Chapter 8: Hardening Wireless LAN Connections

Another aspect of your wireless security policy should define the mode of operation permitted for your WLANs. WLANs have two modes of operation. The first mode of operation is infrastructure mode, and it's the conventional WLAN configuration. Infrastructure mode entails the wireless clients being connected to the existing wired infrastructure by way of a WAP or wireless router. The second mode of operation is ad hoc mode, sometimes referred to as peer-to-peer mode . In ad hoc mode, multiple wireless clients are connected to each other in a peer-to-peer fashion, allowing small workgroups of computers to connect to each other without any other infrastructure. You should not allow ad hoc connections in your environment.

You also need to explicitly define the physical WLAN components you will allow in your network. This will assist you in detecting and identifying unauthorized wireless devices. The three primary WLAN components to define in your environment are the following:

• Wireless access point (WAP) A WAP (sometimes referred to as a base station) is the device that wireless clients connect to. A WAP can typically connect hundreds of wireless clients and effectively operates like a bridge, allowing the client access to the physical LAN segment the WAP is connected to. WAPs are typically used in enterprise environments to provide wireless access.

• Wireless router Wireless routers combine the functionality of a WAP with a router, allowing wireless clients to connect to the router and then be routed to other networks. Wireless routers often include firewall functionality and are typically used in small office/home office (SOHO) environments to provide wireless access.

• Wireless client Wireless clients include any device that uses a wireless network card to communicate with a WAP or wireless router.

I personally know of companies that have rogue WAPs that allow anyone on the freeway to access their internal production network, including potentially granting access to source code. A rogue WAP is a death blow to security because no matter how much you have hardened the perimeter, it has been instantly undermined by the WAP once it connects to your internal network.

Detecting Unauthorized WAPs Wirelessly

The most effective method of detecting unauthorized WAPs is by simply using a wireless client and locating the WAPs broadcasting in your environment. A few caveats must be considered when employing this method, however:

• You have to be within range of the WAP in order to detect it.

• It is very difficult to detect a WAP that does not broadcast its SSID.

• It can be difficult to survey remote sites.

The good news is that because most unauthorized WAPs are not implemented by malicious users (and oftentimes are implemented by nontechnical users), the odds are high that the SSID broadcast has not been disabled. This leaves us with the problems of needing to be within range of the WAP to detect it and trying to survey remote sites. It is often impractical for someone in IT to spend the day walking around trying to determine if they can detect access points. One of the best solutions I have seen for this is to take advantage of someone who on a daily basis must walk around the environment ”the mail delivery person. You can outfit this person with a laptop or handheld carrying extra batteries and while they make their normal rounds delivering the mail, the laptop can sit in the bottom of the mail cart quietly detecting any WAPs. A number of wireless analyzers can be used to detect the presence of unauthorized WAPs, including the following:

• Airdefense (http://www.airdefense.net/)

• Airmagnet (http://www.airmagnet.com/)

• Boingo (http://www.boingo.com/)

• Netstumbler (http://www.netstumbler.com)

• Kismet (http://www.kismetwireless.net/)

• Network Associates Sniffer (http://www.networkassociates.com/us/products/sniffer/home.asp)

• Wildpackets Airopeek NX (http://www.wildpackets.com/products/airopeek_nx)

Netstumbler provides one of the easiest methods for detecting a rogue AP over the wireless network. Once you install Netstumbler, the program automatically begins scanning for WAPs with no configuration required on your part (other than providing the wireless NIC, of course). For example, the screen shown next depicts what I was able to capture while driving down a major freeway in the Houston area. I captured 175 WAPs, of which 113 were running no encryption whatsoever, and none of which were running WiFi Protected Access (WPA). Instead, they were all using WEP.

Detecting Unauthorized WAPs from the Wired Network

Detecting unauthorized WAPs from the wired network is generally not as easy a process as it is to detect them wirelessly. After all, it doesn t get much simpler than walking around with a laptop and a wireless card. At the same time, you can t really do much about the biggest problem with trying to detect a WAP wirelessly ”namely ”detecting a WAP that is not broadcasting its SSID.

Using a wired detection process can alleviate some of the disadvantages to trying to detect an unauthorized WAP wirelessly. For example, a wired detection process is not susceptible to missing WAPs that do not broadcast their SSIDs. In addition, a wired detection process can be used to survey remote sites and can even be scheduled and scripted to increase ease of use.

Unfortunately, there are some drawbacks to this method. It can be difficult to locate all the unauthorized access points. This is largely due to the lack of mature or specialized products for this task. Currently, most techniques rely on using MAC addresses (because all vendors are assigned a MAC address range) or OS fingerprinting to identify the WAP, both of which are an imprecise science. Here are two tools that can assist you in identifying an unauthorized AP by monitoring MAC addresses:

• AP Tools (http://winfingerprint. sourceforge .net/aptools.php) AP Tools not only can discover an access point based on the MAC address, it can also attempt to check to verify that the access point is a WAP.

• Arpwatch (http://www-nrg.ee.lbl.gov/) Arpwatch can monitor the network and maintain a database of MAC address and IP address pairings.

Here are some tools that can assist you in OS fingerprinting:

• Nmap (http://www.insecure.org/nmap/index.html) Nmap can be used to identify the OS that a scanned host is running. For more information on using Nmap see Chapter 13.

• Xprobe (http://www.sys-security.com/html/projects/X.html) Xprobe is similar to Nmap in its ability to identify the OS through the use of fingerprinting.

• Nessus (http://www.nessus.org) Nessus is discussed in detail in Chapter 13. However, you can find an excellent whitepaper that details the process of using Nessus to detect rogue WAPs at http://www.tenablesecurity.com/wap-id-nessus.pdf.

Both of these methods share the common problem of generating false positives. For example, Nmap recognizes a Linksys WAP54G as a Linux device because it actually runs Linux for the OS. This can make it difficult to determine whether the device is indeed a WAP or just a Linux host running on your network. MAC address tools rely on identifying a device due to it having a MAC address that has been assigned to a wireless vendor. That can make it difficult to distinguish between a Cisco AP and a Cisco switch if the database of MAC addresses has not been accurately updated.

Detecting WAPs from the Wired Network

While I was writing this, I got into a discussion with a colleague about the inconsistencies and difficulties of detecting a rogue wireless AP on the network. He mentioned that he was testing an alpha version of Network Associates ePolicy Orchestrator (EPO; http://www.nai.com/us/products/ mcafee /mgmt_solutions/epo.htm ) that has the ability to detect rogue wireless APs. When I asked him how well it worked, he mentioned that he had tested EPO with a number of different wireless APs and that it detected all of them within 5 “8 minutes of being brought online. The technology is definitely improving, and the accuracy of the detection algorithms is getting much better.