Wireless threats come in all shapes and sizes, from someone attaching to your WAP (Wireless access point) without authorization, to grabbing packets out of the air and decoding them via a packet sniffer. Many wireless users have no idea what kinds of danger they face merely by attaching a WAP to their wired network. This section discusses the most common threats faced by adding a wireless component to your network.
The airborne nature of WLAN transmission opens your network to intruders and attacks that can come from any direction. WLAN traffic travels over radio waves that the walls of a building cannot completely constrain. Although employees might enjoy working on their laptops from a grassy spot outside the building, intruders and would-be hackers can potentially access the network from the parking lot or across the street using the Pringles can antenna, as shown in Figure 8-2.
Sniffing to Eavesdrop
Because wireless communication is broadcast over radio waves, eavesdroppers who merely listen to the wireless transmissions can easily pick up unencrypted messages. Unlike wire-based LANs, the wireless LAN user is not restricted to the physical area of a company or to a single access pointthe exception being those annoying areas that are not covered by the access, and it's always the office with a user who wants attention. The range of a wireless LAN can extend far outside the physical boundaries of the office or building, thereby permitting unauthorized users access from a public location like a parking lot or adjacent office suite. An attacker targeting an unprotected WAP needs only to be in the vicinity of the target and no longer requires specialized skills to break into a network. Anytime I do a network assessment for a customer in a shared office building, I almost always find one of two things:
A neighboring business that has an open wireless network
A neighboring user that has joined my customer's wireless network
If you want to examine the traffic going out over an Ethernet connection (wired or wireless), the best tool that comes to mind is the ubiquitous packet sniffer application. Packet sniffers allow the capture of all the packets going out over a single or multiple Ethernet connections for later inspection. These sniffer applications grab the packet, analyze it, and reveal the data payload contained within. The theft of an authorized user's identity poses one the greatest threats, and Figure 8-5 shows a freeware packet sniffer known as Ethereal, which is used on an Apple PowerBook G4 Laptop over a wireless Ethernet network to capture a mail application transmitting a username and password. (Names and passwords have been changed to protect the innocent, of course.)
Figure 8-5 Wireless Sniffer Packet Capture
The intent here is to show you how packet sniffers can be used against known behavior. In this case, when users start their computers, one of the first things they do is check e-mail. Most e-mail servers do not require any sort of encryption and, because the wireless network is not transmitting anything encrypted, the data is sent in clear text. An attacker with a packet sniffer could now steal the user identity and log in to the mail server as the unaware user anytime.
If you have read through packet captures before and are familiar with the information they contain, you should have immediately recoiled in horror at the knowledge that wireless networks are sniffers readily available and several are free. If this is the first time you have seen a packet capture, you might be in for a shock as you find out the wealth of information contained in a packet's data payload. Imagine if you were a domain administrator logging in to the domain and checking your online bank account or other information that could be critically damaging if someone hijacked it.
Denial of Service Attacks
Potential attackers who cannot gain access to your Wireless LAN can nonetheless pose security threats by jamming or flooding your wireless network with static noise that causes wireless signals to collide and produce CRC errors. These denial of service (DoS) attacks effectively shut down or severely slow down the wireless network in a similar way that DoS attacks affect wired networks. This vulnerability is apparent, and being on a wired network does not reduce your vulnerability to viruses, attacks, or in any other way increase security; in fact, it will quite likely get worse.
Restaurants, hotels, business centers, apartment complexes, and individuals often provide wireless access with little or no protection. In these situations, it is possible to access other computers connected to a wireless LAN, thereby creating the potential for unauthorized information disclosure, resource hijacking, and the introduction of backdoors to those systems. When users take corporate laptops home and use them on wireless networks, the vulnerabilities to your network increase. I have been on network assessments reviewing wireless usage and found that many a CEO, CFO, or CTO has the IT staff set up a wireless device at home for them with the same characteristics they have at work (SSID, and so on). This makes it easy for them to work at home with no trouble; however, the corporate network is extremely vulnerable because an attacker can go after a corporate employee's home network and compromise his machine. When the employee goes to work, so does the attacker now he is inside your corporate network. Common sense is needed herand a commitment by everyone in the management team to secure the network. This means not mixing corporate and home security.
Perhaps a bit more common is when other wireless devices unintentionally cause a denial of service to your wireless data networkfor example, that new cordless phone running on 2.4 Ghz, or placement of access points near devices that generate interference and affect their operation, such as microwaves. Not all reduction in wireless connectivity is related to attackers, so remember that wireless networks are based on radio signals, and many things (walls, weather, and wickedness) can affect them.
Rogue/Unauthorized Access Points
WAPs can be easily deployed by anyone with access to a network connection, anywhere within a corporation or business. In fact, most wireless deployments are in the home so people with laptops can use them in any room in the house. The ease with which wireless technologies can be deployed should be a concern to all network administrators.
Because a simple WLAN can easily be installed by attaching a WAP (often for less than $100) to a wired network and a $50 WLAN card to a laptop, employees are deploying unauthorized WLANs while IT departments are slow to adopt the new technology. Unauthorized WAPS are known more commonly as Rogue APs.
