Auditing Wireless Networks: Who Is Listening to My Network Traffic?

In today's business environment, the installation of wireless networks has taken a center-stage position. Wireless permits an organization to use networked devices in locations where Cat 5 cable is not available.

The Institute of Electrical and Electronics Engineers (IEEE, www.ieee.org) has taken a lead position in the creation and development of wireless networking protocols. In 1990, IEEE established the 802.11 working group. One of their goals was the creation of a wireless local area network (WLAN) standard. The standard specified an operating frequency in the 2.4 GHz band that had been specified for industrial, scientific, and medical use. Seven years later, in 1997, the IEEE adopted the first WLAN standard with data rates of 1 Mbps and 2 Mbps. In 1999, the working group approved two extensions to the 802.11 protocol. The first, 802.11a, operates in the Unlicensed National Information Infrastructure band of 5 GHz with a transfer rate of 54 Mbps. This standard protocol only allowed clients within 40 to 50 feet, due to power restrictions enforced by the Federal Communications Commission (FCC). The second adopted standard is one of the more popular WLAN protocols, 802.11b. This protocol operates on the 2.4 GHz band with operating distances sometimes exceeding 1000 feet and has speeds near 11 Mbps. It is the 802.11b standard known popularly as "Wi-Fi," Wireless Fidelity.

Basic Wi-Fi Architecture

One basic workstation to other compatible client is known as the independent basic service. It provides peer-to-peer communication links between two or more wireless devices with the use of an Access Point, AP, device. In other words, the devices connected via the wireless links are known as "cells" and generally do not have any outside connections other than their connections to each other. This connection structure is known as "Ad hoc." For example, three laptops are connected via their 802.11b wireless network interface cards. In this fashion, they may transact their business through this rudimentary peer-to-peer wireless network.

The most common WLAN infrastructure is known as the "basic service set" where an access point (AP) and at least one wireless client are required. The AP is a device that acts as a router connecting networks, and the wireless client acts in a similar fashion to a Network Interface Card for the client device. APs are relatively small hardware devices that require very little technical knowledge and time to install. In most cases, APs can be purchased for less than $200. Wireless clients are easily installed in desktops and laptops and frequently cost less than $100. In most WLAN architectures, the AP is the connection point between the LAN and the Internet or other open-ended network, while the wireless clients are installed in workstations and mobile systems.

Connections between the AP and its clients are initiated with the proper Service Set Identifier, SSID. Basically, the SSID is the name the owner gives the WLAN network. It is supposed to provide a logical separation between the AP and its clients. In theory, clients must have been configured with the same SSID as the AP in order to connect. It is important to remember that APs act in very similar fashion to routers, and the wireless clients act in similar fashion to NIC cards.

Most WLANs have the ability to be configured for Wired Equivalence Protection, WEP. This is an encryption method between the AP and clients. Due to flaws in WEP, it is possible for attackers to record a significant amount of the encrypted traffic between AP and clients, deduce the encryption, and decipher the traffic. This attack requires a significant amount of recorded traffic and specialized software. Regardless, successfully attacking a wireless network, featuring WEP, can be done by tenacious persons. It is simply a matter of patience and skill.

802.11b Information Packet Types

Beacon packets are typically transmitted continually by APs. These packets contain the SSID, maximum transfer rate, and MAC address of the AP. Generally, APs send from six to ten beacon packets every second. Probe packets are sent by clients to APs while attempting to join a network. Probe packets request the SSID of the network it wishes to join. If an AP permits the client to associate with the target network, the AP responds with a response containing the SSID. Data packets are simply TCP/IP encapsulations of the data being exchanged between the client and the AP. Ad hoc packets are similar to beacon packets, except they are exchanged client card to client card instead of through an AP.

Wi-Fi Network Detection

Active detection is the condition where the client transmits probe packet requests and listens for responses to them. This is the process followed by Netstumbler (www.netstumbler.com). Active detection requires the wireless client to be located within the radio frequency range of the AP to exchange traffic with the target network.

