WiFi Security Checklist


Introduction

It shouldn't be much of a surprise that 802.11b networks have taken off to the degree that they have. The combination of relatively high speed, low price, and ease of installation makes them an "instant hit." There is a dark side to 802.11b, though: in the latter half of 2002 WiFi security has become the conversation topic of choice at corporate IT water fountains and coffee machines. By now, just about everyone has heard of problems with WiFi security. At first it was a theoretical problem detected in a review by a team of UC Berkeley grad students. WiFi device manufacturers and the IEEE (who devised the original 802.11b security protocol, called WEP) downplayed the vulnerability. No one wanted to admit the awful truth: the 802.11b Wired Equivalent Privacy protocol was seriously and fundamentally flawed. By then it was too late; tens of thousands of 802.11b systems had already shipped, and an army of Unix hackers pieced together tools to pierce the anemic security offered by WEP. Meanwhile, the academic community released a stream of additional weaknesses.

The IEEE and device manufacturers have announced updated security protocols that should not suffer from the same vulnerabilities, but consumers and corporate IT staffs will have to wait for devices based on the new standards to be designed, tested, and shipped. Where does this leave the wireless community? We're not out of the woods with respect to security, but it could be worse. WPA (WiFi Protected Access) will be a definite improvement over WEP, but it will be several months before WPA-enabled products are available in the channel. 802.11i is a more distant solution promising improved security over WPA, but it is at least a year away. Most vendors and analysts believe that 802.11i will require new hardware. And both WPA- and 802.11i-based products will come with a WEP backward-compatible mode that would most likely defeat any security improvements if it is used.

This document is intended for users of existing heterogeneous 802.11b networks. It is a concise list of steps you can take to limit the security risk of operating an 802.11b network. This checklist is not all-inclusive, and as always, some features listed here may not be practical (or even possible) with your network hardware. Your mileage may vary, but this list is a good starting point for home and corporate users interested in securing their wireless network.

Check with your vendor about security upgrades.

Some WiFi product vendors have included proprietary enhanced security features. A notable example of this is the Cisco Aironet 340 family which contains a number of security enhancements over WEP. The drawback is that in order to benefit from proprietary security enhancements, one must generally operate a homogeneous wireless network with hardware from only one vendor. For users that have not yet deployed a wireless network, this may be an option worth investigating.

Note that proprietary enhancements that only increase the length of the WEP key are mostly valueless. WEP has been shown to be "unsafe at any length." A 128-bit WEP key is only marginally more secure than a 64- or even 40-bit WEP key. Note that some proprietary enhancements are delivered along with longer keys. It is the unfortunate truth that the marketing departments of some of these vendors mention only the longer key length, or mention it as the primary security enhancement. In cases such as this, simply ignore the WEP key length and evaluate the product based on its other security features.
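The reason key length does not rescue WEP is structural: every frame is encrypted with a keystream derived from a 24-bit IV (sent in the clear) prepended to the secret key, so once any IV value repeats, two frames share a keystream and their ciphertexts XOR to the XOR of their plaintexts. The following added example (written for this edition; not code from the original page or from any vendor) reproduces that property with textbook RC4 for both a 40-bit and a 104-bit key, and gives the birthday estimate for how few frames it takes before a randomly chosen 24-bit IV repeats. The frame contents and keys are constructed; the CRC-32 integrity value WEP appends is left out because it does not affect the point.

```python
import math
import os


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (key scheduling + keystream generation), the cipher WEP wraps."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame-body encryption: keystream = RC4(IV || secret key).

    The 3-byte IV is transmitted in the clear ahead of the ciphertext. The
    secret key is 5 bytes ("64-bit WEP") or 13 bytes ("128-bit WEP"); the
    advertised length counts the 24 IV bits that everyone can read.
    """
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    if len(secret_key) not in (5, 13):
        raise ValueError("WEP secret key is 40 or 104 bits")
    return xor_bytes(plaintext, rc4_keystream(iv + secret_key, len(plaintext)))


def keystream_reuse_leak(secret_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """What a passive listener learns from two frames sent under the same IV:
    c1 XOR c2, which equals p1 XOR p2 regardless of the secret key's length."""
    c1 = wep_encrypt(secret_key, iv, p1)
    c2 = wep_encrypt(secret_key, iv, p2)
    return xor_bytes(c1, c2)


def expected_frames_until_iv_repeat(iv_bits: int = 24) -> int:
    """Birthday estimate: frames sent before some IV value repeats when IVs are
    drawn at random from a space of 2**iv_bits values (about 5,100 for WEP)."""
    return round(math.sqrt(math.pi / 2 * 2 ** iv_bits))


if __name__ == "__main__":
    # Constructed frame contents of equal length.
    p1 = b"GET /secret-plans HTTP/1.0"
    p2 = b"GET /index.html   HTTP/1.0"
    iv = b"\x01\x02\x03"
    for key in (os.urandom(5), os.urandom(13)):
        assert keystream_reuse_leak(key, iv, p1, p2) == xor_bytes(p1, p2)
        print(f"{len(key) * 8}-bit key: IV reuse leaks p1 XOR p2 just the same")
    print("expected frames until an IV repeats:", expected_frames_until_iv_repeat())
```

Even at a busy access point's packet rate this means the same keystream reappears within minutes, which is why the text's advice is to judge a product on features other than key length.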

Change your SSID / Turn off SSID Beacon PDUs

The SSID (Service Set ID) is used to identify a family of wireless clients to a wireless-to-wired gateway. Not surprisingly, most (if not all) wireless devices from the same manufacturer ship with the same default SSID. Knowing the SSID is the first step in "associating" a wireless client with a wireless access point. Since an attacker will have to know your SSID to complete the 802.11b protocol and start accessing your network, it's a good idea to make it difficult for an attacker to scan for or guess your SSID. Replace the default SSID in your wireless network with a difficult-to-guess (preferably random) string. Certain wireless access points can be configured to disable "beacon" broadcasts. In 802.11b terminology, a beacon is a type of packet that contains the SSID of a network. It is used to synchronize the clocks on client devices and to make it easy for new network clients to see what networks are available in multi-network environments. If you have only one WiFi network to deal with, you can probably live without the beacon. If it's easy to turn off beacon broadcasts, do so.

Sophisticated network attackers will be able to intercept all wireless traffic and sort through packets (even encrypted packets) to find your SSID, so you shouldn't think that just because you don't use the default that it's impossible for an adversary to guess it. Also, it should be noted that very sophisticated attackers don't even need the SSID to eavesdrop on wireless network transactions, so protecting your SSID is certainly not the be-all, end-all answer to WiFi security.

Changing your SSID is a very good beginning, however. At the very least, it will minimize the likelihood that your wireless clients will accidentally connect to your neighbor's network.

Turn on MAC Address Access Control Lists

Some wireless access points allow network administrators to limit access to the network to an explicit list of network cards. This is usually done at the "MAC address level." The MAC, or Media Access Control layer, is simply a fancy name for the wireless card. The MAC address is a 48-bit value that is (supposedly) unique for each network card on the planet. When a MAC Address ACL (Access Control List) is used, the access point will refuse to talk to any wireless card whose MAC Address is not on the list. If you frequently have friends or coworkers over who want to use your network, this feature may be more trouble than it's worth. Also, not all access points support MAC ACLs, but if you have one that does and you have a small number of machines that access your network, consider using this feature.

In the end, however, MAC Address ACLs do not provide ultimate security. The MAC Address is broadcast as part of the normal operation of an 802.11b network, so sophisticated attackers can easily snatch a valid MAC address out of the air, and many wireless cards have programmable MAC Addresses. It's therefore pretty easy for an attacker to listen to your network for a short while, pick up a valid MAC Address, then reprogram his wireless network card to use it. However, if two machines try to use the same MAC address at the same time, the network may start acting erratically. So, if your network is acting erratically, it may mean you're under attack. Sophisticated adversaries who have the skill to intercept your MAC addresses will probably know that using a MAC address they've sniffed off your network will clue you in to the fact that they're there, so in general, MAC Address sniffing adversaries will wait until they see the machine whose MAC Address they've sniffed disassociate from the network before trying to use it.

Another reason to use MAC Address ACLs is that it is virtually impossible to "accidentally" steal someone else's MAC Address. If an attacker breaks into your network and you are somehow able to learn who the attacker is, it would be difficult for the attacker to claim that he was doing anything other than trying to break into your network if it can be shown that he (or she) sniffed a MAC Address, waited for it to disassociate from the network, then reprogrammed his/her network card to use the sniffed MAC Address.

Activate WEP

Despite the fact that WEP provides virtually no protection from a determined and reasonably sophisticated adversary, it may protect from casual war drivers. In many cases, network attackers are simply looking for free bandwidth. If there are two networks available to such an adversary: your WEP protected network and a second unprotected network, chances are they won't go to the trouble of cracking your WEP keys just to get free bandwidth.

On the other hand, if your network houses sensitive information (super-secret marketing plans, technical diagrams of next year's hot electronic toy, etc.) you should not trust in WEP alone. Reasonably sophisticated adversaries who know (or just suspect) your network contains valuable resources will not be thwarted by WEP.

Don't use DHCP or use DHCP only with authorized MAC addresses

Once an attacker associates with the network, the next step is to establish an IP address. It is probably best to use fixed IP addresses and not to use DHCP. However, DHCP is becoming indispensable, and many network administrators will refuse to part with its benefits. That's probably okay if it is possible to limit DHCP leases to machines that have associated from an authorized MAC Address.
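The MAC ACL section above describes three things an access point (or a monitor watching its logs) can do: refuse cards that are not on the list, notice when one address is in use twice at once, and be suspicious when an address reappears right after it disassociated; this section adds a fourth, handing out DHCP leases only to authorized, associated cards. The following added example (written for this edition, not code from the original page or from any access point vendor) implements all four rules over a constructed access point event log in the form "<seconds> <event> <MAC>". The ACL entries, the log lines and the 10-second reassociation window are all invented for the example; real access points vary in what they log, so the event names are assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample data: the authorized-card list and an access point event
# log. Every address and timestamp here is invented for this example.
ACL = {"00:40:96:aa:bb:cc", "00:02:2d:11:22:33"}
SAMPLE_LOG = """\
1000 assoc 00:40:96:aa:bb:cc
1001 dhcp_request 00:40:96:aa:bb:cc
1005 assoc 00:0c:41:de:ad:01
1006 dhcp_request 00:0c:41:de:ad:01
1020 assoc 00:40:96:aa:bb:cc
1300 disassoc 00:40:96:aa:bb:cc
1303 assoc 00:40:96:aa:bb:cc
1304 dhcp_request 00:40:96:aa:bb:cc
"""
REASSOC_WINDOW = 10  # seconds; a return faster than this after disassociating earns a note


@dataclass
class Gatekeeper:
    acl: set
    associated: dict = field(default_factory=dict)     # MAC -> time it associated
    last_disassoc: dict = field(default_factory=dict)  # MAC -> time it last disassociated
    alerts: list = field(default_factory=list)         # (time, MAC, message)

    def handle(self, ts: int, event: str, mac: str) -> bool:
        """Apply the rules to one event; return True if it is permitted."""
        mac = mac.lower()
        if event == "assoc":
            if mac not in self.acl:
                self.alerts.append((ts, mac, "association refused: MAC not in ACL"))
                return False
            if mac in self.associated:
                # The tell the text describes: one address in use by two stations.
                self.alerts.append((ts, mac, "second association while already "
                                             "associated: possible MAC address reuse"))
                return False
            gap = ts - self.last_disassoc.get(mac, -REASSOC_WINDOW - 1)
            if gap <= REASSOC_WINDOW:
                # Legitimate roaming does this too, so it is a note, not a refusal.
                self.alerts.append((ts, mac, f"reassociated {gap}s after "
                                             f"disassociation: watch for address reuse"))
            self.associated[mac] = ts
            return True
        if event == "disassoc":
            self.associated.pop(mac, None)
            self.last_disassoc[mac] = ts
            return True
        if event == "dhcp_request":
            # Lease only to cards that are both authorized and currently associated.
            if mac in self.acl and mac in self.associated:
                return True
            self.alerts.append((ts, mac, "DHCP lease refused: MAC not authorized "
                                         "or not associated"))
            return False
        raise ValueError(f"unknown event {event!r}")


def run_log(log: str, acl: set) -> dict:
    """Replay a log through the gatekeeper; returns per-event decisions and alerts."""
    gk = Gatekeeper({m.lower() for m in acl})
    decisions = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, event, mac = line.split()
        decisions.append(gk.handle(int(ts), event, mac))
    return {"decisions": decisions, "alerts": gk.alerts}


if __name__ == "__main__":
    result = run_log(SAMPLE_LOG, ACL)
    for ts, mac, msg in result["alerts"]:
        print(f"{ts} {mac} {msg}")
```

On the sample log the unknown card is refused twice (association and lease), the authorized card's second association at 1020 is refused as a possible duplicate, and the return three seconds after the disassociation at 1300 is permitted but noted; that last one is exactly the pattern the text says a careful adversary would produce, so it is worth a look even though roaming clients do the same thing.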

Use a Static ARP table

ARP (Address Resolution Protocol) is the part of the TCP/IP family of protocols that binds MAC Addresses (48-bit unique IDs) to IP Addresses (the more familiar w.x.y.z addresses). A type of attack called ARP Cache Poisoning can allow an adversary to intercept just about any transmission on the network. Using a static ARP Cache can prevent this attack, but your access point will have to have explicit support for static ARP tables. Using a static ARP Cache with static IP addresses simplifies administration somewhat, so don't be surprised if it is difficult to get DHCP to work on wireless access points that allow for static ARP tables.
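A host with a static ARP table simply ignores unsolicited replies, but the same table also makes a good reference for spotting poisoning attempts on the air: any reply whose sender MAC disagrees with the table, or that claims an address the table never assigned, is out of place, and one card answering for several addresses is the signature of someone relaying traffic between two hosts. The following added example (written for this edition, not code from the original page or from any access point vendor) audits a constructed log of ARP replies against a constructed static table. The addresses, the log format "<seconds> reply <sender IP> <sender MAC> <target IP>", and the two-host segment are all invented for the example.

```python
from collections import defaultdict

# Constructed static ARP table for a small wireless segment (invented addresses).
STATIC_ARP = {
    "192.168.1.1": "00:40:96:00:00:01",   # access point / gateway
    "192.168.1.10": "00:40:96:aa:bb:cc",  # one client
}

# Constructed ARP replies as a monitor might record them:
# "<seconds> reply <sender IP> <sender MAC> <target IP>"
SAMPLE_ARP_LOG = """\
1000 reply 192.168.1.1 00:40:96:00:00:01 192.168.1.10
1001 reply 192.168.1.10 00:40:96:aa:bb:cc 192.168.1.1
1050 reply 192.168.1.1 00:0c:41:de:ad:01 192.168.1.10
1051 reply 192.168.1.10 00:0c:41:de:ad:01 192.168.1.1
1060 reply 192.168.1.20 00:02:2d:11:22:33 192.168.1.1
"""


def parse_arp_line(line: str) -> tuple:
    ts, op, sender_ip, sender_mac, target_ip = line.split()
    return int(ts), op, sender_ip, sender_mac.lower(), target_ip


def check_reply(static_table: dict, sender_ip: str, sender_mac: str) -> str:
    """Compare one reply's claimed IP/MAC binding with the static table.

    Returns "ok", "mismatch" (the table binds that IP to another card) or
    "unknown" (an address the table never assigned, unexpected on a static network).
    """
    expected = static_table.get(sender_ip)
    if expected is None:
        return "unknown"
    return "ok" if expected.lower() == sender_mac else "mismatch"


def audit_arp_log(log: str, static_table: dict) -> dict:
    """Audit every reply in the log; report verdicts, alerts and cards that
    answered for more than one address."""
    verdicts, alerts = [], []
    ips_claimed = defaultdict(set)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, op, sender_ip, sender_mac, _target_ip = parse_arp_line(line)
        if op != "reply":
            continue
        verdict = check_reply(static_table, sender_ip, sender_mac)
        verdicts.append(verdict)
        ips_claimed[sender_mac].add(sender_ip)
        if verdict == "mismatch":
            alerts.append((ts, f"{sender_mac} claims {sender_ip}; static table "
                               f"binds it to {static_table[sender_ip]}"))
        elif verdict == "unknown":
            alerts.append((ts, f"{sender_mac} claims unassigned address {sender_ip}"))
    # One card speaking for both ends of a conversation is how traffic gets relayed.
    multi = {mac: sorted(ips) for mac, ips in ips_claimed.items() if len(ips) > 1}
    return {"verdicts": verdicts, "alerts": alerts, "multi_ip_macs": multi}


if __name__ == "__main__":
    report = audit_arp_log(SAMPLE_ARP_LOG, STATIC_ARP)
    for ts, msg in report["alerts"]:
        print(ts, msg)
    for mac, ips in report["multi_ip_macs"].items():
        print(f"{mac} answered for {', '.join(ips)}")
```

In the sample, the replies at 1050 and 1051 both come from a card the table does not know, and between them it claims both the gateway and the client, which is the two-sided poisoning the text warns about. On a Unix or Windows client the equivalent of a static table entry is pinned with `arp -s <ip> <mac>`; the text's point is that the access point side needs the same support for the protection to be complete.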

Put your Wireless Access Point outside your firewall

One would think that with all the publicized vulnerabilities of 802.11b networks and all the trade press coverage of wardriving and warchalking, no one would put a wireless access point inside a corporate firewall. Well... there are still several people who don't know that this is a no-no, so if you see someone doing this, you should point him or her to this checklist.

The problem with putting your access point on the inside of your firewall is that heterogeneous 802.11b network security mechanisms are insufficient to defend against even moderately sophisticated adversaries. If you put an 802.11b network on the inside of your firewall, it will be simply a matter of time before someone breaks in.

The standard technique is to put wireless access points on the outside of the firewall and use a VPN (Virtual Private Network) to tunnel through the firewall. VPN software provides cryptographic privacy protections and strong authentication to defend against spoofing, replay, and eavesdropping attacks.

Distribute personal firewall software to your wireless clients

Placing your wireless network outside your firewall defends your corporate network, but not your wireless clients. It is still possible that clients on a wireless network can be attacked. If an attack is successful against a legitimate wireless client, a sophisticated adversary could use that legitimate client as the starting point for an attack against the sensitive systems inside your firewall.

It is generally a good idea then to provide "personal firewalls" for wireless client machines. Several products from Network Associates and Symantec can "harden" your typical Windows or Macintosh client. Linux or other Unix clients have a plethora of firewall choices to select from.