Summary of Exam Objectives

Wireless LANs are attractive to many companies and home users because of the increased productivity that results from the convenience and flexibility of being able to connect to the network without the use of wires. WLANs are especially attractive when they can reduce the costs of having to install cabling to support users on the network. For these and other reasons, WLANs have become very popular in the past few years. However, WLAN technology has often been implemented poorly and without giving due consideration to the security of the network. For the most part, these poor implementations result from a lack of understanding of the nature of wireless networks and the measures that can be taken to secure them.

WLANs are inherently insecure due to their very nature—the fact that they radiate radio signals containing network traffic that can be viewed and potentially compromised by anyone within range of the signal. With the proper antennas, the range of WLANs is much greater than is commonly assumed. Many administrators wrongly believe that their networks are secure because the interference created by walls and other physical obstructions, combined with the relatively low power of wireless devices, will contain the wireless signal sufficiently. Often, this is not the case.

You can deploy a number of types of wireless networks. These include 802.11b and 802.11a networks as well as several other types not discussed here. The most common type of WLAN in use today is based on the IEEE 802.11b standard.

The 802.11b standard defines the operation of WLANs in the 2.4 GHz to 2.4835 GHz unlicensed Industrial, Scientific, and Medical (ISM) band. 802.11b devices use direct sequence spread-spectrum (DSSS) to achieve transmission rates of up to 11 Mbps. All 802.11b devices are half-duplex devices, which means that a device cannot send and receive at the same time. In this, they are like hubs and therefore require mechanisms for contending with collisions when multiple stations are transmitting at the same time. To contend with collisions, wireless networks use Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA).

The 802.11a and forthcoming 802.11g standards define the operation of wireless networks with higher transmission rates. 802.11a devices are not compatible with 802.11b because they use frequencies in the 5 GHz band. Furthermore, unlike 802.11b networks, they do not use DSSS. 802.11g uses the same ISM frequencies as 802.11b and is backward compatible with 802.11b devices.

The 802.11 standard defines the 40-bit Wired Equivalent Privacy (WEP) protocol as an optional component to protect wireless networks from eavesdropping. WEP is implemented in the MAC sublayer of the data link layer (Layer 2) of the OSI model.

WEP is insecure for a number of reasons. The first is that because it encrypts well-known and deterministic IP traffic from Layer 3, it is vulnerable to known-plaintext attacks. That is, it is relatively easy for an attacker to figure out the plaintext traffic (for example, a DHCP exchange) and compare that with the ciphertext, providing a powerful clue for cracking the encryption.

Another problem with WEP is that it uses a relatively short (24-bit) initialization vector (IV) to encrypt the traffic. Because each transmitted frame requires a new IV, it is possible to exhaust the entire IV space in a few hours on a busy network, resulting in the reuse of IVs. Such reuse is known as an IV collision, and IV collisions can also be used to crack the encryption. Furthermore, IVs are sent in the clear with each frame, introducing another vulnerability.
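To put numbers on the IV problem described above, the following is an added example (not from the book) that computes how long a 24-bit IV space lasts at a given frame rate and, using the birthday problem, how many frames it takes before an IV collision becomes likely even with random IV selection. The frame rate of 1,000 frames per second is an assumed value for a "busy network"; the function also accepts other IV widths so you can compare WEP's 24-bit IV with the 48-bit counter used by TKIP.

```python
import math

IV_BITS = 24  # WEP initialization vector width
IV_SPACE = 2 ** IV_BITS  # 16,777,216 distinct IVs

def seconds_to_exhaust(frames_per_second: float, bits: int = IV_BITS) -> float:
    """Seconds until a sender using a fresh IV for every frame has used every IV once."""
    return (2 ** bits) / frames_per_second

def hours_to_exhaust(frames_per_second: float, bits: int = IV_BITS) -> float:
    """Same as seconds_to_exhaust, expressed in hours."""
    return seconds_to_exhaust(frames_per_second, bits) / 3600.0

def collision_probability(frames: int, bits: int = IV_BITS) -> float:
    """Exact probability that at least two of `frames` uniformly random IVs repeat.

    This is the birthday problem: P(no repeat) = prod_{i=0}^{frames-1} (N - i) / N.
    """
    space = 2 ** bits
    p_no_collision = 1.0
    for i in range(frames):
        p_no_collision *= (space - i) / space
    return 1.0 - p_no_collision

def frames_for_collision_probability(target: float, bits: int = IV_BITS) -> int:
    """Smallest number of frames at which P(at least one IV collision) reaches `target`."""
    space = 2 ** bits
    p_no_collision = 1.0
    frames = 0
    while 1.0 - p_no_collision < target:
        p_no_collision *= (space - frames) / space
        frames += 1
    return frames

def birthday_estimate(target: float, bits: int = IV_BITS) -> float:
    """Closed-form approximation sqrt(2 N ln(1/(1-p))) for cross-checking the exact loop."""
    return math.sqrt(2 * (2 ** bits) * math.log(1.0 / (1.0 - target)))

if __name__ == "__main__":
    busy_rate = 1000.0  # assumed frames/second on a busy network (constructed value)
    print(f"24-bit IV space exhausted in {hours_to_exhaust(busy_rate):.2f} hours at {busy_rate:.0f} fps")
    print(f"48-bit counter (TKIP) exhausted in {hours_to_exhaust(busy_rate, 48) / 8760:.0f} years")
    n50 = frames_for_collision_probability(0.5)
    print(f"50% chance of an IV collision after only {n50} frames (random IVs)")
    print(f"  closed-form estimate: {birthday_estimate(0.5):.0f}")
```

Note that with random IV selection a collision is likely after a few thousand frames, long before the space is exhausted; a sequential IV counter delays the first reuse until the whole space has been used but makes the reuse point entirely predictable.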

The final stake in the heart of WEP is the fact that it uses RC4 as the encryption algorithm. The RC4 algorithm is well known; recently it was discovered that it uses a number of weak keys. AirSnort and WEPcrack are two well-known open-source tools that exploit the weak key vulnerability of WEP.

Although WEP is insecure, it does nonetheless potentially provide a good barrier, and its use will slow determined and knowledgeable attackers. For this reason, WEP should always be implemented. The security of WEP is also dependent on how it is implemented. Because the IV key space can be exhausted in a relatively short amount of time, static WEP keys should be changed on a frequent basis.

The best defense for a wireless network involves the use of multiple security mechanisms to provide multiple barriers that will slow attackers, making it easier for you to detect and respond to attacks. This strategy is known as defense in depth.

Securing a wireless network should begin with changing the default configurations of the wireless network devices. These configurations include the default administrative password and the default SSID on the access point.

The Service Set Identifier (SSID) is a kind of network name, analogous to an SNMP community name or a VLAN ID. In order for the wireless clients to authenticate and associate with an access point, they must use the same SSID as the one in use on the AP. The SSID should be changed to a unique value that contains no information that could potentially be used to identify the company or the kind of traffic on the network.

By default, SSIDs are broadcast in response to beacon probes and can be easily discovered by site survey tools such as NetStumbler and Windows XP. It is possible to turn off SSID broadcasts on some APs. Disabling SSID broadcasts creates a "closed network." If possible, SSID broadcasts should be disabled, although this will interfere with Windows XP's ability to automatically discover wireless networks and associate with them. However, even if SSID broadcasts are turned off, it is still possible to sniff the network traffic and see the SSID in the frames.

Wireless clients can connect to access points using either open system or shared-key authentication. Shared-key authentication provides protection against some DoS attacks, but it creates a significant vulnerability for the WEP keys in use on the network and should not be used.

MAC filtering is another defensive tactic that can be employed to protect wireless networks from unwanted intrusion. Only the wireless stations that possess adapters that have valid MAC addresses are allowed to communicate with the access point. However, MAC addresses can be easily spoofed, and maintaining a list of valid MAC addresses could be impractical in a large environment.

A much better way of securing WLANs is to use 802.1x technology. 802.1x was originally developed to provide a method for port-based authentication on wired networks. However, it was found to have significant application in wireless networks. With 802.1x authentication, a supplicant (a wireless workstation) needs to be authenticated by an authenticator (usually a RADIUS server) before access is granted to the network itself. The authentication process takes place over a logical uncontrolled port that is used only for the authentication process. If the authentication process is successful, access is granted to the network on the logical controlled port.

802.1x relies on Extensible Authentication Protocol (EAP) to perform the authentication. The preferred EAP type for 802.1x is EAP-TLS. EAP-TLS provides the ability to use dynamic per-user, session-based WEP keys, eliminating some of the more significant vulnerabilities associated with WEP. However, to use EAP-TLS, you must deploy a Public Key Infrastructure (PKI) to issue digital X.509 certificates to the wireless clients and the RADIUS server.

Other methods that can be used to secure wireless networks include placing wireless APs on their own subnets in wireless DMZs (WDMZ). The WDMZ can be protected from the corporate network by a firewall or router. Access to the corporate network can be limited to VPN connections that use either PPTP or L2TP. New security measures continue to be developed for wireless networks. Future security measures include Temporal Key Integrity Protocol (TKIP) and Message Integrity Code (MIC).


MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
Year: 2003
Pages: 162