Wireless Network Security Study

Introduction
With the advent of cheap and easy-to-use wireless networking products, the growth of wireless network deployment in recent months has been rapid. However, the ease of use, whilst a boon to rapid and painless deployment, is a double-edged sword. Predictably, ease of use sacrifices security for the ability to just "plug in and go".

As a result, many wireless LANs (statistically, the majority) are being set up without even the most basic consideration being given to security.

Built-in security mechanisms
Just about every piece of wireless network kit in the 802.11b world provides a number of security mechanisms to be used to deter the bad guys.

  • First and foremost, WEP (Wired Equivalent Privacy) provides a measure of cryptographic protection to traffic over the air. It comes in two strengths, weak and less weak, with a key exchange mechanism ultimately authenticated by a high-level shared key. Both are currently crackable, more of which later.
  • Most wireless LANs employ Access Points to gateway the wireless world into the wired world within an organisation. These Access Points are capable of deciding whether or not to allow certain wireless network cards to join the wireless LAN, based on the MAC (hardware) address of the card.
  • Every wireless LAN needs a name - it's so that in crowded airspace, clients can find their own network, not the one belonging to the company next door. But... the name's visible to all, whether or not you use WEP. The network name is likely to be the first thing that an attacker looks at to determine whether they want to concentrate further on an observed network.

Problems with built-in security mechanisms
Unfortunately, WEP is broken, and can be cracked to reveal the high-level shared key. However, that requires a large amount of encrypted data to be gathered by an attacker, using some sort of sniffer tool (AirSnort being one example). Depending on your circumstances, that might be hard for them to accomplish (e.g. your security guards might be suspicious of the white van with an antenna on top parked in the car park).

But let's suppose someone can crack your WEP encryption. That's when the second layer of defence - MAC address access control on Access Points - comes into play. Even if your WEP keys are known to an attacker, they should still be prevented from joining your wireless LAN by the access control performed by the AP: their MAC addresses aren't in its list of permitted cards. That's not to say that a valid wireless client can't be knocked off the air, allowing your attackers to then spoof the (now free) valid MAC address. However, the hassle factor has just gone up a bit more for your attackers.

The issue of network names is a curious one, and not one that directly affects your security. However, as previously mentioned, an obfuscated name may deflect someone's interest in a network. Using the vendor default network name may, conversely, attract people to look at your network: in some cases, the fact that the vendor default name is used for the network is a clue that little has been changed on the Access Point since it was unpacked, potentially including standard vendor administration passwords.

Being realistic, then, we need to think about extra mechanisms to deploy, in addition to the built-in mechanisms that you get for free.
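
An added example, not part of the original study: a Python audit of your own access point inventory against the three built-in mechanisms discussed above (WEP, MAC address access control, network name). The CSV layout, AP names, organisation terms and the 40/104-bit WEP key sizes are assumptions for illustration, and the default-name list is only a small sample of commonly documented vendor defaults.

```python
import csv
import io

# Small sample of commonly documented factory-default network names (not exhaustive).
DEFAULT_SSIDS = {"linksys", "default", "netgear", "tsunami", "101"}
# Hypothetical words that would identify the organisation in a network name.
ORG_TERMS = ("acme", "finance")

# Constructed inventory of our own access points (hypothetical export format).
SAMPLE_INVENTORY = """\
ap,ssid,wep_bits,mac_acl
reception,linksys,0,no
lab,x7-north,40,yes
boardroom,AcmeCorp-Finance,104,no
warehouse,k2-east,104,yes
"""

def audit_ap(row):
    """Return baseline findings for one access point record."""
    findings = []
    ssid = row["ssid"].strip().lower()
    bits = int(row["wep_bits"])
    if bits == 0:
        findings.append("WEP disabled: traffic is sent in the clear")
    elif bits < 104:
        findings.append("WEP uses the weaker key strength")
    if row["mac_acl"].strip().lower() != "yes":
        findings.append("no MAC address access control on the AP")
    if ssid in DEFAULT_SSIDS:
        findings.append("vendor default network name: check the admin password too")
    elif any(term in ssid for term in ORG_TERMS):
        findings.append("network name identifies the organisation")
    return findings

def audit_inventory(text):
    """Map each AP name to its list of findings (empty list = baseline met)."""
    return {r["ap"]: audit_ap(r) for r in csv.DictReader(io.StringIO(text))}

if __name__ == "__main__":
    # An empty result only means the built-in mechanisms are switched on;
    # both WEP strengths are crackable, so extra defences are still needed.
    for ap, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{ap}: {'; '.join(findings) if findings else 'baseline met'}")
```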

(C)2002 Secure Systems Integration Ltd. info@secure-si.co.uk