Passive detection is the process where the client merely listens to all detectable traffic in the air and extracts pertinent information from the intercepted packets. The client needs to be within the useable range of the AP to detect the packets. Passive detection cannot locate an AP that is not broadcasting. The wireless sniffer application, Airsnort, available at airsnort.shmoo.com, uses this listening detection method. If an attacker uses the passive detection method, it is virtually impossible to detect an attacker monitoring the target network.

802.11b Headers

Wireless network headers contain the most basic packet information: the MAC of the transmitting source, destination, SSID, WEP information, supported transfer rates, the channel, and the direction of the communication. It is important for auditors to note that WEP only encrypts the data packets. Packets in the link-layer such as beaconing, probes, etc., are not encrypted. They are exchanged in clear text.

WEP

WEP effectiveness is determined by its key-length, the number of flawed systems generating packet traffic, and the traffic levels on the network. If there are no systems generating data traffic, then attackers are not going to have the opportunity to capture weak keys. WEP has the flaw of being a shared secret key encryption method. Once the system's key is compromised, all systems must be updated with a new WEP key. The new key must be of a greater length or the newly generated and shared key will have the same weaknesses as the compromised key. Compromised keys may result from attackers, former employees, or lost systems.

Cloaking SSIDs

Currently, there are many manufacturers that have the feature of blanking the SSID from the beacon packets. Unless the client knows the correct SSID, it cannot associate with the AP and join the network. However, this protection is possibly transparent as a client joining the network, the AP sends its SSID to the client in the clear. This becomes important in that every time a client exchanges traffic with an AP, the SSID is broadcast in clear text. Legitimate users actually facilitate the AP sending the SSID. Attackers can force an AP to disclose its SSID by attacking it with jamming transmissions and as the clients attempt to rejoin the network, there is an exchange of the SSID in cleartext. Jamming consists of any strong 2.4 GHz transmitter.

Some manufacturers attempt to protect APs by disabling their beaconing ability. This is not a panacea either, such as cloaking the SSID is disclosed as users join the network. Auditors should remember that APs not transmitting the SSID and having their beaconing disabled are merely steps toward system security. Like WEP, they are not the only steps.

Wi-Fi Audit Program Features

Signal strength is one of the features of WLANs that permits attackers to gain a foothold in your system. Walls, doors, glass, and other types of building construction will not provide sufficient containment of the wireless signal. The AP placed inside a typical office can transmit a signal anywhere up to 1000+ feet. In many settings, a signal broadcast in any direction will place it in a neighboring office, road, or parking lot. Vertical signal reception must also be considered in that offices located above and beneath should be factors when selecting a location for the AP. Attackers have been known to engage in a practice known as "war driving," in which they spend their time driving from location to location equipped with a laptop, wireless client, and specialized software in search of unsecured Wi-Fi networks. Some attackers have gone as far as integrating their war-driving network interceptions with GPS and have created maps where wireless networks and their corresponding SSIDs are listed. Several Internet Web sites are dedicated to showing the location and SSIDs of unsecured networks. Of particular interest to attackers are those unprotected wireless networks located in business conference rooms. Software designed to locate unprotected wireless networks is available from www.netstumbler.com.

Many wireless network administrators feel that configuring their networks to recognize specific Network Interface Cards in the form of their individual MAC, Media Access Control, addresses is a measure that goes a long way to securing their networks from unauthorized intruders. MACs are individually significant digital addresses assigned to NICs. MACs identify the specific component and theoretically belong only to that component and none other in the world.

So, if an administrator configures her system to accept only specific MACs, then all others should not be permitted access. In this fashion, MAC filtering provides a significant degree of wireless network security. It is important to remember that there are software utilities that allow attackers to spoof their MAC addresses, however considering the large number of possible digital MAC combinations, there are a hundred million combinations, and the probability of guessing a MAC address is practically impossible. So if an intruder successfully spoofed an authorized MAC address, the intruder has had access to an authorized piece of equipment or has successfully intercepted an authorized MAC that was broadcast in the clear without being encrypted such as a VPN. Having an accurate inventory of equipment and accompanying identifying numbers, such as the MAC, can provide some avenue as to how the MAC was compromised.

Features associated with Wired Equivalent Privacy (WEP) have given wireless administrators and senior managers a false sense of security. In short, it is possible to break WEP contingent on the tenacity, and luck, of the attacker. Even when WEP is properly deployed on a wireless network, it is possible to break the encryption and gain access to the AP. It is important to know that WEP encryption keys are static and configured manually.

