that double as an employee picture badge. Currently the safest security measures are smart cards and USB tokens. However, these are expensive. The next safest methods are WPA2 or WPA with a RADIUS server. Any one of the three will provide a good foundation for security.
The third item on the list is to educate both employees and contractors on security risks and personal preventive measures. It is also IT's task to keep the company workers' knowledge base up to date on any new dangers they should be cautious about. If the employees are educated, there is much less chance that anyone will accidentally cause a breach in security by not locking down their laptop or by bringing in a wide-open home access point to extend their mobile range. Employees need to be made aware that company laptop security extends outside their site walls as well. This includes places such as coffee houses, where workers can be the most vulnerable.
The last item on the list deals with 24/7 active defense measures to ensure that the company network is secure and compliant. This can take the form of regularly looking at access point, server, and firewall logs to try to detect any unusual activity. For instance, if any large files went through an access point at 2 AM today, it is time to seriously look into this incident. There are a number of software and hardware devices that can be used to supplement the usual logs and other safety measures.
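For the log review the last item calls for (and the flooding behaviour of the denial-of-service attacks covered earlier), the following Python is an added example, not from the original article: it parses constructed access point log lines in an invented "timestamp key=value" format, flags large transfers during off hours (the 2 AM case in the text), and flags any client address that sends an unusual burst of deauthentication or failed-authentication frames within a sliding window. The format, field names, thresholds and every sample line are assumptions made for the example; a real AP or controller log needs its own parser.

```python
# Added example (not from the original article): a log-review pass over
# constructed access point log lines.  The "<ISO timestamp> key=value ..."
# format, the field names, the thresholds and every sample line below are
# assumptions made for this example.
from collections import defaultdict, deque
from datetime import datetime, timedelta

LARGE_TRANSFER_BYTES = 100 * 1024 * 1024   # 100 MiB in one session record
OFF_HOURS = range(0, 6)                      # 00:00 to 05:59 local time
FLOOD_WINDOW = timedelta(seconds=60)
FLOOD_THRESHOLD = 20                         # auth/deauth events per client per window
FLOOD_EVENTS = {"deauth", "auth-fail"}


def parse_line(line: str):
    """Parse one log line into a dict, or return None for malformed input."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        record = {"ts": datetime.fromisoformat(parts[0])}
    except ValueError:
        return None
    for field in parts[1:]:
        if "=" in field:
            key, value = field.split("=", 1)
            record[key] = value
    return record


def find_off_hours_transfers(records):
    """Large data transfers in the small hours (the '2 AM' case in the text)."""
    return [r for r in records
            if r.get("event") == "data"
            and r["ts"].hour in OFF_HOURS
            and int(r.get("bytes", "0")) >= LARGE_TRANSFER_BYTES]


def find_floods(records):
    """Clients that sent >= FLOOD_THRESHOLD deauth/auth-fail events inside any
    FLOOD_WINDOW; returns {client: peak count}.  A spoofed source address is
    still a useful key: the point is to notice the burst, not to trust it."""
    recent = defaultdict(deque)
    peaks = {}
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if r.get("event") not in FLOOD_EVENTS:
            continue
        client = r.get("client", "?")
        window = recent[client]
        window.append(r["ts"])
        while r["ts"] - window[0] > FLOOD_WINDOW:   # drop events older than the window
            window.popleft()
        if len(window) >= FLOOD_THRESHOLD:
            peaks[client] = max(peaks.get(client, 0), len(window))
    return peaks


def review(lines):
    """Run both checks over raw log lines, skipping any that do not parse."""
    records = [rec for rec in map(parse_line, lines) if rec]
    return {"off_hours_transfers": find_off_hours_transfers(records),
            "floods": find_floods(records)}


# Constructed sample log: normal daytime traffic, one 700 MB transfer at 02:07,
# a small off-hours transfer and a large daytime one (neither flagged), one
# malformed line, a 25-frame deauth burst from one address, and three
# spread-out failures from another.
SAMPLE_LOG = [
    "2005-06-01T09:15:02 ap=AP-lobby event=data client=00:0c:29:ab:cd:ef bytes=1048576",
    "2005-06-01T02:07:41 ap=AP-lobby event=data client=00:11:22:33:44:55 bytes=734003200",
    "2005-06-01T03:12:10 ap=AP-lab event=data client=00:0c:29:ab:cd:ef bytes=4096",
    "2005-06-01T14:30:00 ap=AP-lab event=data client=00:0c:29:ab:cd:ef bytes=2147483648",
    "2005-06-01T11:00:00 ap=AP-lobby event=deauth client=00:0c:29:ab:cd:ef",
    "this line is garbage and is skipped",
] + [
    f"2005-06-01T12:00:{i * 2:02d} ap=AP-lobby event=deauth client=de:ad:be:ef:00:01"
    for i in range(25)
] + [
    f"2005-06-01T13:{i * 10:02d}:00 ap=AP-lab event=auth-fail client=de:ad:be:ef:00:02"
    for i in range(3)
]

if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    for rec in result["off_hours_transfers"]:
        print(f"off-hours transfer: {rec['ts']} {rec['client']} {rec['bytes']} bytes via {rec['ap']}")
    for client, count in result["floods"].items():
        print(f"flood: {client} sent {count} deauth/auth-fail events within {FLOOD_WINDOW.seconds}s")
```

Both rules are deliberately coarse: the value of reviewing logs is in having a baseline, so thresholds should be set from a week of normal traffic for each site rather than taken from the constants above.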
=Steps in Securing Your Wireless Network=
Since we have established ways one can be hacked, here are some ways to prevent this:
# Change the default SSID name. Hackers know the default factory-set names of the different brands of equipment. Change it to something that can't be easily guessed. Do not change it to a company or person's name, or to the name of any network equipment that you use.
# Disable the SSID broadcast option. SSID broadcast is set to on by default for most equipment. Disabling this option will make it harder for hackers to connect.
# Change the default password needed to access a wireless device. Default passwords are set by the manufacturer and are known by hackers. By changing the password you can prevent hackers from going in and changing your network settings.
# Enable MAC address filtering. This is a feature on some wireless access devices that will only allow access by devices containing certain MAC IDs. This is not a foolproof solution; however, it can slow down a hacker and add another hurdle in his/her way.
# Disable file and print sharing. Disabling this on your laptop can further limit a hacker's ability to steal data or commandeer resources.
# Segment the AP wired portion of your network onto a separate VLAN. This allows you to separate this traffic and may lessen the access that a hacker gets to your LAN.
# Filter routing protocols at the APs. This can eliminate network injection attacks.
# Fit the wireless coverage area to the desired area. The more excessive the broadcasting from the perimeter APs, the greater the risk of attracting hackers. Directional antennas should be used, if possible, at the perimeter, directing their broadcasting inward. Some APs allow attenuation levels to be set via their web-based setup utility.
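To show the checklist as something that can be verified rather than only read, the following Python is an added example, not from the original article: it parses two constructed hostapd configuration files (hostapd is an open-source Linux access point daemon; using it is my assumption, since the article names no particular AP) and checks steps 1, 2 and 4 above together with the WEP and WPA points from the previous section. The hostapd option names are real; the default-SSID list, the passphrase length floor and both configurations are constructed for the example. Step 3 (the device's admin password) and the VLAN and routing-protocol steps are enforced outside hostapd and are not checked here.

```python
# Added example (not from the original article): check a hostapd.conf against
# the checklist above.  hostapd option names are the real ones; the default
# SSID list, the passphrase length floor and both configurations are
# constructed for this example.

# Well-known factory-default SSIDs (constructed, illustrative list).
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "wireless"}
MIN_PASSPHRASE_LEN = 20   # assumed local policy, not a standard requirement

# Default SSID kept, SSID broadcast on, no MAC ACL, WEP with shared-key auth.
WEAK_CONF = """\
interface=wlan0
driver=nl80211
ssid=linksys
hw_mode=g
channel=6
ignore_broadcast_ssid=0
macaddr_acl=0
auth_algs=3
wep_default_key=0
wep_key0=123456789A
"""

# Unique SSID, hidden, allow-list of MACs, WPA2 (RSN) with CCMP and a long PSK.
HARDENED_CONF = """\
interface=wlan0
driver=nl80211
ssid=bldg7-staff-5c2a
hw_mode=g
channel=6
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=correct-horse-battery-staple-7!
rsn_pairwise=CCMP
"""


def parse_hostapd_conf(text: str) -> dict:
    """hostapd.conf is 'key=value' per line; '#' begins a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit(conf: dict) -> list:
    """Return (code, explanation) findings; an empty list means every check passed."""
    findings = []
    if conf.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append(("default-ssid", "step 1: SSID is a well-known factory default"))
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append(("ssid-broadcast", "step 2: SSID is broadcast in beacons"))
    if conf.get("macaddr_acl", "0") == "0":
        findings.append(("no-mac-acl", "step 4: MAC address filtering is off (a weak layer, but a layer)"))
    if any(key.startswith("wep_key") for key in conf):
        findings.append(("wep", "WEP keys configured; WEP is broken"))
    if int(conf.get("auth_algs", "1")) & 2:
        findings.append(("shared-key-auth", "WEP shared-key authentication enabled"))
    wpa = int(conf.get("wpa", "0"))
    if wpa == 0:
        findings.append(("no-wpa", "no WPA/WPA2 configured"))
    elif not wpa & 2:
        findings.append(("no-wpa2", "only WPA (v1) enabled; WPA2/RSN is not"))
    passphrase = conf.get("wpa_passphrase")
    if passphrase is not None and len(passphrase) < MIN_PASSPHRASE_LEN:
        findings.append(("short-psk", f"WPA-PSK passphrase shorter than {MIN_PASSPHRASE_LEN} characters"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit(parse_hostapd_conf(text))
        print(f"{name}: {len(findings)} finding(s)")
        for code, why in findings:
            print(f"  [{code}] {why}")
```

Hiding the SSID and filtering MACs are kept as checks because the list above recommends them, but, as the MAC filtering section already notes, both are layers that an attacker can get around; the WPA2 and passphrase checks are the ones that carry the real weight.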