Despite all the conveniences supplied by 802.11 networks, the fact that wireless network traffic knows no physical boundaries and travels freely through the air makes it inherently insecure. In this section we will discuss ways to effectively secure wireless networks. All the elements that go into making a wired network secure can be applied in a wireless environment as well. In the upcoming pages we will discuss the best way to design a wireless network to keep it secure, the use of wireless encryption for confidentiality and authentication, the hardening of APs to ward off attacks, and the use of mechanisms outside the wireless technology domain for additional defense-in-depth security.
The most important aspects to securing a wireless network are the way it is designed and the way it interfaces to your wired network. No matter what features you use to secure your wireless infrastructure, there will always be ways to defeat them. By utilizing a solid network design strategy, you can make it harder for attackers to reach your wireless network. This can also add more controls to your wireless segments and protect your wired network from its wireless counterparts. In this section we will examine the use of firewalls and routers to exact the same kind of controls on wireless networks that you can on wired networks and to prevent signal leakage through proper AP placement and wireless signal dampening.
Separation via Network Control Mechanisms
Because an AP typically connects wireless and wired networks, nodes that are located on networks on both sides of an AP participate in the same broadcast domain. Under such circumstances, a wireless attacker can use techniques that apply to wire-based networks, including attacks such as ARP cache poisoning, thus exploiting the loquacious nature of broadcast domains.3 Such an attack would impact other wireless nodes that are connected to the access point, as well as devices on the wired side of it.
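The ARP cache poisoning risk described above is easiest to see with a small monitor that watches the IP-to-MAC bindings advertised on the shared broadcast domain. The following Python script is an added example written for this edition, not code from the book: it feeds a constructed sequence of ARP replies (made up for the illustration) through a watcher that keeps the first binding it learns for each IP and raises an alert when the binding changes, with higher severity when the affected IP is the gateway or when one MAC starts answering for several IPs. The network addresses are assumptions.

```python
from collections import defaultdict

# Constructed ARP replies as a sniffer on the AP's broadcast domain might see
# them: (sender_ip, sender_mac). These values are made up for the example.
GATEWAY_IP = "10.20.0.1"  # assumed gateway address for the wireless segment
SAMPLE_ARP_REPLIES = [
    ("10.20.0.1", "00:11:22:aa:bb:01"),   # gateway announces itself
    ("10.20.0.1", "00:11:22:aa:bb:01"),   # repeat of the same binding: benign
    ("10.20.0.55", "00:11:22:cc:dd:55"),  # an ordinary wireless client
    ("10.20.0.1", "de:ad:be:ef:00:99"),   # gateway IP now claimed by another MAC
    ("10.20.0.55", "de:ad:be:ef:00:99"),  # the same MAC also claims the client
]


class ArpWatch:
    """Track IP-to-MAC bindings learned from ARP replies and flag changes.

    The first binding seen for an IP is kept as the baseline; a later reply
    that maps the same IP to a different MAC is reported rather than adopted.
    """

    def __init__(self, protected_ips=()):
        self.bindings = {}               # ip -> mac as first learned
        self.claims = defaultdict(set)   # mac -> set of ips it has answered for
        self.protected = set(protected_ips)
        self.seen = set()                # alert texts already emitted
        self.alerts = []

    def observe(self, ip, mac):
        """Process one ARP reply; return the alerts it raised (possibly none)."""
        mac = mac.lower()
        new = []
        previous = self.bindings.get(ip)
        if previous is None:
            self.bindings[ip] = mac
        elif previous != mac:
            severity = "HIGH" if ip in self.protected else "MEDIUM"
            new.append(f"{severity}: {ip} moved from {previous} to {mac}")
        self.claims[mac].add(ip)
        # One MAC answering for several IPs is the signature of a host placing
        # itself between peers, so report it once per MAC.
        if len(self.claims[mac]) > 1:
            msg = f"HIGH: {mac} claims multiple IPs {sorted(self.claims[mac])}"
            if msg not in self.seen:
                new.append(msg)
        for msg in new:
            self.seen.add(msg)
        self.alerts.extend(new)
        return new


def run_sample():
    """Run the constructed replies through a fresh watcher; return all alerts."""
    watcher = ArpWatch(protected_ips=[GATEWAY_IP])
    alerts = []
    for ip, mac in SAMPLE_ARP_REPLIES:
        alerts.extend(watcher.observe(ip, mac))
    return alerts


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Running the script prints three alerts: the gateway binding change, the client binding change, and the single MAC claiming both addresses. On a real network the same logic sits behind a sniffer on the segment that joins the AP to the wired side, which is exactly the chokepoint the following design sections recommend.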
Because of the number of vulnerabilities associated with wireless deployments and the nature of the medium itself, it makes sense to treat 802.11 networks as more vulnerable than an isolated wired network. The justification for separating wire-based and wireless resources is further reinforced by the unrestrained Layer 2 access that a wireless node might have to wired hosts on the other side of the access point. As stated in Chapter 13, "Separating Resources," it is a good practice to divide the wireless part of your network from the wired part using a control mechanism, such as a router or firewall. This way, Layer 3 and higher access controls can be applied, rather than dealing with the standard problems associated with the fact that wireless communications transpire at Layer 2 and below.
A common, but flawed design that is utilized in many environments is the connection of an AP directly to a production switch (see Figure 14.1). Though this option is easily configured, it allows all wireless nodes direct Layer 2 access to any of the resources on that same production switch. At a minimum, placing the AP in its own isolated VLAN on the production switch and securing it using Layer 3 mechanisms is suggested.
Figure 14.1. It is not uncommon to find an AP connected directly to a production switch. What this gains us in convenience, it lacks in control.
A better design to consider is the concept of a "wireless DMZ," as alluded to in Chapter 13. By placing the APs into a dedicated security zone, additional Layer 3 and greater access controls (such as a firewall) can be applied. For example, by connecting all our APs to a single switch (or two switches for redundancy) and then connecting the switch to a firewall that connects to the production switch (see Figure 14.2), we have a chokepoint or Layer 3+ control between the APs and our production network.
Figure 14.2. A wireless DMZ allows Layer 3 controls in the form of a firewall between our wireless and production network.
If someone compromises a wireless node or an AP, he is now limited to only the services we are allowing across our firewall to the production network. Additionally, all traffic can be logged at the firewall, so we have an audit trail and a greater chance of detecting an attack.
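To make the "limited to only the services we are allowing" and "all traffic can be logged" properties concrete, here is an added example (written for this edition, not vendor or book code) of the policy a firewall between the wireless DMZ and the production switch enforces. It is a small zone-based rule evaluator in Python: the two address ranges, the allowed services (DNS and HTTPS only) and the sample flows are all assumptions constructed for the illustration. Rules are evaluated top to bottom, unmatched flows are denied, and every decision produces an audit record.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed zones for the wireless DMZ design: wireless clients sit behind
# the APs, production hosts behind the firewall's inside interface.
ZONES = {
    "wireless": ipaddress.ip_network("10.20.0.0/16"),    # assumed DMZ range
    "production": ipaddress.ip_network("10.10.0.0/16"),  # assumed production range
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str                # "tcp", "udp" or "any"
    dst_port: Optional[int]   # None matches any destination port
    action: str               # "allow" or "deny"


# Flow-initiation policy, first match wins. Only DNS and HTTPS may be opened
# from the wireless zone toward production; nothing may be opened from
# production toward the wireless DMZ, so those flows fall through to the
# implicit deny at the end of evaluate().
POLICY = [
    Rule("wireless", "production", "udp", 53, "allow"),
    Rule("wireless", "production", "tcp", 443, "allow"),
    Rule("wireless", "production", "any", None, "deny"),
]


def zone_of(ip):
    """Map an address to its security zone, or 'unknown' if it fits none."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(src_ip, dst_ip, proto, dst_port):
    """Return (action, rule_index) for a new flow; unmatched flows are denied."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for index, rule in enumerate(POLICY):
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and rule.proto in ("any", proto)
                and (rule.dst_port is None or rule.dst_port == dst_port)):
            return rule.action, index
    return "deny", None


def audit_line(src_ip, dst_ip, proto, dst_port):
    """One log record per decision, so the chokepoint doubles as an audit trail."""
    action, index = evaluate(src_ip, dst_ip, proto, dst_port)
    return f"{action.upper()} rule={index} {src_ip}->{dst_ip} {proto}/{dst_port}"


# Constructed sample flows: a wireless client resolving a name and reaching a
# web server, then trying an SMB connection that the chokepoint should block.
SAMPLE_FLOWS = [
    ("10.20.5.7", "10.10.0.53", "udp", 53),
    ("10.20.5.7", "10.10.1.10", "tcp", 443),
    ("10.20.5.7", "10.10.1.10", "tcp", 445),
]


def run_sample():
    return [audit_line(*flow) for flow in SAMPLE_FLOWS]


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The third sample flow is the interesting one: a compromised wireless node attempting SMB toward a production host is both stopped and recorded, which is the detection benefit the paragraph above describes. A stateful firewall would admit the return packets of the allowed flows automatically; the policy here governs only which side may open a connection.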
Finally, in cases where the APs themselves fall into different risk levels, it is possible to separate each of them into its own security zone, on a multileg firewall or multiple interface router (see Figure 14.3).
Figure 14.3. By segmenting the APs into their own security zones, we protect our wireless resources from each other.
A design like the one pictured in Figure 14.3 may be useful in environments such as college campuses, where instructors and students might have very different rights to production resources.
As enterprise class APs are developed, more and more of the same important security features incorporated into wired network switches are being integrated into APs. Access points have been produced that support the configuration of Quality of Service (QoS) and VLANs on the AP itself! This way, the AP can help control the QoS considerations for connected wireless clients and can group the traffic into security zones with different levels of risk using VLAN technologies. This is a major improvement over past APs, which basically acted like "dumb hubs." With a multi-VLAN AP, an important design consideration is how it will be integrated into your wired network. The connection between it and your production switch will most likely be an 802.1q trunk, which can propagate the same poor design considerations as demonstrated in the example in Figure 14.1. Placement of a firewall that supports 802.1q trunking between the AP and the switch would be recommended for exacting Layer 3+ controls on your wired networks. At the minimum, Layer 3 controls can be forced by configuring unique VLANs to support the wireless networks on the attached wired switches, forcing wireless traffic to go through a Layer 3 device for access to the rest of the wired network (see Figure 14.4). For more information on the separation of the network into security zones and the use of trunking, refer to Chapter 13.
Figure 14.4. By using unique VLANs for wireless networks, communications between wireless and wired networks are forced through a Layer 3 access device.
You can find information on trunking, the Cisco Firewall Services Module (FWSM), and the Check Point VSX in Chapter 13.
No matter which of these wireless network designs suits your business needs best, an important point to take away from this section is that adding Layer 3+ controls at the edge of your wireless network provides the type of control you take for granted between your wired network security zones.
Protecting Against Signal Leakage
Wireless infrastructure components have historically been vulnerable to attacks that could allow a determined attacker to access data on the wireless network as well as on the wired network that is connected through its access point. Such attacks have an increased threat level because 802.11 allows the attacker to connect to the wireless network at the media access layer without having to infiltrate the organization's physical facility. All that is needed to communicate with an 802.11 network is a compliant network card and the appropriate proximity to the target. One of the best ways to help alleviate such issues is by controlling wireless signal leakage. By carefully placing APs and the direction of their antennas, you can limit the amount of signal that is available outside of your building or campus. Insulating materials (such as thermally insulated windows and metallic paint and window tint) can be used to help deaden signals before they leave the areas you physically control. The less access that the public has to your network, the better. Choosing the areas where signal leakage occurs can also work to your advantage. If your wireless network is accessible from a public parking lot, you are at a greater risk than if your network is accessible via a secured parking lot that is monitored by cameras. Having your wireless network range mesh with your physical security, though often not possible, is a solid step toward good network security.
Defending Against Wireless Denial of Service (DoS)
There is a lot of conjecture about a new threat to networks everywhere: the wireless DoS. Though the range from which a wireless DoS can be executed must be much closer than a standard Internet DoS, the threat still has a very dangerous potential. A wireless DoS can slow down or even bring your wireless network to a halt, and depending on your network design, it could even spill over into your wired network. Most businesses do not have the equipment to be able to track down a device that could be causing a wireless DoS, though commercial packages to track down wireless transmitters (and more) are now available, such as Airmagnet (www.airmagnet.com).
The main defense against wireless denial of service (short of triangulating the source and tracking it down) is again the use of solid design fundamentals, such as those we have discussed in the last two sections. Being able to segregate the DoS away from your production network via a firewall or other control devices is ideal. QoS controls can also be implemented at the edge of the wireless DMZ. Network intrusion detection sensors can be placed at the point where your wireless and wired networks join. Finally, all the means used to keep signal leakage in can also help keep the wireless DoS out. Though no foolproof method of defense is available for wireless DoS, a proper design can go a long way toward threat mitigation.
Although wired Ethernet-based networks do not incorporate encryption at the media access and physical layers, 802.11 designers developed specifications for encryption mechanisms to allow authentication and encryption of communications between wireless nodes on Layers 1 and 2. Wireless encryption is meant to guard against eavesdropping and limit access to the wireless infrastructure, thus protecting against the inherently "public" nature of wireless communications that allows them to pass through walls and other physical barriers.4 An attacker is much more likely to gain access to the wireless network if the organization has not enabled an encryption method or related access-control mechanisms in its 802.11 deployment. An inexpensive reconnaissance experiment in 2001 by security enthusiasts in the Boston area detected hundreds of 802.11 access points, only 44% of which had encryption enabled.5 Remember that any encryption is better than no encryption. Many wireless attackers are simply looking for a jumping-off point from which they can launch further attacks. If an attacker finds a network with poor encryption and one with no encryption, it is very likely he will attack the network with no encryption. After all, why bother going through all the work to crack weak encryption when he can immediately access the unprotected network?
Wired Equivalent Privacy (WEP)
An important part of securing a wireless network is using an adequate encryption algorithm to protect your airborne data. In this section we will discuss the first security protocol for wireless networks and some of the inherent weaknesses that led to its replacement.
When the 802.11 specification was created, the individuals developing it realized that eavesdropping was a major concern for wireless networking. When your precious data, personal information, and passwords are traveling through the air, confidentiality becomes paramount. With this in mind, Wired Equivalent Privacy (WEP) was created to allow secure communications between wireless network cards and access points. The original version of WEP supported a 40-bit or 64-bit pre-shared key, with a later implementation (WEP2) offering a 128-bit key. It uses the RC4 algorithm for encryption. The paper "Weaknesses in the Key Scheduling Algorithm of RC4," by Scott Fluhrer, Itsik Mantin, and Adi Shamir, discusses flaws with RC4 in great detail, including issues with the way RC4 is implemented in WEP. The authors state that "when the same secret part of the key is used with numerous different exposed values, an attacker can rederive the secret part by analyzing the initial word of the keystreams with relatively little work."6 In turn, countless programs have been developed to exploit this weakness in WEP, including WEPCrack and AirSnort, both of which will be covered later in this chapter. For more information on the vulnerabilities of WEP and RC4, check out "Weaknesses in the Key Scheduling Algorithm of RC4," which is available all over the Internet.
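The quotation above concerns the way WEP builds each frame's RC4 key from an exposed value (a 24-bit initialization vector sent in the clear) and the static secret. The following Python block is an added example for this edition, not code from the book or from any WEP tool, and it does not implement the Fluhrer, Mantin and Shamir key-scheduling attack. It illustrates the simpler structural problem that a static key plus a 24-bit IV creates: once an IV repeats, two frames share a keystream, and XORing their ciphertexts cancels the keystream entirely. A birthday-bound estimate and a small simulation show how few frames it takes for a randomly chosen 24-bit IV to repeat. The key and plaintexts are constructed values; the 40-bit key is the original WEP size, and prepending the 3-byte IV gives the 64-bit RC4 key the text refers to.

```python
import math
import random


def rc4_keystream(key, length):
    """Minimal RC4: key-scheduling algorithm (KSA) then the output generator (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret_key, iv, plaintext):
    """WEP-style framing: the 3-byte IV travels in the clear and is prepended
    to the static secret key to form the per-frame RC4 key."""
    per_frame_key = iv + secret_key
    keystream = rc4_keystream(per_frame_key, len(plaintext))
    return iv, bytes(p ^ k for p, k in zip(plaintext, keystream))


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(secret_key, iv, p1, p2):
    """Two frames sent under the same IV share one keystream, so the XOR of
    the ciphertexts equals the XOR of the plaintexts: the keystream is gone."""
    _, c1 = wep_encrypt(secret_key, iv, p1)
    _, c2 = wep_encrypt(secret_key, iv, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def expected_frames_until_iv_repeat(iv_bits=24):
    """Birthday estimate: with N equally likely IVs, the first repeat is
    expected after roughly sqrt(pi * N / 2) frames."""
    n = 2 ** iv_bits
    return math.sqrt(math.pi * n / 2)


def simulate_first_iv_repeat(iv_bits=24, seed=None):
    """Draw random IVs until one repeats; return how many frames that took."""
    rng = random.Random(seed)
    seen = set()
    count = 0
    while True:
        iv = rng.getrandbits(iv_bits)
        count += 1
        if iv in seen:
            return count
        seen.add(iv)


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"          # constructed 40-bit WEP key
    print("same IV leaks plaintext XOR:",
          keystream_reuse_leak(key, b"\xaa\xbb\xcc", b"GET /index", b"POST /data"))
    print("expected frames until an IV repeats:",
          round(expected_frames_until_iv_repeat(24)))
    print("simulated frames until an IV repeats:", simulate_first_iv_repeat(24, seed=7))
```

The estimate comes out near five thousand frames, a matter of seconds on a busy access point, and a card that simply counts IVs from zero on every reboot does worse than random. The defensive lesson is the one the chapter draws: a static key with a 24-bit IV cannot avoid keystream reuse, so rotate WEP keys if you must run WEP at all, and move to the dynamic per-session keys of the protocols described later in this section.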
The fact that some implementations of RC4 are weak does not mean that RC4 itself is broken. Properly implemented, RC4 is considered secure. For more information, check out "RSA Security Response to Weaknesses in Key Scheduling Algorithm of RC4" at http://www.rsasecurity.com/rsalabs/node.asp?id=2009.
Despite the inherent weaknesses in WEP, it is still deployed today. If WEP is your only choice, it is better than no encryption at all. However, you should consider WEP to be broken and should replace it if at all possible.7 Some vendors have strengthened WEP by incorporating an authentication protocol such as LEAP into their products.
Extensible Authentication Protocols: PEAP/LEAP/EAP-TLS
One of the major weaknesses of WEP was that it used a pre-shared key. Any time a static pre-shared key is used, it is unlikely it will be changed regularly, if at all. This makes it very vulnerable to attack because exploits can be run on it again and again. Also, there are no usernames to be determined, so just one item needs to be cracked: the key itself. If multiple parties need to gain access to the network, the pre-shared key needs to be disseminated in some form, which leads to issues in keeping the key secured as it is passed around. One means to mitigate these issues is by using a protocol that supports authentication. Using a centralized authentication server (such as RADIUS or TACACS) means that there are multiple usernames and passwords, all of which are centrally managed and can be controlled via a strict password policy forcing complexity and regular password changes.
Protected Extensible Authentication Protocol (PEAP), Lightweight Extensible Authentication Protocol (LEAP), and EAP-TLS are all examples of authentication protocols used with wireless networks. These protocols incorporate the use of authentication servers (for example, RADIUS) instead of using a pre-shared key. They supply not only an additional level of security, but also a centralized means to share credentials across multiple APs and other network devices that can utilize RADIUS technology.
LEAP is a proprietary protocol created by Cisco Systems. It uses Microsoft Challenge Authentication Protocol version 2 (MS-CHAPv2) to authenticate against an authentication server. In its original implementation it used transient WEP keys to protect information flows (though it can also be used with other encryption standards such as WPA). Though these benefits help negate all the exploitable negatives with WEP deployments, there has still been a lot of talk recently about the security of LEAP. At DEFCON in August of 2003, Joshua Wright revealed weaknesses in LEAP to dictionary attacks.8 This is due to limitations that can be found in the MS-CHAP implementation, including the facts that user credentials travel in the clear (immediately giving up half of what an attacker needs) and that its hashes do not use salts.
The LEAP dictionary attack makes an excellent case for the necessity of a strong password policy. This attack only works well when the password guesses can be easily generated via a source such as a predefined password dictionary. If complex passwords are used, this assault will not work, and it is very unlikely that a brute force attack using the same methodology would give timely results.
For more information on the LEAP dictionary attack vulnerability, check out "Weaknesses in LEAP Challenge/Response" (http://home.jwu.edu/jwright/presentations/asleap-defcon.pdf) and "Cisco Response to Dictionary Attacks on Cisco LEAP" (http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_bulletin09186a00801cc901.html).
Another authentication protocol choice is PEAP. It was created by a consortium of vendors, including Microsoft, Cisco, and RSA Security. Though similar to LEAP, using an authentication server and MS-CHAPv2, it adds enhanced security by offering additional authentication options and forcing this authentication to take place in an encrypted Transport Layer Security (TLS) tunnel. TLS is the planned replacement for SSL and offers similar functionality. The additional security provided by the TLS tunnel has the positive effect of removing the concerns previously expressed for LEAP. However, the negative side effect is that a digital certificate is required for the authentication server.
EAP-TLS is the new standard for wireless authentication set forth in the newly adopted IEEE 802.11i security standard. It is similar to the other EAP protocols we mentioned; however, it requires digital certificates on both wireless clients and authentication servers, demanding the implementation of Public Key Infrastructure (PKI) for digital certificate management. This makes EAP-TLS the most secure of the EAP standards in this section and the most costly and complicated to deploy and manage.
Wi-Fi Protected Access (WPA)
Due to all the shortcomings in WEP, a new implementation of encryption protocol for wireless networks had to be developed. The answer: Wi-Fi Protected Access (WPA) Protocol. WPA integrates an improved choice of encryption algorithms with an almost infinite number of dynamically generated keys, with proven EAP authentication protocols and additional integrity checking for a rock-solid replacement for the former WEP standard.
The initial implementation of WPA used the Temporal Key Integrity Protocol (TKIP) encryption algorithm with 128-bit dynamic session keys. The second version of WPA (WPAv2) was enhanced to meet the IEEE 802.11i security standard by using Advanced Encryption Standard (AES) 128-, 192-, and 256-bit keys. The two modes of operation with either version of WPA are Personal (also called WPA-PSK) and Enterprise. Personal uses a pre-shared key (for which an attack has been published; see the sidebar "WPA Pre-shared Key Passive Dictionary Attack," later in this section), whereas Enterprise supports an authentication server (such as RADIUS) and EAP methods such as EAP-TLS and PEAP.
The Wi-Fi Alliance states the following about WPA, with its improved encryption algorithms and security mechanisms: "Cryptographers have reviewed Wi-Fi Protected Access and have verified that it meets its claims to close all known WEP vulnerabilities and provides an effective deterrent against known attacks."9 Both versions of WPA integrate a capability to verify the validity of packets with its Message Integrity Check (MIC). The WPA and WPAv2 standards are making wireless networks an easier security decision for IT managers everywhere.
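The Personal (WPA-PSK) mode mentioned above turns the pre-shared passphrase into the pairwise master key by a fixed mapping defined in IEEE 802.11i: PBKDF2-HMAC-SHA1 over the passphrase, with the SSID as the salt, 4096 iterations, 256-bit output. The Python block below is an added example for this edition (not book or vendor code) that performs that derivation with the standard library and uses it to make two points a defender needs when choosing between Personal and Enterprise mode: the PMK depends only on the passphrase and the SSID, so everyone who knows the passphrase holds the same key, and every offline guess against a captured handshake has to pay the same 4096-iteration cost, so the passphrase's entropy is the only thing standing between the network and the passive dictionary attack in the sidebar. The passphrase "password" with SSID "IEEE" is the published 802.11i test vector; the candidate counts in the usage are constructed figures.

```python
import hashlib
import time

ITERATIONS = 4096   # fixed by the 802.11i passphrase-to-PSK mapping
PMK_LEN = 32        # 256-bit pairwise master key


def wpa_psk_to_pmk(passphrase, ssid):
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 256 bits).

    The SSID is the salt, so the same passphrase yields a different PMK on
    every network and precomputed tables only help against one SSID.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), ITERATIONS, PMK_LEN)


def pmk_hex(passphrase, ssid):
    return wpa_psk_to_pmk(passphrase, ssid).hex()


def estimate_search_seconds(candidate_count, ssid, sample=20):
    """Time this host's own derivation rate, then scale it to candidate_count.

    Whoever tries passphrases offline against a captured handshake pays this
    PBKDF2 cost per guess, so the figure tells a defender how much a given
    passphrase policy buys on comparable hardware.
    """
    start = time.perf_counter()
    for n in range(sample):
        wpa_psk_to_pmk(f"candidate-{n:08d}", ssid)   # constructed throwaway guesses
    per_guess = (time.perf_counter() - start) / sample
    return candidate_count * per_guess


if __name__ == "__main__":
    print("PMK for 'password' on SSID IEEE:", pmk_hex("password", "IEEE"))
    print("same passphrase, SSID 'ieee':   ", pmk_hex("password", "ieee"))
    wordlist = 100_000                # constructed: a modest dictionary
    random8 = 62 ** 8                 # constructed: 8 random alphanumerics
    print(f"100k-word list on this host: {estimate_search_seconds(wordlist, 'IEEE'):.0f} s")
    print(f"62^8 random passphrases:     {estimate_search_seconds(random8, 'IEEE') / 86400:.0f} days")
```

The second print line shows the SSID acting as a salt: changing only the case of the SSID produces an unrelated PMK. The timing lines make the policy argument concrete. A short dictionary is exhausted in minutes on one ordinary host, whereas a random eight-character passphrase already costs years at the same rate, and a longer random passphrase is out of reach entirely. None of this applies to Enterprise mode, where each client receives its own session keys from the authentication server and no single shared secret is ever typed into every device.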
Remember these points when implementing encryption on your wireless network:
Keep these points in mind when determining which technology is the best security fit for your environment and when deploying the technology, to maximize your environment's protection.
Hardening Access Points
Just as the border router is the entranceway to your wired network from the Internet, the AP is the entranceway between your wireless and wired networks. In turn, it must be locked down as much as possible to prevent it from being infiltrated. Several major issues must be considered when hardening your AP. Shutting down SSID broadcasts, locking down MAC addresses, disabling unused services, and using strong passwords are all important aspects of securing the access point.
Disabling SSID Broadcasts
One of the things that makes wireless networks great is how easy it is to connect to them. Of course, this is also one of the things that makes securing wireless networks very difficult. By default, most access points are configured to broadcast the Service Set Identifier (SSID), a configurable label on the AP that identifies itself to the wireless client and lets the client know it is an access point.
The wireless networking client in Windows XP will pop up a list of available networks when a wireless host is first connecting to a network. These networks are discovered by the SSID broadcasts sent by their access points. In the early days of wireless, many uninformed network practitioners thought that changing the SSID to something other than the manufacturer's default was a "hardening technique." However, client scanning shows all SSID broadcasts in the area. The only benefit that changing the SSID provides is the prevention of the instant identification of the AP vendor.
Despite the ease of administration broadcasting SSIDs offers, a good way to improve security is to disable SSID broadcasts on all wireless access points. This will help prevent outsiders from easily discovering your access points. On the downside, this means that all wireless clients will need to be manually configured with the SSID of the network they are a part of.
It is important to keep in mind that locking down SSID broadcasts, though a good security step, does not guarantee a secure access point. Attackers with wireless sniffers can still examine communication flows between clients and APs and determine SSID information, even with broadcasts disabled. However, it does prevent your wireless clients from accidentally logging in to the wrong AP, and it prevents outsiders and attackers from accidentally logging on to yours.
However, the use of strong authentication and encryption methods goes a long way to help mitigate the issues caused by SSID broadcasts. It does not matter that an attacker knows your wireless network is there if there are no exploits to run against it and your authentication methods are solid.
MAC Address Lockdown
Another technique that has helped many a network administrator sleep easier at night is the ability to lock down MAC addresses on wireless access points. Some access points include the capability to configure a list of MAC addresses for wireless clients that are allowed to communicate with the AP. At first glance this seems like an almost foolproof way to prevent outsiders from gaining access to your wireless network. However, this unfortunately is not entirely true. Again, this is a good step toward a strong security posture, but with the right equipment this defense can easily be bypassed. All an attacker needs to do is use a wireless sniffer to watch communication flows between a client and AP. Once the attacker records the MAC address of an allowed client, he can easily spoof the MAC address in question and begin communicating with the locked-down AP. He may need to run a DoS (or the like) against the original owner of the MAC address to keep it from interrupting his communications, or he may need to wait for that client to disconnect from the network.
Having to lock down the MAC addresses for all the wireless nodes in a large network is an administrative nightmare. However, in environments where security needs to be maximized, locking down the MAC addresses of nodes adds an additional layer of complexity that an attacker needs to bypass. The more steps an attacker needs to take to compromise your security, the more likely he is to give up.
Miscellaneous AP Hardening
Many additional steps can be taken to help lock down your wireless access point against attacks. First and foremost, always change the default password on the AP before putting it into production. Be sure to follow best practices for a complex password. Also, try to lock down AP management mechanisms as much as possible. Try to disable web management via wireless devices and lock down wired management as much as your AP will allow. If an out-of-band management method is available for your AP, it is highly recommended that you take advantage of it.
Many APs have the ability to bridge themselves to other APs. It is a good idea in a single AP environment to disable this capability. In a multi-AP environment, lock down your APs' intercommunication by MAC address. This can be overcome, as mentioned in the section on MAC address lockdown, but it's still worthy of completion.
As previously alluded to, make sure that up-to-date firmware is installed on a newly purchased AP. Also, track firmware updates that repair security vulnerabilities. Newer firmware versions will support additional security features, more robust and cutting-edge encryption algorithms, and new industry security standards.
Proper password practices, secured management, and up-to-date firmware are all important parts of locking down your access point. Hardening your AP is a key in securing your wireless network.
Defense in Depth for Wireless Networks
Some of the most effective approaches to securing a wireless network don't have anything to do with wireless technologies at all. Many defense-in-depth techniques used in the wired world can be applied with great success with wireless networks. In the following sections we will discuss some important technologies that can take your wireless network's security to the next level.
When it was originally discovered that WEP was broken, many security analysts suggested implementing VPN technologies or host-to-host IPSec on wireless clients. This added an additional layer of confidentiality and authentication between wireless hosts and destination resources. All traffic is encrypted from the client to the destination (including across the wired network) without fear of WEP being cracked. Configuring transport mode IPSec is easily done for all traffic between hosts or just for certain protocols. Also, this requires an additional level of authentication for the client and server to communicate. For more information on IPSec or configuring it for transport mode operation, check out Chapter 7, "Virtual Private Networks."
Many of the host-based defenses in Chapter 10, "Host Defense Components," are very beneficial for the wandering wireless client. Wireless networking technologies expose our clients at Layer 2 and below to assaults from anyone within range. Using host IDS and a firewall on a wireless client are excellent steps to prevent airborne attacks. Both will help you be aware of and defend against an attempted attack, whether you are connected to your office wireless network or on the road. Also, both act as additional "sensors" for your wireless network's security. Hosts may pick up wireless DoS or other attacks before they get to your wired network defenses. Strong host defenses are an important part of keeping your wireless environment secure.