Something old: 802.11a/b/g standards
Like yesterday's 802.11a/b/g standards, the
The good news: All 802.11n WLANs built from scratch can forget about WEP crackers and WPA (TKIP MIC) attacks, because every 802.11n device can encrypt data with AES. The catch: WLANs that must support both old 802.11a/b/g clients and new 802.11n clients may be forced to permit TKIP. Doing so makes it possible for older non-AES clients to connect securely. Unfortunately, 802.11n prohibits high-throughput data rates when using TKIP.
It is therefore best to split old 802.11a/b/g clients and new 802.11n clients into separate SSIDs: a high-throughput WLAN requiring AES (WPA2) and a legacy WLAN that allows TKIP or AES (WPA+WPA2). This can be done by defining two SSIDs on a virtual AP or by dedicating different radios on dual-radio APs. This is only a stop-gap measure, however. As soon as you can retire or replace those legacy devices, do away with TKIP to improve both speed and security.
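As an added illustration (not the article's own code), the check below parses beacon information elements and classifies each BSS the way the split-SSID advice above implies: an 802.11n BSS that still permits TKIP is flagged, since TKIP both weakens the cipher and blocks high-throughput rates. The element IDs and cipher-suite selectors are the standard 802.11 values; the three beacons and their SSID names are constructed samples.

```python
# Added example, not the article's code: classify each BSS from its beacon IEs.
ELEM_SSID, ELEM_HT_CAP, ELEM_RSN, ELEM_VENDOR = 0, 45, 48, 221
RSN_OUI, WPA_OUI = b"\x00\x0f\xac", b"\x00\x50\xf2"  # cipher-suite OUIs
SUITES = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}

def parse_ies(body):
    """Yield (element_id, payload) from an 802.11 IE TLV stream."""
    off = 0
    while off + 2 <= len(body):
        eid, ln = body[off], body[off + 1]
        yield eid, body[off + 2:off + 2 + ln]
        off += 2 + ln

def pairwise_ciphers(ie, oui):
    # RSN/WPA layout: version(2) group(4) count(2) pairwise(4 each) akm...
    count = int.from_bytes(ie[6:8], "little")
    suites = (ie[8 + 4 * i:12 + 4 * i] for i in range(count))
    return {SUITES.get(s[3], "vendor") for s in suites if s[:3] == oui}

def classify_bss(body):
    """Return (ssid, ht_capable, ciphers, verdict) for one beacon body."""
    ssid, ht, ciphers = "", False, set()
    for eid, ie in parse_ies(body):
        if eid == ELEM_SSID:
            ssid = ie.decode("ascii", "replace")
        elif eid == ELEM_HT_CAP:
            ht = True
        elif eid == ELEM_RSN:
            ciphers |= pairwise_ciphers(ie, RSN_OUI)
        elif eid == ELEM_VENDOR and ie[:4] == WPA_OUI + b"\x01":  # WPA IE
            ciphers |= pairwise_ciphers(ie[4:], WPA_OUI)
    verdict = ("misconfigured: TKIP on an 802.11n BSS" if ht and "TKIP" in ciphers
               else "high-throughput BSS, AES only" if ht else "legacy BSS")
    return ssid, ht, ciphers, verdict

# Constructed sample beacons (hand-built, not captured frames).
def ie(eid, payload):
    return bytes([eid, len(payload)]) + payload

def sec_ie(oui, pairwise, group):  # RSN/WPA body with one 802.1X AKM
    head = b"\x01\x00" + oui + bytes([group]) + len(pairwise).to_bytes(2, "little")
    return head + b"".join(oui + bytes([t]) for t in pairwise) + b"\x01\x00" + oui + b"\x01"

HT_CAP = ie(ELEM_HT_CAP, bytes(26))  # zeroed HT Capabilities element
BEACONS = [
    ie(ELEM_SSID, b"corp-ht") + HT_CAP + ie(ELEM_RSN, sec_ie(RSN_OUI, [4], 4)),
    ie(ELEM_SSID, b"corp-legacy") + ie(ELEM_RSN, sec_ie(RSN_OUI, [2, 4], 2))
    + ie(ELEM_VENDOR, WPA_OUI + b"\x01" + sec_ie(WPA_OUI, [2], 2)),
    ie(ELEM_SSID, b"corp-bad") + HT_CAP + ie(ELEM_RSN, sec_ie(RSN_OUI, [2, 4], 2)),
]
```

Running classify_bss over BEACONS yields one clean HT/AES BSS, one legacy mixed-mode BSS, and one flagged BSS that advertises HT capabilities while still permitting TKIP.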
Something borrowed: WPA2's strengths
802.11n inherits WPA2's strengths -- and weaknesses. 802.11a/b/g and 802.11n devices can use AES to prevent wireless data frame eavesdropping, forgery and replay. 802.11a/b/g and 802.11n APs can use 802.1X to connect authenticated users while denying access to strangers. However, 802.11n still cannot stop intruders from sending forged management frames -- an attack method used to disconnect legitimate users or masquerade as "evil twin" APs.
As a result, new 802.11n networks must remain vigilant to wireless-borne attacks. Very small WLANs can still use periodic scans to detect rogue APs, while business WLANs should use full-time wireless intrusion prevention systems (WIPS) to stop rogues, accidental associations, unauthorized ad hocs, and other Wi-Fi attacks.
Existing WLANs that employ one or both of these security practices cannot rest on their laurels, however. 802.11n devices reach twice as far as their 11a/b/g counterparts. Rogue, neighbor, or metro-area APs that were too distant before could now become a threat. Not only will intruders be able to connect to your WLAN more easily, but legitimate users will be more likely to connect accidentally to outsiders. Given a choice between your old 11ag AP and a faster 802.11n rogue, promiscuous "connect to any available network" clients will go for the rogue every time.
In short, 802.11n's expanded reach increases the frequency of conventional wireless security incidents and exposes weak configurations that relied on poor performance for protection. Worse, existing 11a/b/g-based WIPS sensors could miss many incidents entirely. Every 802.11n rollout should include a WIPS upgrade to monitor the new WLAN's bigger footprint, analyzing 11a/b/g and n traffic on 20 MHz and 40 MHz channels in both bands.
Something new: 802.11n brings new security threats, complexity
Every new technology introduces a few undiscovered threats; an innovation as significant as 802.11n is likely to be no exception.
802.11n devices are new products that may contain a few undiscovered bugs. For example, early versions of the Netgear WN802T AP did not correctly parse zero-length (null) SSIDs (WVE-2008-0010). Atheros drivers used in new 802.11n APs (like the Linksys WRT350N) did not correctly handle certain management frame information elements (WVE-2008-0008). Such vulnerabilities are not unusual; WLAN administrators simply need to keep up with security advisories and firmware/driver upgrades.
802.11n options are also considerably more complex, increasing the likelihood of misconfiguration. For example, there are dozens of possible high-throughput data rates, each associated with a combination of capabilities and parameters that must match on both ends. In most cases, misconfiguration causes suboptimal performance -- this might not seem like a security issue, but it can affect availability. In extreme cases, a misconfigured 802.11n AP could result in denial of service to neighboring WLANs. Education and in-situ analysis are needed to find and fix these problems.
Finally, 802.11n introduces a few new MAC frames, one of which has been found to be exploitable. Specifically, 802.11n provides more efficient support for streaming applications by confirming receipt of several data frames using one block acknowledgment. A denial-of-service (DoS) attack can be launched against 802.11n WLANs by sending forged block acknowledgments to the receiver (WVE-2008-0006). An 802.11n-capable WIPS may detect this attack, but the only way to avoid it is to stop using the Add Block-ACK (ADDBA) feature.
Raising the stakes
Fortunately, all of today's wireless network security best practices still apply to 802.11n. It's important to realize, however, that 802.11n may also raise business risk simply by supporting more users and applications across larger areas. In short, the same old attacks may now be far more disruptive to your business.
Ultimately, 802.11n networks can be made just as secure as -- if not more secure than -- yesterday's 11a/b/g networks. All it takes is awareness and follow-through. In this tip, we've explored the ways in which 802.11n can affect WLAN security. Now it's your turn to provide that follow-through.
About the author:
Lisa Phifer is President and co-owner of Core Competence, a consulting firm focused on business use of emerging network and security technologies. At Core Competence, Lisa draws upon her 27 years of network design, implementation, and testing experience to provide a range of services, from vulnerability assessment and product evaluation to user education and white paper development. She has advised companies large and small regarding use of network technologies and security best practices to manage risk and meet business needs. Lisa teaches and writes extensively about a wide range of technologies, from wireless/mobile security and intrusion prevention to virtual private networking and network access control. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.
This was first published in March 2009