Networks Without A Safety NetNetworks Without A Safety Net
Wireless LANs present security challenges for businesses.
June 21, 2002
It was a typical windy Midwestern spring day when a security analyst at a major food-processing plant discovered that, despite the millions of dollars the company had spent on IT security, its network had some serious security gaps. The previous evening, he'd read an amusing story on a security-related Internet newsgroup about how a wireless-ready notebook, armed with an empty can of Pringles chips, can be used to help detect wireless LAN connections. On a lark, he rigged a wireless notebook with a Pringles can of his own and took a stroll down a hallway at headquarters. The revelation was alarming: Despite a company policy against wireless connections, several had crept onto the network. The rigged contraption led the security analyst to the office of the company's director of marketing. He knocked on the office door. "How much have they cut the IT budget?" the marketing director quipped, looking at the red can dangling from the notebook.
"Very funny. You have a wireless connection here?" Silence. Then, "Yeah." Sure enough, between the director's desk and a filing cabinet was a wireless access point. Not only was it not approved by the IT department, it was a major security risk. The system included a notebook outfitted with a wireless card and an unencrypted connection to the network--a connection anyone with a wireless notebook and some free, easy-to-find hacker software could snoop just by sitting in the parking lot a few hundreds yards away. Rogue wireless LANs without ample security are a common problem at many companies. "This is happening all over the world,'' says Pete Lindstrom, director of security strategies for Hurwitz Group. "Wireless LANs are growing organically. And employees who know there's a corporate policy against wireless LANs would rather take their chances begging for forgiveness than being told no when asking for one." The Pringles-toting security analyst, who asked that neither he nor his company be identified, managed within a few weeks to eliminate all the wireless LAN connections to the network. "We don't want to stop wireless LANs, but we're looking at various ways we can make the technology secure," he says. It doesn't cost much for an employee to add a rogue wireless LAN access point. But the fallout from an unprotected wireless LAN can be serious. "A tiny amount of money and a little initiative can jeopardize everything companies spend on firewalls, access control, and other security software," says Dave Brady, director of network services at ADC Telecommunications Inc., a Minneapolis provider of telecom equipment. So far, Brady says, he hasn't found any unauthorized wireless LAN connections on ADC's network. The threats to unprotected wireless connections are similar to threats that wired networks began facing a few years ago. Hackers use "war dialing" to find vulnerable systems by calling blocks of numbers until they find a modem ready to answer at the other end. If the hacker is really lucky, the answering modem will be attached to a networked computer configured to automatically answer calls, so, for example, the employee who uses that computer can retrieve files from home over the weekend. Once on that system, a hacker can access everything available to that employee, and, given a little time, maybe much more. War-dialing threats continue, and have morphed into what's known as "war driving" on wireless LANs. Armed with a notebook computer, a couple of hundred bucks worth of wireless gear, and some free applications downloaded from the Internet, attackers can drive past almost any large office complex and locate multiple wireless connections. Many war drivers do little more than grab a free wireless Internet connection and surf the Net. Commonly available software that helps hackers decode wireless LANs running encryption include AirSnort and WEPCrack; programs such as NetStumbler help attackers stake out business networks for later attacks. It's next to impossible to eliminate wayward hackers who are constantly searching for new ways to attack. But wireless LANs are especially inviting because, to date, the built-in security available to them is substandard. For instance, the default configuration in most wireless LAN networking equipment has Wired Equivalent Privacy encryption turned off. WEP is a wireless security protocol managed by the Institute of Electrical and Electronics Engineers 802.11 Working Group, which is developing new encryption standards, known as WEP2, for 802.11i wireless networks. If current implementations of WEP wireless networks aren't activated, data, including passwords, is sent as unencrypted, in-the-clear text. Even if WEP is activated, hackers can obtain the encryption keys the protocol uses to scramble and unscramble data by capturing the data flows on a wireless LAN--a process that can take as little as 15 minutes. Other security features built into wireless LANs include nothing more than the most rudimentary access-control and user-authentication mechanisms that attackers can easily trick into thinking they're legitimate