Chapter 9. Wireless Local Area Networks

   

Wireless LANs as part of an enterprise network are increasing in popularity. Users enjoy the freedom of being able to use a laptop anywhere in a building or on campus. It doesn't hurt that a WLAN can be very cost effective. Of course, there are serious security issues associated with WLANs. The freedom that a WLAN provides users can also become an easy way for an attacker to gain access to an organization's network. Attackers often target WLANs because, like routers, network administrators deploy them without considering the security implications. Even worse, a network user may deploy an unauthorized access point, sometimes called a rogue access point, without informing network administrators.

The generally accepted standard for WLAN connections, as defined by IEEE, is 802.11. The 802.11 specification only defines the physical layer and MAC address portion of wireless Ethernet. It is based on the IEEE Ethernet Standard, 802.3, so WLANs are designed to be an extension of a network, although even a peer-to-peer WLAN will support any protocol that normally runs over Ethernet. As with most standards, the interoperability of network devices does not always work as advertised, but as the technology matures, the level of communication between network devices is improving.

There are three important physical layer series within the 802.11 protocol: 802.11b, 802.11a, and 802.11g. Series are different ways of implementing the 802.11 standard. Wireless network cards have to conform to these individual series in order to speak with other WLAN network interfaces in the same series.

Table 9.1. 802.11 Spectrum by Region

Region           Spectrum
Europe           2.4000–2.4835 GHz
France           2.4465–2.4835 GHz
Japan            2.4710–2.4970 GHz
Spain            2.4450–2.4750 GHz
United States    2.4000–2.4835 GHz

802.11b is, by far, the market leader. It operates at 11 megabits per second (Mbps) and uses the 2.4 GHz spectrum, though the bands within the spectrum vary depending on the region in which the WLAN is deployed. 802.11 protocols use DSSS and FHSS to communicate in the ISM unlicensed 2.4 GHz spectrum. The actual spectrum used depends on where the equipment is being deployed. Each country can define certain frequencies within the 2.4 GHz frequency for use in wireless networks. Table 9.1 lists the bands by region.

The 802.11a standard was ratified in 1999; however, products did not begin shipping in volume until 2002. The 802.11a series operates in the 5 GHz spectrum, and has 8 available radio channels for data to travel on. 802.11a-compliant cards support data rates up to 54 Mbps. Because 802.11a and 802.11b cards operate in different spectrums, they are not compatible.

A third series, 802.11g, operates in both the 2.4 GHz and 5.0 GHz spectrums. It is backward compatible with the 802.11b series, but operates at speeds up to 54 Mbps, just like 802.11a.

NOTE

The Wireless Ethernet Compatibility Alliance (WECA) was formed to test the interoperability of WLAN devices. As WECA continues to perform tests and certify products, expect compatibility between devices to improve and prices to fall.


WLAN design is fairly simple. Users with wireless network cards using compatible protocols can either connect to each other in a flat network, or plug into an access point. If the users are tied into an access point, they can connect to it as long as they are within 300 feet (farther with an antenna). In a large building or campus, multiple access points can be strategically placed to provide continuous network connectivity throughout the organization.

In cases where an access point is used, it acts as a bridge between the WLAN devices and the network. The access point emits a signal from an omni-directional antenna attached to it. WLAN devices using the same 802.11 series pick up the signal and make a connection to the access point. The access point can either assign an IP address from its pool or forward the request to a network-based DHCP server. The WLAN device accepts the IP address and begins transmitting clear-text data to the access point. The access point, acting as any bridge, forwards the data to the network and returns any responses to the originating network devices.

The basic security problem facing WLANs is the same one facing wireless WANs: An attacker no longer has to be within the premises to launch an attack. With a traditional wired network an attacker either has to be inside the building to connect to a network port or to figure out a way to bypass router, firewall, and server security to break into the network remotely. A wireless attack, sometimes known as a "drive-by hacking," doesn't involve being on the physical premises and it doesn't involve bypassing the network edge security measures. Instead, the attacker launches the attack from within the network, where there tend to be fewer obstacles to a successful attack, because security is generally lighter inside the trusted network.

NOTE

An unofficial survey conducted by Ziff-Davis reporters in April 2002 revealed that 61 percent of all wireless networks had little to no security protection enabled.
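
An added example (not from the book): one way to act on the rogue access point concern raised at the start of this chapter, and on the survey finding above, is to compare a wireless site survey against the inventory of access points the network team actually deployed. The inventory, the survey rows, and the function names are constructed for illustration.

```python
# Constructed inventory of deployed access points: BSSID -> expected SSID.
AUTHORIZED = {
    "00:11:22:33:44:01": "CORP-WLAN",
    "00:11:22:33:44:02": "CORP-WLAN",
}

# Constructed site-survey rows: (BSSID, SSID, channel, protected, signal dBm).
SURVEY = [
    ("00:11:22:33:44:01", "CORP-WLAN", 1, True, -48),
    ("00:11:22:33:44:02", "CORP-WLAN", 6, False, -55),
    ("00:AA:BB:CC:DD:10", "default", 11, False, -40),
    ("00:AA:BB:CC:DD:11", "CORP-WLAN", 6, False, -62),
    ("00-aa-bb-cc-dd-10", "default", 11, False, -44),  # repeat sighting
]

def normalize(bssid):
    """Canonical lower-case, colon-separated MAC so sightings compare equal."""
    return bssid.strip().lower().replace("-", ":")

def audit(survey, authorized):
    """Return {bssid: [findings]} for every access point needing follow-up."""
    inventory = {normalize(b): ssid for b, ssid in authorized.items()}
    known_ssids = set(inventory.values())
    strongest = {}
    for bssid, ssid, channel, protected, dbm in survey:
        key = normalize(bssid)
        # Keep the strongest sighting of each radio; it best locates the device.
        if key not in strongest or dbm > strongest[key][3]:
            strongest[key] = (ssid, channel, protected, dbm)
    report = {}
    for key, (ssid, channel, protected, dbm) in sorted(strongest.items()):
        findings = []
        if key not in inventory:
            findings.append("unauthorized access point")
            if ssid in known_ssids:
                findings.append("advertises a corporate SSID")
        elif inventory[key] != ssid:
            findings.append("SSID differs from inventory")
        if not protected:
            findings.append("no link protection enabled")
        if findings:
            report[key] = findings
    return report

if __name__ == "__main__":
    for bssid, findings in audit(SURVEY, AUTHORIZED).items():
        print(bssid, "->", "; ".join(findings))
```

An authorized access point that passes every check is omitted from the report, so an empty result means the survey matched the inventory.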


Wireless attacks work in this fashion because a wireless access point broadcasts its signal in a radius. WLAN technologies do not require line of sight, unlike LMDS or MMDS, so the signal spreads out irrespective of any walls, floors, or ceilings that may be in its path. This means an attacker standing outside of the office building, with the right equipment, may be able to receive the wireless signal and use that information to gain access to the network.

In fact, there are tools, such as AirSnort, that have been developed to scan for wireless network signals. These tools allow a remote computer to listen to particular channels for WLAN signals (Figure 9.1). Once a signal is located, AirSnort will collect the data as it is transmitted through the air. A WLAN sniffer is different than a normal network sniffer in that the attacker does not have to belong to the network in order to use it. In other words, normally an attacker attempting to sniff a network would have to be attached to that network, either by being plugged directly into a switch or by compromising a server on the network. Someone attempting to sniff a WLAN does not have the same constraints. In a manner similar to reporters who monitor police channels, an attacker can monitor WLAN traffic without participants of the WLAN knowing.

Figure 9.1. A typical WLAN design. Multiple workstations connect to an access point, which plugs into the network. The access point forwards traffic to and from the workstations and the rest of the network.


NOTE

AirSnort is available for the Linux platform and can be downloaded from the AirSnort website: airsnort.shmoo.com/


Figure 9.2 illustrates how an attacker could monitor WLAN network traffic using a laptop with a wireless network card. To increase the reach of the laptop, the attacker can attach an omni-directional antenna to extend signal strength up to three times the normal reach of an access point. Remember, and this is very important, an attacker does not have to be part of the network in order to monitor it. This is especially important to keep in mind when planning the security of the WLAN. Truthfully, an attacker does not even need a laptop. There are programs available that will convert either a Palm or a Pocket PC handheld computer into a wireless network sniffer. These tools are designed to help administrators secure a WLAN, but attackers can use them just as effectively.

Figure 9.2. An attacker is able to use a WLAN sniffer to monitor data on the wireless network, even though the attacker is not attached to the network

The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
EAN: 2147483647
Year: 2002
Pages: 131
Authors: Allan Liska
