Wireless security: Placing it to work (Part 1)

Last year, a small, worldwide group of security professionals openly entered over 88,000 companies and connected to LANs, often at administrator level.

They were free to copy, amend or delete files, to attack other systems, store illegal images, set up keystroke logging systems or introduce trojans for convenient later access. No one stopped them.
No one challenged strangers wandering at will around private networks. In fact, although access could have been as damaging as described, the entries were by wireless and the aim was not to cause damage but to highlight the issue of unsecured wireless networks.

According to Gartner, wireless hot-spot users will more than triple from an estimated 9.3 million in 2003 to over 30m in 2004. Wireless capability is becoming hugely popular. It is cheap and easy to set up and delivers real business benefits. “In fact, wi-fi is not any less secure than many other technologies, as long as you mange it properly– approach it with caution, treat it with respect and there’s benefit to be gained,” suggests by Martin Grey, UK train operator Great North Eastern Railway’s (GNER) IS architecture manger. As with all security, it is essential to consider wireless in terms of risk and benefit.

Eliminating all vulnerabilities is impossible and the aim must be to identify risks and duly manage them appropriately, balancing cost and inconvenience against the probability of loss and its consequences.

Taking control

“It’s about getting control over the technology”, says Antony Carrier, senior network architect at UK-based TNT Express. “Despite the scare stories around, it’s here, it’s going to stay and you can’t get away from the benefits it brings.” Security management is actually a business issue and not a technology one. Technology is a component, certainly, but by itself it cannot solve wireless or other security problems. Applying technology without proper thought and analysis can often make matters worse.

“What we’re doing is incorporating wireless into the overall security policies and procedures. You can’t treat it as a separate entity, it must be part of one security policy,” says Grey.

Wi-Fi insecurity

Unsecured wi-fi allows anyone to enter a network remotely at the level ordinarily given to someone sitting at a terminal. And if wireless traffic is accessible to a third party then all sorts of other interesting attacks become possible.

An attacker can regularly monitor data, launch jamming attacks to disrupt the network, generally deny service, impersonate users irrespective of SSL, Kerberos or other authentication mechanisms.

He can by pass the perimeter defenses to transfer viruses and other malware, and leisurely infiltrate deeper and deeper into the network. “Wireless equipment is designed to be very easy to deploy”, says Grey, “but straight out of the box it’s inherently insecure. However, there are some simple things to be done which will take only a few minutes but will at least give some protection.”

Protective measures

Wireless Access Points (WAPs) are typically supplied with default Service Set IDs (SSIDs) and set to broadcast. Settings should be changed and new passwords entered. If it is possible to change the IP address from the common default standard this should also be done. In any case, wi-fi networks should be considered untrusted and separated appro-priately from a wired LAN, so putting further barriers in the way of an intruder.

Gavin Griffin, business systems manager at McDonald’s Europe, says: “It’s key for me to have separate subnets for wireless access because I can shut down the whole subnet if necessary without having to close off maybe the whole network service.”

Grey agrees: “Yes, absolutely, we treat wireless local ares networks as untrusted.” Enabling peer-to-peer wireless communication seem s attractive but carries the risk of allowing rogue users in on the back of a legitimate wireless client and so should normally be turned off.

It is also sensible to turn on Media Access Control(MAC) address filtering in the wireless router. However, be aware that as it is still possible to capture wireless packets, legitimate MAC addresses can be read and attackers can spoof their own broadcasts and make their systems appear legitimate. Wired Equivalent Privacy ( WEP), the common encryption standard, is flawed and can be cracked  relatively easily provided enough data can be captured.

Still, it is better than nothing, particularly in deterring opportunistic attackers and can be much improved if the associated encryption key is changed regularly so making the capture of sufficient data more difficult.

WEP comes in 40-, 64- and 128- bit key strengths. Encryption typically fails on account of its implementation or key management and with WEP the protection provided by using 128- bit is less than it might seem and may result in an unacceptable performance hit for relatively little benefit.

Wireless Protected Access ( WPA) is WEP’s interim replacement and one step nearer 802.11i, the greatly enhanced security standard due in the previous year.

WPA, available since April 2003 in various forms, is far better than WEP and also reduces reliance on single-vendor software and consequent possible lock-in. Some devices can be flash-upgraded, some will need to be replaced but it is worth implementing WPA for new networks using the faster 802.11g standard though probably not for existing 802.11b networks. In a mixed WPA/WEP environment, WPA will fall back to WEP levels for compatibility.