An executive of a large technology conglomerate was recently quoted as saying something like, "the hardest network to secure against wireless threats was one that had no wireless access at all" (or something very similar). What this executive meant was that, just because a company did not buy and install any wireless gear on their network did not mean that there wasn't any.
The concept behind wireless technology is to give people the freedom to roam around and still be connected to their network resources. The lure of this freedom is just too tempting to some folks in corporate America, so they go out and buy wireless gear on their own and hook it up to the office network. Now, you begin to see the problem.
In August 2001, Gartner Group reported that "at least 20 percent of enterprises already have rogue WLANs attached to their corporate networks" from authorized network users. Thus, risk-adverse organizations that consciously decide to delay WLAN deployment because of the security risks need to monitor their airspace to ensure that rogue WLANs do not inadvertently open a door for intruders. Stepping into the roll of the extremely paranoid, an attacker could be part of the cleaning crew in the evening and place a rogue access point into your network very easily.
If you can imagine how difficult it is to prevent people from bringing software from home and installing it on their work machines, it is ten times more difficult to prevent power users from "self adopting" wireless gear into the office LAN.
You might ask, "What is the harm in doing this?" The harm is that by installing an unauthorized access point, you have now extended an invitation to every hacker within a 500-foot radius to prowl your company's network, files, Internet access, printers, and any other devices currently connected to the private network.
Your network administrators take great pains to protect the corporate network from attackers and other "evildoers," and now there is a completely unprotected conduit into the company's holiest of holies: your internal corporate network.
A well-documented company has several security policies in place that govern every type of behavior when a user connects to the network. Rogue access points subvert these policies and open the doors to all varieties of bad things happening to the network.
To be perfectly fair to the employees who might commit this ultimate sin, it is important that the following information be made abundantly clear:
Only authorized IT staff is to connect networking equipment.
All devices that connect to the network, especially wireless access points, must conform to established security policies.
Any devices that have been installed by anyone other than approved IT staff will become either the property of the company or will be rendered inert (that is, smashed into a million pieces).
Hackers install rogue access points on a company network with the intention of stealing secrets and damaging data; this means no holiday bonuses because this kind of damage can cause a company to go out of business.
Finding rogue access points has become a little easier than in the past through the use of freely available software; the section entitled, "NetStumbler" delves into this. This same piece of software that made life easier for hackers has now become the favored tool of network security specialists for dealing with unauthorized wireless access points.
Attackers' Rogue AP Deployment Guidelines
I was going to call these "the rules for attackers to deploy rogue access points," but applying rules to those with criminal intent seemed an oxymoron. Attackers have developed some best practices that they have shared in their community and, by now, all honest network engineers are going to make WarDriving a frequent occurrence to protect your network. Following is a brief list of what you can do to prevent attackers from "casing the joint":
Know what you are trying to gain before placing the access point.
Plan for the use of the access point; this means place so that if you have your laptop out and "working," you do not look suspicious.
Place the access point as discretely as possible while maximizing your ability to connect to it.
Disable SSID Broadcasting, thus requiring the target's IT staff to have a wireless sniffer to detect it.
Disable all network management features of the access point, such as SNMP, HTTP, Telnet.
If possible, protect the access point's MAC address from appearing in ARP tables.
The obvious disclaimer here is that these actions are not something you should ever do withoutand I really stress thiswritten permission. Many companies view even the accidental connection to their wireless network as an attack, so it is likely that you are going to be viewed as guilty until you prove your innocence.
It is also important to note that devices designed to jam radio signals have been around since before wireless ever became a standard. Because wireless is a radio frequency, it can be easily jammed.
Incorrectly Configured Access Points
Incorrectly configured access points are an avoidable but significant hole in WLAN security. Many access points are initially configured to openly broadcast SSIDs to authorized users. Many honest network administrators have incorrectly used SSIDs as passwords to verify authorized users. However, because the SSID is being broadcasted, this a large configuration error that allows intruders to easily steal an SSID and have the AP assume they are allowed to connect.
SSIDs act as crude passwords and are often used to recognize authorized wireless devices; thus, SSIDs should follow your corporate password policy and be treated as passwords. If you do not have a password policy, refer to Chapter 2, "Security Policies and Responses," and ensure the SSID cannot identify your company or business.
Authorized users can also threaten the integrity of the network with abuses that drain connection speeds, consume bandwidth, and hinder a WLAN's overall performance. A few users who clog the network by trading MP3 files can affect the productivity of everyone on the wireless network. This ultimately leads to users who are trying to be productive complaining that the network is slow or that they keep losing connection. Based on experience, these types of issues are extremely difficult to identify and narrow down, especially if businesses decided to save money by using APs designed for home use rather than those designed for corporate use. Home-use APs do not come with the tools needed to help you.
Careless and deceitful actions by both loyal and disgruntled employees also present security risks and performance issues to wireless networks with unauthorized access points, improper security measures, and network abuses. Again, this recognizes the fact that the majority of security breeches and incidents come from inside, trusted individuals.