Seven Security Problems of 802.11 Wireless

by Matthew Gast, author of 802.11 Wireless Networks: The Definitive Guide
05/24/2002

Before you uncrate one piece of network equipment for a mass deployment, you need to have the right design in place. Good network design is often the difference between a successful rollout and a torrent of user complaints.

Many organizations are now considering deployment of wireless LANs and are working on the basic network designs before going to pilot projects. As always, network security is a concern. The problems with security on 802.11 networks have been widely reported elsewhere. Network architects are now faced with the challenge of designing secure networks in light of the known problems. This article will discuss seven of the most pressing wireless LAN security problems and potential designs that can mitigate the risk associated with each of them.

Problem #1: Easy Access

Wireless LANs are easy to find. Strictly speaking, this is not a security threat. All wireless networks need to announce their existence so potential clients can link up and use the services provided by the network. 802.11 requires that networks periodically announce their existence to the world with special frames called Beacons.

However, the information needed to join a network is also the information needed to launch an attack on a network. Beacon frames are not processed by any privacy functions, which means that your 802.11 network and its parameters are available to anybody with an 802.11 card. "War drivers" have used high-gain antennas and software to log the appearance of Beacon frames and associate them with a geographic location using GPS.

Short of moving into heavily-shielded office space that does not allow RF signals to escape, there is no solution for this problem. The best you can do is to mitigate the risk by using strong access control and encryption solutions to prevent a wireless network from being used as an easy entry point into the network. Deploy access points outside firewalls, and protect sensitive traffic with VPNs.
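To make concrete what a Beacon announces without any privacy processing, the following added example (not code from the original article) parses one Beacon frame and returns the parameters any listener can read. The sample frame, its addresses and the SSID "corp-wlan" are constructed for illustration, and the frame is assumed to start at the 802.11 MAC header with no capture header or FCS.

```python
import struct

# Constructed sample: one Beacon frame for a made-up network "corp-wlan"
# on channel 6, advertising that WEP is not in use (Privacy bit clear).
SAMPLE_BEACON = bytes.fromhex(
    "8000" "0000"                # frame control (mgmt, subtype 8), duration
    "ffffffffffff"               # destination: broadcast
    "020000aabb01"               # source address (constructed)
    "020000aabb01"               # BSSID (constructed)
    "1000"                       # sequence control
    "0000000000000000"           # timestamp
    "6400"                       # beacon interval: 100 time units
    "0100"                       # capability: ESS set, Privacy clear
    "0009" "636f72702d776c616e"  # element 0: SSID "corp-wlan"
    "0104" "82848b96"            # element 1: rates 1, 2, 5.5, 11 Mbps
    "0301" "06"                  # element 3: DS parameter set, channel 6
)

def parse_beacon(frame: bytes) -> dict:
    """Return the network parameters a Beacon carries unencrypted."""
    if len(frame) < 36:  # 24-byte MAC header + 12 bytes of fixed fields
        raise ValueError("too short for a Beacon")
    fc = frame[0]
    if (fc >> 2) & 0x3 != 0 or fc >> 4 != 8:  # type 0 = mgmt, subtype 8
        raise ValueError("not a Beacon frame")
    interval, capability = struct.unpack_from("<HH", frame, 32)
    info = {"bssid": ":".join(f"{b:02x}" for b in frame[16:22]),
            "beacon_interval_tu": interval,
            "privacy": bool(capability & 0x0010),  # set when WEP is required
            "ssid": None, "channel": None, "rates_mbps": []}
    pos = 36
    while pos + 2 <= len(frame):  # walk the tagged information elements
        elem_id, length = frame[pos], frame[pos + 1]
        data = frame[pos + 2 : pos + 2 + length]
        if len(data) < length:
            break  # truncated element: stop rather than misread the tail
        if elem_id == 0:
            info["ssid"] = data.decode("utf-8", "replace")
        elif elem_id == 1:  # units of 500 kbps; top bit marks a basic rate
            info["rates_mbps"] = [(b & 0x7F) / 2 for b in data]
        elif elem_id == 3 and length == 1:
            info["channel"] = data[0]
        pos += 2 + length
    return info

if __name__ == "__main__":
    print(parse_beacon(SAMPLE_BEACON))
```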

Problem #2: "Rogue" Access Points

Easy access to wireless LANs is coupled with easy deployment. When combined, these two characteristics can cause headaches for network administrators. Any user can run to a nearby computer store, purchase an access point, and connect it to the corporate network without authorization. Many access points are now priced well within the signing authority of even the most junior managers. Departments may also be able to roll out their own wireless LANs without authorization from the powers that be.

"Rogue" access points deployed by end users pose great security risks. End users are not security experts, and may not be aware of the risks posed by wireless LANs. Most existing small deployments mapped by war drivers do not enable the security features on products, and many access points have had only minimal changes made to the default settings. It is hard to believe that end users within a large corporation will do much better.

Unfortunately, no good solution exists to this concern. Tools like NetStumbler allow network administrators to wander their building looking for unauthorized access points, but devoting staff time to repeated walk-throughs is expensive.

Monitoring tools will also pick up other access points in the area, which may be a concern if you are sharing a building or a floor with another organization. Their access points may cover part of your floor space, but their access points do not directly compromise your network and are not cause for alarm. The periodic "walk-through" of your campus is the only way to address the threat of unauthorized deployment. At least network analyzers are moving to a handheld form, so you won't have to carry as much.
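One way to cut the cost of each walk-through is to triage the survey log automatically, so that only access points missing from the inventory, or authorized ones running without their security features, need a visit. This is an added example, not part of the original article; the inventory, the neighbor list, the record layout and every address in it are constructed assumptions rather than the export format of any particular tool.

```python
# Assumed inventory (constructed): BSSID -> expected SSID for access points
# IT deployed, plus BSSIDs already attributed to a neighboring organization.
AUTHORIZED = {"02:00:00:aa:bb:01": "corp-wlan", "02:00:00:aa:bb:02": "corp-wlan"}
KNOWN_NEIGHBORS = {"02:00:00:cc:dd:01"}

# Constructed walk-through log:
# (location, bssid, ssid, channel, signal_dbm, privacy_bit)
SURVEY = [
    ("3F-east", "02:00:00:aa:bb:01", "corp-wlan", 1, -48, True),
    ("3F-east", "02:00:00:cc:dd:01", "tenant-b", 6, -80, True),
    ("3F-west", "02:00:00:aa:bb:02", "corp-wlan", 11, -52, False),
    ("3F-west", "02:00:00:ee:ff:09", "default", 6, -41, False),
    ("3F-lab", "02:00:00:ee:ff:09", "default", 6, -35, False),
]

def triage(survey, authorized, neighbors):
    """Collapse sightings into one finding per BSSID."""
    findings = {}
    for location, bssid, ssid, _channel, signal, privacy in survey:
        problems = []
        if bssid in authorized:
            if ssid != authorized[bssid]:
                problems.append("ssid differs from inventory")
            if not privacy:
                problems.append("privacy bit clear")
            status = "authorized-misconfigured" if problems else "authorized"
        elif bssid in neighbors:
            status = "neighbor"  # covers our floor, not attached to our LAN
        else:
            status = "unknown"   # candidate rogue: locate and identify it
            problems.append("not in inventory")
        entry = findings.setdefault(bssid, {
            "status": status, "ssid": ssid, "problems": problems,
            "strongest": (signal, location)})
        # The strongest sighting is the best place to start looking for
        # the device on the next walk-through.
        entry["strongest"] = max(entry["strongest"], (signal, location))
    return findings

def needs_follow_up(findings):
    """BSSIDs that need a visit, strongest signal first."""
    hits = [(f["strongest"][0], b) for b, f in findings.items()
            if f["status"] not in ("authorized", "neighbor")]
    return [b for _, b in sorted(hits, reverse=True)]

if __name__ == "__main__":
    print(needs_follow_up(triage(SURVEY, AUTHORIZED, KNOWN_NEIGHBORS)))
```

An unknown BSSID is only a candidate: radio data alone cannot show whether the device is plugged into your wired network, so each one still has to be found and identified before it is moved to the neighbor list.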

Problem #3: Unauthorized Use of Service

Several war drivers have published results indicating that a clear majority of access points are put in service with only minimal modifications to their default configuration. Nearly all of the access points running with default configurations have not activated WEP (Wired Equivalent Privacy) or have a default key used by all the vendor's products out of the box. Without WEP, network access is usually there for the taking.

Two problems can result from such open access. In addition to bandwidth charges for unauthorized use, legal problems may result. Unauthorized users may not necessarily obey your service provider's terms of service, and it may take only one spammer to cause your ISP to revoke your connectivity.

Whether unauthorized use is a problem depends on the objectives of the service. For corporate users extending wired networks, access to wireless networks must be as tightly controlled as for the existing wired network. Strong authentication is a must before access is granted to the network.

If you have deployed a VPN to protect the network from wireless clients, it probably has strong authentication capabilities already built in. Administrators can also choose to use 802.1x to protect the network from unauthorized users at the logical point of attachment. 802.1x also allows administrators to select an authentication method based on Transport Layer Security (TLS), which can be used to ensure that users attach only to authorized access points.

Not all networks, however, need to deploy ironclad user authentication. Theft of service was a major concern for connectivity providers in "hot spots" such as hotels and airports. After all, the business model was to charge for network access, so preventing unauthorized access was a business requirement. In the wake of the spectacular failure of some of the former big-name players like MobileStar, the hot-spot connectivity industry is experimenting with new business models.

Newer players in the market have based the business model on the idea that free wireless network access is an amenity that might draw guests and convention business. In this newer business model, user authentication is necessary only to ensure accountability. Authentication using a Web browser is a perfectly acceptable solution because it allows sessions to be identified and does not require specialized client software or a certain model of 802.11 network interface.

Problem #4: Service and Performance Constraints

Wireless LANs have limited transmission capacity. Networks based on 802.11b have a bit rate of 11 Mbps, and networks based on the newer 802.11a technology have bit rates up to 54 Mbps. This capacity is shared between all the users associated with an access point. Due to MAC-layer overhead, the actual effective throughput tops out at roughly half of the nominal bit rate. It is not hard to imagine how local area applications might overwhelm such limited capacity, or how an attacker might launch a denial of service attack on the limited resources.

Radio capacity can be overwhelmed in several ways. It can be swamped by traffic coming in from the wired network at a rate greater than the radio channel can handle. If an attacker were to launch a ping flood from a Fast Ethernet segment, it could easily overwhelm the capacity of an access point. Depending on the deployment scenario, it might even be possible to overwhelm several access points by using a broadcast address as the destination of the ping flood.

Attackers could also inject traffic into the radio network without being attached to a wireless access point. The 802.11 MAC is designed to allow multiple networks to share the same space and radio channel. Attackers wishing to take out the wireless network could send their own traffic on the same radio channel, and the target network would accommodate the new traffic as best it could using the CSMA/CA mechanisms in the standard.

Large traffic loads need not be maliciously generated, either, as any network engineer can tell you. Large file transfers or complex client/server systems may transfer large amounts of data over the network to assist users with their jobs. If enough users start pulling vast tracts of data through the same access point, network access may resemble sucking molasses through a straw north of the Arctic Circle in January.

Addressing performance problems starts with monitoring and discovering them. Many access points will report statistics via SNMP, but not with the level of detail required to make sense of end-user performance complaints. Wireless network analyzers can report on the signal quality and network health at a single location, but tools designed for wireless network administrators are only beginning to emerge.

The initial commercial wireless analyzer offerings were straightforward ports of their wired cousins; new products such as AirMagnet's handheld analyzer look like extremely promising additions to the wireless network engineer's toolkit. No enterprise-class wireless network management system has yet emerged. Some performance complaints could be addressed by deploying a traffic shaper at the point at which a wireless LAN connects to your network backbone. While this will not defend against denial of service attacks, it may help prevent heavy users from monopolizing the radio resources in an area.
