We divided the audit into technical and operational sections with examples of what you could audit. Depending on your goals and needs, you might need less or more than what's listed here.
Running old firmware on the access point may leave the access point open to known attacks or prevent the organization from taking advantage of more robust security features.
Evaluate a representative sample of access points with an administrator, and verify that the code running on each access point is the latest version. Confirm what the latest version actually is by checking the manufacturer's website or a similarly current source of information from the manufacturer. Examine the change-management processes around evaluating and maintaining current code releases for the access points. Note whether this process is automated and coordinated and whether it scales operationally across regional offices.
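One way to turn this step into a repeatable check is to export the access-point inventory from the management suite and compare each unit's running firmware against the release the manufacturer currently lists for that model. The script below is an added example for this chapter, not code from the book or from any access-point vendor; the inventory rows, model names, and "latest release" table are constructed sample data, and the version strings are hypothetical. Models with no reference release are reported rather than skipped, since an unknown model is itself an inventory gap, and a per-site count of outdated units gives a quick read on whether the update process scales across offices.

```python
"""Flag access points whose firmware lags the vendor's current release.

Added example for this audit step; not code from the book. The inventory
rows and the "latest release" table below are constructed sample data and
the version strings are hypothetical. In practice the inventory would be
exported from the WLAN management suite and the latest-release table filled
in from the manufacturer's website.
"""
from __future__ import annotations

import re
from typing import Iterable


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '7.0.116.0' or 'v2.1' into a tuple of integers that compares correctly."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)


# Constructed: what the manufacturer's website currently lists per model.
LATEST_RELEASE = {
    "AP-MODEL-A": "7.0.116.0",
    "AP-MODEL-B": "2.1.3",
}

# Constructed: a sample of the access-point inventory, as an auditor would
# pull it from the management suite (name, site, model, running firmware).
INVENTORY = [
    {"name": "hq-ap-01", "site": "HQ", "model": "AP-MODEL-A", "firmware": "7.0.116.0"},
    {"name": "hq-ap-02", "site": "HQ", "model": "AP-MODEL-A", "firmware": "7.0.98.0"},
    {"name": "den-ap-01", "site": "Denver", "model": "AP-MODEL-B", "firmware": "2.1.3"},
    {"name": "den-ap-02", "site": "Denver", "model": "AP-MODEL-B", "firmware": "2.0.9"},
    {"name": "lab-ap-01", "site": "Lab", "model": "AP-MODEL-C", "firmware": "1.0"},
]


def audit_firmware(inventory: Iterable[dict], latest: dict[str, str]) -> dict[str, list[str]]:
    """Classify each AP as current, outdated, or unknown (no reference release).

    'unknown' is reported separately rather than silently skipped: a model
    with no reference release is itself an inventory/change-management gap.
    """
    report = {"current": [], "outdated": [], "unknown": []}
    for ap in inventory:
        ref = latest.get(ap["model"])
        if ref is None:
            report["unknown"].append(ap["name"])
        elif parse_version(ap["firmware"]) < parse_version(ref):
            report["outdated"].append(ap["name"])
        else:
            report["current"].append(ap["name"])
    return report


def outdated_by_site(inventory: list[dict], latest: dict[str, str]) -> dict[str, int]:
    """Per-site count of outdated APs. Uneven numbers across regional offices
    suggest the update process does not scale, which is what this step asks about."""
    outdated = set(audit_firmware(inventory, latest)["outdated"])
    counts: dict[str, int] = {}
    for ap in inventory:
        counts.setdefault(ap["site"], 0)
        if ap["name"] in outdated:
            counts[ap["site"]] += 1
    return counts


if __name__ == "__main__":
    for status, names in audit_firmware(INVENTORY, LATEST_RELEASE).items():
        print(f"{status:9s} {', '.join(names) or '-'}")
    print(outdated_by_site(INVENTORY, LATEST_RELEASE))
```

Version strings are compared numerically, component by component, so "7.0.116.0" is correctly newer than "7.0.98.0"; a plain string comparison would get that wrong.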
This step verifies that management software is used to the fullest extent possible and that it's kept under tight control with sound policies and procedures. Centrally managed WLAN tool suites are a powerful method for controlling the many access points likely under the network team's supervision, especially across different geographic locations. Often management software is available from the same company that manufactured the access points. The access controls surrounding the tool suite are another avenue for someone to purposefully or inadvertently wreak havoc on your network and user population by changing access point settings.
Discuss this with your administrator, and ask for a demonstration of the management suite and its capabilities. Ask for procedures on handling the management suite, including who has access and how that access is controlled. If passwords are used, ensure that they match company policy and are rotated according to general company or other more stringent policies. In some organizations, every 90 days may be fine. Others may want their passwords rotated every 180 days or as quickly as 30 days. This is driven in large part by the perceived value of the information accessed wirelessly and the use of mitigating factors such as second-factor authentication tokens. Passwords do not have to be changed as often for systems that support robust or second-factor authentication because the password is only one of two authentication pieces needed. For example, the second authentication factor might come from a SecurID token.
This is a broad step to ensure that your clients have basic protections in place to mitigate the risk of compromise from an external source. You also want to make sure that the connecting client isn't going to harm your network.
Ensure that your clients have basic protection mechanisms in place if they are going to connect wirelessly to your network. At a minimum, your clients should have firewall and antivirus software. Other mitigating protections might include ensuring that all laptops are managed by a patch-management suite and are members of your Active Directory domain. In this way, you can keep your systems patched and push down policies as makes sense for your network. You also might use standard known images for the laptops to minimize the complexity of the systems, the cost to your help desk, and the likelihood that your laptops carry malware that could hurt your network.
If you don't have an authentication method set up, then anyone with a wireless card can access your network. This seriously violates the integrity of your network and places your systems at real risk of being compromised by a curious passerby. In densely populated areas where more than one company offers wireless to its users, the authentication method becomes very important. You most likely want your users mutually authenticated, meaning that your access points authenticate to your clients and your clients authenticate to your network.
There are several considerations in choosing the authentication method for your environment. Do you want your users authenticating or just the mobile device? What systems do you want your clients using on the backend for authentication? How is your infrastructure set up? Choosing the correct authentication method is beyond the scope of this short section, but you should have an understanding of the most common authentication methods outlined in Table 11-2. Ask the team responsible for the wireless implementation for proof of what they are using as their authentication method, and ensure that something is in place with which you feel comfortable. If your organization isn't using authentication to protect network access from wireless users, then this should be raised as an issue.
Table 11-2: Common wireless authentication methods

EAP-TLS (Transport Layer Security): This method requires both user and server digital certificates and supports strong mutual authentication.

EAP-TTLS (Tunneled Transport Layer Security): This method eliminates the client-side certificates and is typically used in organizations that wish to retain a non-EAP RADIUS infrastructure, such as those running Microsoft Active Directory, by placing a TTLS server in front of the RADIUS server. The TTLS server converts EAP requests to legacy authentication methods.

PEAP (Protected EAP): PEAP is very similar to EAP-TTLS; however, PEAP is supported natively by the Windows XP and 2000 operating systems. TTLS is supported natively by many more operating systems.

EAP-MD5: This method doesn't support mutual authentication and isn't recommended for wireless networks except in cases where nothing else will work. Keep in mind that EAP-MD5 can be used as the client authentication algorithm inside a tunnel created by TTLS or PEAP.

LEAP (Cisco-EAP Wireless): This method is for Cisco-only implementations and has had serious security issues in the past.
After the clients authenticate to the network, they begin passing data through their agreed-on communications channel. If the data are passed in cleartext or an easily broken format, then the data are subject to eavesdropping.
More than likely you are passing data over an encrypted link if you have implemented wireless in the last couple of years. This step is a reminder that your data are passing wirelessly and are subject to another party intercepting and recording the conversation. Well-designed yagi antennas can detect and read traffic hundreds of yards or even miles away in a clear line of sight. Work with your network administrator to understand how the traffic is encrypted between the supplicants (clients) and the access points.
Security monitoring and regular log reviews can reveal potential issues before a serious event occurs.
Speak with the WLAN administrator to understand what's being logged and whether those logs are ever looked at or reviewed. An automated review process is preferred. Ideally, the monitoring devices or software would help you to identify issues, record authentication events, and locate potential rogue access points. Work with the administrator to understand whether these logs are useful, and if not, determine what barriers prevent them from being reviewed and serving up useful data.
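To show what an automated first pass over these logs can look like, here is an added example written for this chapter; it is not code from the book and does not read any particular RADIUS server's native format. The log lines are constructed in a simple key=value layout chosen for the example, and the user names and access-point names are made up. It pulls out the two things the step calls for: authentication events worth a second look (bursts of rejects for one account) and authentication traffic relayed by an access point that is not in the inventory, which is one way the logs themselves can point at a rogue or undocumented access point.

```python
"""Automated first pass over WLAN authentication logs.

Added example for the monitoring-and-logging step; not code from the book.
The log lines are constructed in a simple key=value layout chosen for this
example (not the format of any particular RADIUS server), and the host and
user names are made up. Feed the real log in place of SAMPLE_LOG and adapt
parse_line() to its layout.
"""
from __future__ import annotations

import re
from collections import Counter

# Constructed sample: timestamp, result, user, and the AP (NAS) that relayed the request.
SAMPLE_LOG = """\
2009-03-02T08:15:01 radius auth=accept user=jdoe nas=hq-ap-01
2009-03-02T08:16:10 radius auth=reject user=asmith nas=hq-ap-02
2009-03-02T08:16:12 radius auth=reject user=asmith nas=hq-ap-02
2009-03-02T08:16:15 radius auth=reject user=asmith nas=hq-ap-02
2009-03-02T08:16:19 radius auth=reject user=asmith nas=hq-ap-02
2009-03-02T08:16:25 radius auth=accept user=asmith nas=hq-ap-02
2009-03-02T08:20:33 radius auth=accept user=jdoe nas=ap-unknown-7
2009-03-02T08:21:00 radius auth=reject user=bwong nas=hq-ap-01
"""

# Constructed: the access points the WLAN team says it operates.
KNOWN_NAS = {"hq-ap-01", "hq-ap-02"}

_LINE = re.compile(
    r"^(?P<ts>\S+) radius auth=(?P<result>accept|reject) user=(?P<user>\S+) nas=(?P<nas>\S+)$"
)


def parse_line(line: str) -> dict | None:
    """Return the fields of one log line, or None if the line is not in the expected layout."""
    m = _LINE.match(line.strip())
    return m.groupdict() if m else None


def review_auth_log(text: str, known_nas: set[str], reject_threshold: int = 3) -> dict:
    """Summarize what a reviewer should look at first.

    - reject_bursts: users with at least reject_threshold rejects (a mistyped
      password, a stale cached credential, or guessing against the account).
    - unknown_nas: authentication relayed by an AP not in the inventory.
    - unparsed: lines the parser did not understand, counted rather than
      dropped so that a log-format change does not silently blind the review.
    """
    rejects: Counter[str] = Counter()
    unknown_nas: set[str] = set()
    unparsed = 0
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            unparsed += 1
            continue
        if rec["result"] == "reject":
            rejects[rec["user"]] += 1
        if rec["nas"] not in known_nas:
            unknown_nas.add(rec["nas"])
    return {
        "reject_bursts": {u: n for u, n in rejects.items() if n >= reject_threshold},
        "unknown_nas": sorted(unknown_nas),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    print(review_auth_log(SAMPLE_LOG, KNOWN_NAS))
```

The unparsed count matters more than it looks: when a vendor changes its log format after an upgrade, a review script that silently drops lines it cannot read will report "nothing to see" with great confidence.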
This is the step that most people think about when someone brings up a wireless audit. We hope that you do more than just locate rogue access points and realize that the scope of an effective WLAN audit is much greater than "just" this step. This said, we don't want to take away from the importance of finding rogue access points that are violating your policies and bypassing intended authentication and communication security measures designed to protect your network from outside sources.
There are a number of ways to approach a search for rogue access points, including specialized wireless monitoring appliances, wardriving tools, and searching through your network traffic.
If you have commercial WLAN monitoring tools available, use them to corroborate other evidence you may find. Examples include Aruba, AirDefense, and AirMagnet. Centrally managed wireless detection and prevention systems are a key component of enterprise control of wireless operations and compliance with policies. Proactive wireless monitoring is really the best way to identify wireless intrusions and vulnerabilities because wardriving only shows you what happens at a particular moment in time.
The most common method is to use wardriving software and tools to search for signals coming from rogue access points. This is similar to what an attacker might use and fun for most auditors. Wardriving can be effective in some scenarios, but here are the challenges that must be addressed:
WLAN signal density or noise may make this prohibitive.
The results are for only that snapshot in time.
There is a wide choice of software and hardware.
The work scope needs to be carefully defined.
If you are considering wardriving or warwalking around a high rise in a densely populated area, then you may find it nearly impossible to detect rogue access points among the noise around your network. However, if you are located in the country, this may be very easy to do. There is a wide choice of hardware and software available, but for most purposes, we recommend sticking to the basics. There are commercial versions of wardriving software, but most people will find free tools such as NetStumbler (http://www.netstumbler.com) and Kismet (http://www.kismetwireless.net) more than adequate for their purposes. If you are comfortable with Linux or Mac and have a laptop available for use, then you probably will prefer using Kismet because of its rich feature set.
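Whatever scanner you use, the useful part of the work starts when you compare its snapshot against what the WLAN team says it operates. The script below is an added example for this step; it is not code from the book and is not the output or export format of NetStumbler or Kismet. The scan records, the authorized BSSID list, the corporate SSID names, and the signal levels are all constructed. It sorts each observed network into an audit bucket: a corporate SSID on hardware you do not own, an authorized access point running weaker encryption than policy allows, an unknown network heard loudly enough to be on the premises, and faint unknown networks that are most likely the neighbours (the "noise" problem above). Because it is one snapshot, every candidate still needs physical follow-up before it becomes a finding.

```python
"""Triage a wardriving/warwalking snapshot against the authorized AP inventory.

Added example for the rogue-access-point step; not code from the book and
not the output of NetStumbler or Kismet. The scan records, inventory, SSIDs,
BSSIDs and signal levels are constructed sample data. A real run would read
the scanner's export in place of SCAN_SNAPSHOT.
"""
from __future__ import annotations

# Constructed: what the organization says it operates.
AUTHORIZED_BSSIDS = {"02:00:00:00:00:01", "02:00:00:00:00:02"}
CORPORATE_SSIDS = {"ACME-CORP", "ACME-GUEST"}
WEAK_ENCRYPTION = {"OPEN", "WEP"}   # below policy for any company-owned AP
STRONG_SIGNAL_DBM = -65             # heard at least this loudly: probably on the premises

# Constructed snapshot of one walk through the building (signal in dBm).
SCAN_SNAPSHOT = [
    {"bssid": "02:00:00:00:00:01", "ssid": "ACME-CORP",  "enc": "WPA2", "signal": -48},
    {"bssid": "02:00:00:00:00:02", "ssid": "ACME-GUEST", "enc": "WEP",  "signal": -55},
    {"bssid": "02:00:00:00:00:99", "ssid": "ACME-CORP",  "enc": "OPEN", "signal": -52},
    {"bssid": "02:00:00:00:00:77", "ssid": "linksys",    "enc": "OPEN", "signal": -60},
    {"bssid": "02:00:00:00:00:88", "ssid": "CoffeeShop", "enc": "WPA2", "signal": -84},
]


def triage(snapshot: list[dict], authorized: set[str], corporate_ssids: set[str]) -> dict[str, list[str]]:
    """Sort each observed network into an audit bucket (bucket -> BSSIDs, in snapshot order)."""
    buckets: dict[str, list[str]] = {
        "spoofed_corporate": [],     # our SSID on hardware we do not own
        "weak_authorized": [],       # our AP, but encryption below policy
        "unknown_on_premises": [],   # loud, unknown, not ours: walk to it
        "probable_neighbor": [],     # faint and unknown: record, do not chase
        "ok": [],
    }
    for net in snapshot:
        known = net["bssid"] in authorized
        if not known and net["ssid"] in corporate_ssids:
            buckets["spoofed_corporate"].append(net["bssid"])
        elif known and net["enc"] in WEAK_ENCRYPTION:
            buckets["weak_authorized"].append(net["bssid"])
        elif known:
            buckets["ok"].append(net["bssid"])
        elif net["signal"] >= STRONG_SIGNAL_DBM:
            buckets["unknown_on_premises"].append(net["bssid"])
        else:
            buckets["probable_neighbor"].append(net["bssid"])
    return buckets


def follow_up_list(buckets: dict[str, list[str]]) -> list[str]:
    """BSSIDs that need physical confirmation before anything is reported as a finding."""
    return buckets["spoofed_corporate"] + buckets["unknown_on_premises"]


if __name__ == "__main__":
    result = triage(SCAN_SNAPSHOT, AUTHORIZED_BSSIDS, CORPORATE_SSIDS)
    for bucket, bssids in result.items():
        print(f"{bucket:20s} {', '.join(bssids) or '-'}")
    print("walk to:", follow_up_list(result))
```

The signal threshold is the knob that absorbs the density problem: in a high rise you will raise it (or add a second walk to see which networks move with you) so that the neighbours' access points stop landing in the on-premises bucket, and in a rural office you can lower it and still get a short list.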
Built-in wireless tools come with most security-focused and self-booting Linux distributions. These are free and a great way to get your feet wet with Linux-based tools:
Netstumbler is a great tool if you prefer using your Windows laptop. It's very simple to set up and use (Figure 11-3). A number of nontechnical people have used it in the past to find hotspots when they travel.
Figure 11-3: Network Stumbler in action.
Use these tools carefully and only with permission in conjunction with your job. Never break into another person's network "just because you can." Also consider how your WLAN card is configured, and never connect to open networks unless you have permission. Remember that as an auditor, you're held to a code of ethics and generally very high standards.
If you would like to extend the range of the default antenna you use for daily wireless connectivity, then consider buying a high-powered card and a wireless antenna. We have used http://www.wardrivingworld.com (an eBay storefront) and have had great success with its pricing and services. The company sells several setups for this purpose. Speak with an old-hat shortwave radio enthusiast, and you'll quickly get bogged down in the complexities of antenna design and function. This is well beyond the scope of what you need to know to use them. You basically need to be aware of two types of antennas:
Directional antennas. An example is a yagi antenna. This is a cannon-shaped antenna. Yagi antennas have a 30-degree directional beam that will help you to triangulate and pinpoint where rogue access points may be hiding. Users will find this an attractive way to locate a source while driving or walking around a building. The range of a yagi antenna generally is very good because all its sensitivity is focused in one direction.
Omnidirectional antennas. An example is a blade antenna. These antennas are capable of communicating with sources in all directions, which is great if you just want to add an antenna booster to your laptop. If you tried this with a yagi antenna and pointed the yagi in the wrong direction, then you would be sorely disappointed because you would never get your signal. The range of a blade antenna typically is much less than that of a yagi antenna.
Carefully consider the scope of the work to be done. It's one thing to use these tools to locate rogue access points and another to use tools similar to these to compromise your network. Scope the finding of rogue access points separately from determining the level of risk associated with weak protocols and weak authentication schemes.
Finally, you theoretically could search through your network for MAC addresses belonging to wireless access points. Each network card has a MAC address uniquely assigned to it by the manufacturer. The first 24 bits of the address are the OUI, or company_id, a globally unique number assigned to the manufacturer. The manufacturer concatenates a further 24 bits of its own choosing to produce the 48-bit number that is unique to a particular piece of hardware; that 48-bit number is the MAC address. The MAC address is what delivers frames from the network card to the next hop on the local network segment, the idea being to uniquely address a piece of hardware. People have tried in the past to find equipment on their network by searching for the OUI, or company_id, which works in some cases but not in all.
Your ability to do this depends on your network topology, the skill of your network administrator, the monitoring tools you have in place, and the amount of work you want to do. The OUI assignments are maintained by the IEEE and listed in their entirety at http://www.standards.ieee.org/regauth/oui/oui.txt. The challenge you will run into if you choose to do this is false positives and false negatives. Some OUIs have been reassigned or bought by others, and one company may use another manufacturer's chipset. If that is not enough, MAC addresses are easily spoofed! It's an elegant solution on the surface. However, you may run into these challenges and find that one of the other methods is an easier solution.
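The mechanics of this search are simple enough to show end to end. The script below is an added example for this chapter, not code from the book or from the IEEE. OUI_TXT_EXCERPT is a constructed excerpt in the layout of the IEEE oui.txt file: the Cisco entry is a real assignment, while the two "EXAMPLE ..." vendors and every address in the switch MAC table are made up. It parses the registry, looks up the vendor of each address seen on the wired side, and reports anything whose vendor name matches an access-point keyword. It also illustrates the two caveats above: an address with the locally administered bit set (the second hex digit of the first octet is 2, 6, A or E) was not assigned by a manufacturer at all, so the OUI lookup says nothing about the hardware, and an address that is not in the registry is reported rather than dropped.

```python
"""Look up the vendor (OUI) of MAC addresses seen on the wired network.

Added example for the MAC-address search described above; not code from the
book. OUI_TXT_EXCERPT is a constructed excerpt in the layout of the IEEE
oui.txt file: the Cisco entry is real, the two "EXAMPLE ..." vendors and
every MAC in MAC_TABLE are made up. A real run would read the downloaded
oui.txt and the switch's MAC-address table export.
"""
from __future__ import annotations

import re

OUI_TXT_EXCERPT = """\
00-00-0C   (hex)\t\tCISCO SYSTEMS, INC.
00000C     (base 16)\t\tCISCO SYSTEMS, INC.
\t\t\t\t170 WEST TASMAN DRIVE
\t\t\t\tSAN JOSE CA 95134
\t\t\t\tUNITED STATES

A8-BB-CC   (hex)\t\tEXAMPLE WIRELESS AP CO (constructed)
A8BBCC     (base 16)\t\tEXAMPLE WIRELESS AP CO (constructed)

A8-BB-DD   (hex)\t\tEXAMPLE LAPTOP NIC LTD (constructed)
A8BBDD     (base 16)\t\tEXAMPLE LAPTOP NIC LTD (constructed)
"""

# Only the "(hex)" lines carry the assignment; the "(base 16)" and address lines repeat it.
_HEX_LINE = re.compile(r"^([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})\s+\(hex\)\s+(.+?)\s*$")


def parse_oui_txt(text: str) -> dict[str, str]:
    """Map 'AABBCC' -> vendor name from the '(hex)' lines of oui.txt."""
    table: dict[str, str] = {}
    for line in text.splitlines():
        m = _HEX_LINE.match(line)
        if m:
            table["".join(m.group(1, 2, 3))] = m.group(4)
    return table


def oui_of(mac: str) -> str:
    """Normalize '00:00:0c:12:34:56', '0000.0c12.3456' or '00-00-0C-..' and return the 24-bit OUI."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits[:6]


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means the address was assigned locally
    (spoofed, randomized or virtual), so the OUI says nothing about the hardware."""
    return bool(int(oui_of(mac)[:2], 16) & 0x02)


# Constructed switch MAC-address table: (mac, switch port).
MAC_TABLE = [
    ("00:00:0c:12:34:56", "Gi1/0/1"),   # Cisco OUI: could be an AP, a switch or a phone
    ("a8:bb:cc:00:00:01", "Gi1/0/7"),   # constructed AP vendor
    ("a8:bb:dd:00:00:02", "Gi1/0/9"),   # constructed laptop-NIC vendor, not flagged
    ("02:bb:cc:00:00:03", "Gi1/0/12"),  # locally administered: OUI lookup is meaningless
    ("d8:ad:be:ef:00:04", "Gi1/0/15"),  # not present in (this excerpt of) the registry
]


def find_ap_candidates(mac_table, oui_table, vendor_keywords):
    """Return (mac, port, vendor, note) for every entry that deserves a look.

    vendor_keywords: upper-case substrings that mark access-point makers.
    Locally administered and unregistered addresses are returned with a note
    instead of being dropped, because either can hide an undocumented device.
    """
    hits = []
    for mac, port in mac_table:
        if is_locally_administered(mac):
            hits.append((mac, port, None, "locally administered; vendor unknown"))
            continue
        vendor = oui_table.get(oui_of(mac))
        if vendor is None:
            hits.append((mac, port, None, "OUI not in registry"))
        elif any(k in vendor.upper() for k in vendor_keywords):
            hits.append((mac, port, vendor, "vendor matches AP keyword; confirm on the port"))
    return hits


if __name__ == "__main__":
    registry = parse_oui_txt(OUI_TXT_EXCERPT)
    for hit in find_ap_candidates(MAC_TABLE, registry, ("CISCO", "WIRELESS")):
        print(hit)
```

The Cisco entry shows why the false-positive problem is structural rather than a bug: the same OUI covers access points and plenty of other equipment from the same vendor, so a keyword hit only tells you which switch port to go and look at, never what is plugged into it.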
Failure to establish ownership and tracking of end-user issues could result in end users being unable to resolve connectivity problems.
End-user issues should be tracked through a trouble ticketing system. There needs to be an owner for these issues and a group responsible for tracking the progress to closure of any tickets opened because of WLAN issues. Discuss these processes with the administrator.
Policies help to ensure compliance with a standard, support repeatable processes, and give the company the ability to act against documented violations.
Determine if WLAN policies exist and whether the administrator responsible for the WLAN knows and understands the content of the policies. Determine if the policies are being followed or what barriers might exist that prevent them from being followed. Some common policy items might be
All wireless transmissions must be encrypted to prevent eavesdropping.
All access points must have updated firmware.
Only authorized people on the [insert name here] team may have direct administrative controls of the access points.
Only authorized people on the [insert name here] team may install access points.
Passwords to access points must adhere to company policy.
Default SSID names are not allowed or broadcast.
All efforts will be made to reduce propagation of radio waves outside the facility.
Devices accessing the network must use personal firewalls and antivirus programs.
Client devices must use IPSec-based virtual private network (VPN) technology.
The [insert name here] team must monitor for rogue access points on a [insert time frame here] basis.
Only authorized systems owned by the company may access the network and only for appropriate business use.
Failure to have appropriate recovery processes in place prevents a timely restoration of wireless access for users who must have it to conduct company business. Additionally, without a plan it would be extremely easy, during the recovery process, to deploy an insecure WLAN, leaving the organization's network open to unwanted guests.
Restoring the WLAN may not be at the top of most people's list following a critical disaster, but there should at least be some thought given to it and procedures in place to facilitate the process. Discuss this with the administrator, and ensure that the recovery processes are in line with the expectations and standards of other recovery processes in the company. Depending on the use of wireless, this may be a critical component, such as in a large warehouse that depends on wireless mobile scanners. Other environments, such as one that uses wireless to supplement an existing and working wired infrastructure, may not view this as very important. This is a business risk that should be evaluated and measured appropriately when reviewing the WLAN security policies and the WLAN disaster-recovery/business-continuity (DR/BC) processes.
Change-management processes help to track and provide controlled changes to the environment. Controlled environments are more secure and have less impact on user productivity.
Discuss change-management practices with the administrator. Consider asking for evidence of a recent change, and follow how the change was handled from start to finish.