With Wi-Fi networking continuing to grow, it is likely that a typical user will have access to numerous different wireless networks from his or her laptop. Often, a laptop user at his or her house or office location can find five or more Wi-Fi networks in range. With great availability and easy access, wireless networking reintroduces old security issues while introducing new security challenges. The security challenges for a Wi-Fi network can be broken down into the following categories:
- Outside Environment: The Wi-Fi networks that are not provided by a user or organization. For example, the Wi-Fi network of a person living in the apartment across the street that is reachable from anywhere inside the same building.
- Internal Environment: The security controls that are placed on one’s own wireless network and Wi-Fi users.
- Security Policy Issues: What is the policy on people setting up their own Wi-Fi networks? If it is not allowed, how is that enforced?
Wireless technology is convenient and insidious at the same time. It allows for Internet on demand at any location, but it can also be an invisible conduit that allows traffic to bypass all of your physical security devices—such as firewalls or routers—and even the walls of your building! Unless you are using a Faraday cage, controlling wireless signals is difficult. Since people tend to work together—in open floor plans—physical deterrents aren’t feasible. Understanding the physics behind WLANs will help you identify threats and minimize risks with tools available on the market today.
WLANs allow any client (e.g., a laptop equipped with a wireless card) to make a connection to any access point (AP) within range. That connection is a “conversation,” and it refers to the relationship between any access point and a client.
Each and every client equipped with a wireless card that is not connected to a wireless network is continuously sending out “probe request” packets. The packets are asking, “Is there an access point to be connected to?” Each of these probe packets also contains SSID information (network names) as well as the frequency, or channel, on which the client is seeking.
At the same time, access points are transmitting “beacons” to advertise their availability—and usually their network names. When a probe request from a client comes within the transmission perimeter of an access point, the access point offers a probe response, which accepts or rejects the request. If the request is rejected, no offer to associate is made, and therefore no “conversation” can take place. If accepted, the client is offered an “association request” to attach to the access point, which is identified by its network name. The first time a client and access point “meet,” the user is asked to accept or reject this association request.
That said, once an association request is accepted, that network name is automatically added to the client’s profile list as a previously approved network. In the future, when the client is looking for an access point, it will be shouting out this list to any listening access points. If ANY access point network name matches one in the client profile, the client will accept the association request—without the user’s knowledge.
A Name: What Does It Truly Mean?
The obstacle to maintaining a list of pre-approved names is that network names tend to be fairly generic, or worse, the default names given by manufacturers. Once your client has attached to an access point named Linksys or Default, it will be looking to join any wireless network named Linksys or Default. This is an important concept. As administrators, we put security on our access points to keep unauthorized clients off our networks. But the converse does not hold: nothing equivalent keeps our clients off unauthorized access points. If the client’s wireless card is active, the card is seeking connections—with or without the knowledge of the client’s user or the access point administrator.
The bad guys already know this. So hackers will attempt to create hotspots within your perimeter with one of these popular default names. (Open-source tools such as Karma make this easy to do.) Further, since monitoring a wireless conversation makes it easy to obtain all of the necessary, pertinent information, such as logical network name, SSID, and MAC address, it is easy for a hacker to set up a rogue access point “spoofing” a legitimate access point.
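Two of the signals described above can be checked from a passive monitor’s frame log: beacons that advertise one of your own network names from a radio that is not on your approved list (a spoofed access point), and clients that keep probing for factory-default names such as Linksys or Default (and would therefore auto-join a hotspot using that name). The following Python is an added example, not code from the article; the frame summaries, MAC addresses, SSIDs and the approved list are all constructed placeholders.

```python
"""Flag spoofed access points and clients probing for default network names.

Input is a list of simplified 802.11 management-frame summaries, the kind a
wireless monitor would log. All sample data below is constructed for
illustration; the MAC addresses and SSIDs are placeholders, not real devices.
"""
from collections import defaultdict

# Constructed: approved infrastructure, SSID -> set of legitimate BSSIDs.
APPROVED_APS = {
    "CorpNet": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"},
}

# Constructed: factory-default network names worth flagging (compared lower-case).
DEFAULT_NAMES = {"linksys", "default", "netgear"}

# Constructed frame summaries.
FRAMES = [
    {"type": "beacon", "bssid": "00:11:22:aa:bb:01", "ssid": "CorpNet"},
    {"type": "beacon", "bssid": "de:ad:be:ef:00:01", "ssid": "CorpNet"},  # same name, unknown radio
    {"type": "beacon", "bssid": "de:ad:be:ef:00:02", "ssid": "linksys"},
    {"type": "probe_req", "src": "aa:aa:aa:00:00:01", "ssid": "CorpNet"},
    {"type": "probe_req", "src": "aa:aa:aa:00:00:01", "ssid": "Linksys"},
    {"type": "probe_req", "src": "aa:aa:aa:00:00:02", "ssid": "default"},
    {"type": "probe_req", "src": "aa:aa:aa:00:00:02", "ssid": "NETGEAR"},
    {"type": "probe_req", "src": "aa:aa:aa:00:00:03", "ssid": ""},  # broadcast probe, no name
]


def spoofed_aps(frames, approved=APPROVED_APS):
    """Return (ssid, bssid) for beacons that carry an approved SSID but come
    from a BSSID that is not on the approved list for that SSID."""
    hits = []
    for f in frames:
        if f["type"] != "beacon":
            continue
        legit = approved.get(f["ssid"])
        if legit is not None and f["bssid"] not in legit:
            hits.append((f["ssid"], f["bssid"]))
    return hits


def clients_probing_default_names(frames, default_names=DEFAULT_NAMES):
    """Map each client MAC to the sorted list of default-style names it is
    actively probing for. Broadcast probes (empty SSID) are ignored."""
    probing = defaultdict(set)
    for f in frames:
        if f["type"] != "probe_req":
            continue
        name = f["ssid"].strip().lower()
        if name in default_names:
            probing[f["src"]].add(name)
    return {mac: sorted(names) for mac, names in probing.items()}


if __name__ == "__main__":
    for ssid, bssid in spoofed_aps(FRAMES):
        print(f"ALERT spoofed SSID {ssid!r} advertised by unapproved BSSID {bssid}")
    for mac, names in clients_probing_default_names(FRAMES).items():
        print(f"WARN client {mac} probes for default names: {', '.join(names)}")
```

Both checks are deliberately simple allow-list comparisons: the first catches the “spoofing a legitimate access point” case as soon as a second radio beacons your SSID, and the second gives you the list of client machines whose saved profiles need cleaning up before someone else’s Linksys does it for you.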
Risk Table
Type I Risks
Radio frequencies do not care about your company’s physical boundaries. Your signal may be transmitting into the parking lot, so a person in a car can actually attach to your network and, through the use of sniffers, can listen to conversations. The risks are nearly eliminated through the use of encryption such as WEP, LEAP, WPA, or VPNs.
Type II Risks
Contractors and employees may connect their own wireless base stations to your corporate network. This creates two bad scenarios. The first allows traffic to bypass your firewall and proxy servers—meaning information can be leaving your company without your knowledge.
The second scenario is that this base station will be leaking beyond your perimeter. Again, picture the person sitting in the car with the sniffer. This time, he or she may be capturing the passwords of employees who have deliberately or inadvertently connected to the wrong network while trying to access sensitive servers or POP mail.
The only way to thwart these two scenarios is by physically finding the devices. It has been suggested that if we know that a card transmits at 100 mW and we are receiving a signal at 10 mW, we should be able to calculate its approximate position. This method, however, is extremely imprecise because signals are absorbed and reflected in all directions (a full 360° around the source).
Actually, the only consistent means is to walk along the gradient, searching on all three bands (A, B, and G) and all possible channels in the A band as well as in the B/G band, recording signal strength. One tool, AP Finder, reports a signal strength of 100% when you are within three feet of the device.
Type III Risks
Since signals can leak out of your building, signals can leak in. This situation is particularly troubling because it is not feasible to find a hotspot that your employees (and consultants) may be deliberately or inadvertently attaching to—if it is in the building across the street.
It’s vital to understand that not all employees who may be attached to hotspots are doing so deliberately. Said differently, it is very possible for employees to attach themselves to unauthorized networks inadvertently. It stems from the fact that many people don’t change the generic names of their base stations preset from factories. If a client has connected once to an access point with a name like Linksys, Default, Netgear, et al., in the future, it will probe for access points with those names.
As mentioned earlier, it is now easy for hackers to simulate the access point of just about any wireless network. Firewalls and encryption offer little help in this situation. Organizations must use the necessary tools to identify rogue access points transmitting in their airspace—and block conversations between clients and access points. Organizations must categorize conversations between clients and access points based on the signal strength of each participant, because signal strength is a clear indicator of proximity and therefore of likely behavior.
The Answer: Managing Wireless Conversations
Wireless connections made between participants are conversations—which typically include clients and (usually) access points. Organizations should actively observe and monitor these conversations—and can identify the participants using their MAC addresses. By monitoring these conversations, organizations can properly categorize the types of conversations and take further action if necessary. Additionally, as rogue access points and intruding clients are identified, administrators can add these unauthorized devices to blocked lists. Managing wireless networks on a conversation basis allows us to improve both the usefulness and the security of our wireless infrastructures.
Conversation categorization can be based on a simple process that looks at the power levels of both the client and the access point. Any conversation that is not explicitly allowed automatically falls into one of the four categories below. Everything in these four categories refers to an entity that was not explicitly allowed; entries on an allowed list are never categorized as one of these possible threats:
Categorizations
- Rogue: Unapproved access point in your building is being accessed by clients within your perimeter.
- Hotspot: Client in your building is accessing an access point believed to be outside your building.
- Outsider: Unapproved access point is most likely inside your building and being accessed by someone outside.
- Suspicious: Unapproved client and/or access point are most likely outside your building.
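The four categories are a function of two facts about a conversation: whether each participant is on an allowed list, and whether each participant’s signal strength puts it inside or outside the building. The following Python is an added example (not the article’s or CyanLine’s code) that implements that decision table. It assumes a single in-building sensor reporting RSSI in dBm, a site-specific “inside” threshold, allowed lists for both access points and clients, and one extra label of my own (an unlisted client talking to an approved access point), which the article leaves to the allowed list rather than to the four categories. All MAC addresses and readings are constructed.

```python
"""Categorize wireless conversations (client <-> access point) by participant
signal strength into the article's four categories: rogue, hotspot, outsider,
suspicious. Threshold, allowed lists and sample data are assumptions made for
this example.
"""
from dataclasses import dataclass

# Assumption: a participant heard at or above this RSSI (dBm) by the in-building
# sensor is treated as inside the perimeter. Calibrate per site with a walk-through.
INSIDE_RSSI_DBM = -65

# Constructed allowed lists (placeholder MAC addresses).
ALLOWED_APS = {"00:11:22:aa:bb:01"}
ALLOWED_CLIENTS = {"aa:aa:aa:00:00:01"}


@dataclass(frozen=True)
class Conversation:
    client: str        # client MAC address
    ap: str            # access point BSSID
    client_rssi: int   # dBm as heard by the sensor
    ap_rssi: int       # dBm as heard by the sensor


def is_inside(rssi_dbm):
    """Inside/outside inference from signal strength alone (assumption)."""
    return rssi_dbm >= INSIDE_RSSI_DBM


def categorize(conv, allowed_aps=ALLOWED_APS, allowed_clients=ALLOWED_CLIENTS):
    """Return 'allowed' or one of the four categories for a conversation."""
    ap_ok = conv.ap in allowed_aps
    client_ok = conv.client in allowed_clients
    if ap_ok and client_ok:
        return "allowed"
    if ap_ok:
        # Assumption of this example: an unlisted client on an approved AP is
        # reported under its own label instead of being forced into a category.
        return "unlisted-client"
    ap_in, client_in = is_inside(conv.ap_rssi), is_inside(conv.client_rssi)
    if ap_in and client_in:
        return "rogue"        # unapproved AP inside, used by a client inside
    if client_in and not ap_in:
        return "hotspot"      # client inside talking to an AP outside
    if ap_in and not client_in:
        return "outsider"     # unapproved AP inside, used from outside
    return "suspicious"       # both participants most likely outside


def triage(convs):
    """Group conversations by category, dropping allowed ones."""
    out = {}
    for c in convs:
        cat = categorize(c)
        if cat != "allowed":
            out.setdefault(cat, []).append(c)
    return out


# Constructed sample observations, one per outcome.
SAMPLE = [
    Conversation("aa:aa:aa:00:00:01", "00:11:22:aa:bb:01", -50, -45),  # allowed
    Conversation("aa:aa:aa:00:00:09", "de:ad:be:ef:00:01", -48, -52),  # rogue
    Conversation("aa:aa:aa:00:00:10", "de:ad:be:ef:00:02", -55, -80),  # hotspot
    Conversation("aa:aa:aa:00:00:11", "de:ad:be:ef:00:03", -85, -50),  # outsider
    Conversation("aa:aa:aa:00:00:12", "de:ad:be:ef:00:04", -88, -82),  # suspicious
    Conversation("aa:aa:aa:00:00:13", "00:11:22:aa:bb:01", -47, -45),  # unlisted-client
]

if __name__ == "__main__":
    for cat, convs in sorted(triage(SAMPLE).items()):
        for c in convs:
            print(f"{cat:16} client={c.client} ap={c.ap}")
```

The single threshold is the weak point, for exactly the reason the article gives about absorption and reflection; in practice the “inside” decision is better made from a short survey per sensor, and the rogue and outsider buckets (an unapproved radio inside your walls) are the ones that justify physically walking the gradient to find the device.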
About the Author
Steven Branigan is president of CyanLine. A former New Jersey police officer, Steven brings more than 16 years of network security and computer forensics experience to CyanLine, managing large-scale security projects involving the forensic detection and delivery of digital information. Honored by the United States Secret Service and the New Jersey State Police for his work, Mr. Branigan testified before the 107th U.S. Congress on the state of cyber security. A respected industry author, Mr. Branigan published High-Tech Crimes Revealed in 2005, in addition to numerous other writings and presentations.