In the first of part of this series on WLAN testing and troubleshooting, we explore WLAN testing strategies, including using wireless intrusion prevention systems for
fulltime surveillance, as well as other centralized WLAN testing tools. In the second part of this series, we explore WLAN troubleshooting strategies, and in the third part, we examine WLAN performance optimization.
Given the speed and reliability that comes along with 802.11n technology, many companies are launching broader wireless LAN deployments to support new mobility services. But this transition requires more complex and dependable WLAN testing to verify security, connectivity and performance.
Businesses can no longer afford to use labor-intensive tools to query signal strength, server accessibility and Wi-Fi vulnerabilities. Testing hundreds of access points (APs) and thousands of clients, geographically distributed throughout an enterprise network, requires far more efficient automated tools and methods.
In many early Wi-Fi deployments, security meant walking around a building or campus, listening for unfamiliar beacons which indicated the presence of unauthorized rogue APs. Not only was this woefully inefficient, but periodic "stumbling" missed many APs and overlooked other worrisome threats, such as configuration errors and misbehaving clients.
APs with wireless intrusion prevention systems for full-time surveillance
As Wi-Fi grew more popular, many APs were updated to listen for on-channel or off-channel rogues. Dedicated Wireless Intrusion Prevention Systems (WIPS) also emerged to watch the air fulltime for attacks or policy violations and to respond, for example, by temporarily blocking and locating a suspected rogue.
These two approaches, however, have started to merge. Many enterprise APs can now be turned into full-time WIPS sensors when needed, and several AP vendors also offer dedicated WIPS appliances. Increasingly, the debate is no longer how often to scan – 24/7 is the only way to go for businesses that depend on wireless. Instead, streamlining security tasks and meeting compliance mandates have taken center stage.
Centralized WLAN assessment tools ensure compliance
To comply with regulations like PCI DSS or Federal Information Security Management Act (FISMA), organizations must demonstrate the effectiveness of security controls and document suspected breaches. Today, every commercial WIPS and some WLAN managers can generate canned compliance reports for popular industry regulations, but that still leaves the need for assessing these security controls and policies on an ongoing basis.
Many companies hire third-party auditors for on-site to perform assessments; for example, to verify PCI DSS compliance at a sample of a merchant's stores. However, long before that audit, it is a good idea to conduct tests to spot holes and fix them before they can be exploited. Ideally, these self-assessments should occur regularly without consuming a lot of staff time or requiring costly site visits.
This is where centralized assessment tools can help. For example, AirTight Networks offers quarterly PCI scanning and remediation services using a cloud-based WIPS to communicate with on-premise sensors. Those sensors listen to nearby traffic and probe for wireless threats to Cardholder Data Environments (CDEs), producing monthly scan reports (at minimum) as required by PCI DSS 1.2 regulations.
For companies that already host their own WIPS, a plug-in like the wireless vulnerability assessment module, offered by Motorola AirDefense, can turn deployed sensors into remote test engines that can periodically connect to APs, probe for exposed ports and URLs, and generate scan reports to document results.
Automated remote security scans, whether performed by your own WIPS or delivered by a cloud service, can provide low-cost routine self-assessment. However, they are not a substitute for occasional on-site pen-tests conducted by humans.
Non-automated WLAN testing, penetration testing
Looking for blind spots, mistakes and new attacks that could overwhelm clients, APs and WLAN managers is an essential part of WLAN testing. However, this kind of wireless testing has not yet become fully-automated.
For example, MDK3 is a command-line utility that can be used to guess hidden SSIDs and MAC ACLs, look for clients vulnerable to authentication downgrade and send 802.11 Beacon, Deauth and TKIP MIC DoS attacks. Auditors can use MDK3 to easily initiate these penetration tests from various locations, inside and outside an office. However, tools like MDK3 should never be run against a production WLAN during work hours since productive use requires human guidance and result interpretation.
Centralized pen-test tools can often be used to root out upper-layer and system vulnerabilities that contribute to WLAN security. For example, Metasploit scripts can try many different application exploits over wired and wireless LANs. To conduct more efficient Metasploit tests throughout a large network, consider Rapid7's Metasploit Pro, which can orchestrate multi-level remote pen-tests from a central console.
In part 2 of this series on WLAN testing, learn about remote or centralized WLAN troubleshooting.
This was first published in December 2010