WEP protocol requires the same secret key to be shared by all wireless clients within the cell. The flaws are highlighted in the manner that WEP uses Initialization Vectors, IV, in establishing the encrypted link between the AP and the authorized clients. If a determined attacker intercepts a sufficient amount of wireless traffic, he can penetrate the wireless network's WEP and gain access using available software. ^[12]

Beyond the idea of restricted MACs and WEP deployment, the only viable solution of private and authorized system traffic is the deployment of a Virtual Privacy Network, VPN. This is not without its issues, but it is a means of allowing only authorized clients to use the system's facilities and provides an encrypted tunnel between clients and other system components. The following factors determine whether it is worth the trouble to deploy a VPN system:

• What is the sensitivity of the traffic this system is going to be seeing?

• What is the importance of privacy?

• Is it important for my wireless network to eliminate unauthorized users?

• Is my wireless network connected to other sensitive system components? What are the risks if an attacker gained access, through the wireless network, to other network elements?

Wireless Denial-of-Service Attacks

Wi-Fi networks can become victims to denial-of-service attacks in the same fashion as wired networks. They have some of their own issues distinct from conventionally wired systems.

• Users with malicious intent can configure a wireless client to transmit thousands of connection requests to an AP eventually leading to a complete shutdown of the AP. This makes a strong auditor argument for system logging and having the MACs assigned to specific machines with accurate inventories.

• Extraneous radio frequency (RF) generation can result in Wi-Fi jamming from sources such as an arc-welder. Having an AP that cannot receive the transmissions of its assigned clients due to powerful RF jamming from a nearby construction project or body and fender repair shop will not receive intended traffic.

• In wireless systems, it is possible to reach a saturation of RF devices. This is true in 802.11b, 802.11a, 802.11g, and Bluetooth systems. In essence, there are more users than the system can handle.

Auditor Considerations for Wireless Networks

Wireless networks have a different set of system security countermeasures than hardwire systems do. These are some audit program features that may be worth incorporating:

• APs should have the correct antenna configuration.

• If the system has the ability to attenuate the signal strength, has the broadcast signal strength been reduced sufficiently to cover the intended area and no more?

• Turn off the SSID broadcasting at the AP. If this is not possible, consider using another vendor if restricting unauthorized users is a primary consideration.

• What SSID naming convention was used? SSIDs should not disclose any useful information about the wireless system, for example: Finanzoffice, HRMail, or BWINET.

• What is the level of security dependence on the client's MAC as an access authenticator? Wireless systems must not solely depend on MAC layer filters as their only security measure. This is one of those steps that should be part of the whole system authentication process. Remember that MACs can be spoofed.

• Does the target system have an Intrusion Detection System, IDS, configured to alert administrators in the event an excessive amount of ARP, Address Resolution Protocol, replies are detected on the system? Remember that ARP associates MAC with IP addresses.

• Is the system configured with software tools that will provide notification when IP to MAC bindings change. One such tool is called Arpwatch and is available at www.nrg.ee.lbl.gov.

• Has a VPN solution been effectively implemented between the target system and the clients? Use a third party VPN solution to connect the clients to a single AP with each use being routed to the appropriate VPN endpoint in the organization's network.

• Are there multiple APs to access different segments of the system, each with a unique SSID?

• Does the organization's current policy prohibit the installation of APs and other hardware/software without prior written approval of the information security officer?

• Are all APs logically located outside the organization's perimeter firewall?

• Are all unused internal switch ports disabled?

• Is there a systemwide mechanism to monitor any new MAC addresses on the organization's internal system? How effective is this monitoring?

Exhibit 29 is an example of a wireless system with the laptop representing a variety of wireless client devices. It is important to note that the AP is located outside the firewall and computer traffic is required to be authenticated and pass through the VPN endpoint before entering the internal network.

Exhibit 29: Typical Wireless System

^[12]Such software is available at http://sourceforge.net/projects/airsnort/, http://airsnort.shmoo.com/, or http://www.dachb0den.com/projects/bsd-airtools.html.