users. Because of WEP's poor security, a wireless network without additional security mechanisms leaves the door open for a hacker to do all the nefarious things known to plague wired LANs and Internet servers: exploit software and operating-system vulnerabilities, plant a back door or other eavesdropping software into the network, or deface Web pages. Bob Moskowitz, senior technical director at security services provider TruSecure Corp. and a member of the IEEE 802.11i Working Group, says security ambiguities around wireless LANs "have certainly slowed adoption in corporations." The IEEE 802.11i Working Group is trying to improve WEP's security, particularly in how it handles key generation for coding data that's in transit. In addition, the group is considering other improvements designed to protect wireless networks against common attack methods, including Initialization Vector collision and replay attacks and forged packets, Moskowitz says. The current encryption in WEP, RC4, may be replaced by Advanced Encryption Standard, which should provide better encryption, Moskowitz says. In recent weeks, some much-needed security tools designed to help administrators protect wireless LANs have hit the market. In early June, AirDefense Inc. launched its AirDefense WLAN security appliance that watches for rogue access points and also provides intrusion detection. AirDefense CEO Jay Chaudhry says the new security appliance can sniff out wireless hackers by using signatures--which spot known ways wireless weaknesses are exploited--and can spot software such as AirSnort that hackers use to break into wireless systems. It also helps IT managers locate rogue access points by checking any device it finds against a list of authorized devices. ADC's Brady says AirDefense combines the properties of a sniffer and an intrusion-detection system in an easy-to-install appliance. But because AirDefense requires that numerous wireless monitors be deployed throughout a company's campus to detect rogue access points, the security system can get expensive. "You need these devices spread far and wide, and that has cost concerns, especially if you have dozens of remote locations," Brady says. Earlier this year, Funk Software Inc. and Network Instruments LLC each launched wireless LAN security gear. Network Instruments' Observer network protocol-analysis product supports wireless networks, so customers can spot rogue users and access points. The Observer product can report wireless systems that aren't using WEP properly, the company says. Funk's new Odyssey software is based on the Internet Engineering Task Force standard for granting authentication and authorization privileges for remote users, VP Joseph Ryan says. Odyssey supports two security mechanisms: EAP-TLS, which is the protocol within Windows XP that requires users to provide a certificate when accessing the network, and EAP-TTLS, which authenticates users' identities via passwords and user names. "Wireless security can't be so difficult that it creates another wireless-management mess," says Michael Franklin, network manager for Colby Sawyer College in New London, N.H. Franklin is testing Odyssey on the campus wireless LAN, which consists of five access points. Managed-security services provider Netsec Inc. says it's testing what it calls a Wireless Intrusion Detection service. By fall, Netsec says it will be able to continuously monitor its customers' wireless networks for rogue and unauthorized wireless connection attempts. Check Point Software Technologies Inc. last week unveiled an Open Platform for Security initiative. The company says the program will let Check Point-tested and-certified wireless devices interoperate with its popular VPN-1/Firewall-1 security software. Vendors planning to participate include HP, Intel, IBM, Microsoft, Nokia, and wireless gear maker Proxim. In addition to using add-on products that can bolster wireless LAN security, many experts say IT departments need to develop and enforce well-thought-out security procedures that apply to both wired and wireless environments. "Get back to the basics and think," advises Richard Forno, author of Incident Response (O'Reilly, 2001). "Where do you want wireless? What's your value weighed against the potential risks? Do you really need wireless? If so, then you need to be sure to plan, deploy, and administer it in a secure fashion." Businesses shouldn't use omnidirectional wireless transmitters, which send signals in all directions, Forno says. User-and system-level authentication, implemented within both the server and network architectures, are must-haves. "The problem isn't drive-by hackings," Forno says. "The problem is one we create ourselves by rushing to deploy (and subsequently administer) things in a haphazard manner." It may also be a problem of awareness. David Johnson, IT director for Kyanite Mining Corp. in Dillwyn, Va., says the kyanite and mullite manufacturing company is considering deploying wireless LANs. Johnson says he's comfortable that Kyanite could find a secure way to deploy such systems, adding, "We'll cross that bridge when we come to it, in good time."
About the Author(s)
You May Also Like