A past article entitled Wireless LAN Management
discusses how Wireless LAN (WLAN) technology deployments have increased and how security-related federal regulations (such as HIPAA, Sarbanes-Oxley and Gramm-Leach-Bliley)
have driven organizations towards management of the WLAN. What wasn't covered was what should be managed from a WLAN perspective to ensure that an organization stays in compliance with federal regulations.
This article will outline some of the basic measures for managing a WLAN. I tend to put everything within the context of the federal regulations, so bear with me on that front.
The federal regulations insist that each organization provide mechanisms for controlling access to the network, identifying who can access it, and ensuring that the data traversing it is secured.
Many organizations read this as security for a snapshot in time, but there needs to be ongoing management of the WLAN environment to ensure that it can withstand and prevent intrusion as well as detect intrusion attempts. My last article discussed why this is needed, but did not really explain what is needed. There are multiple facets of monitoring a WLAN environment. However, if you move forward with processes that account for the security vulnerabilities and threats listed in the table below you will be in good shape regarding WLAN management that can pass a compliance audit.
| Source | Security risk & vulnerability |
|---|---|
| Insecure access points | The default configuration of access points is insecure. Access points are preconfigured with a default password, which is readily available in the public domain. By default, access points are configured to broadcast service set identifiers (SSIDs) and do not require any encryption or authentication. When deployed with default configuration, access points may facilitate unauthorized access to both the wireless and the wired corporate network. Intruders configure their devices to function as an access point and mislead users into connecting to it, thereby compromising the users' machines and gaining unauthorized access to critical business information as well as the machine's MAC address, SSID and other passwords. |
| War driving | Using specialized software, a global positioning system (GPS) unit, and a notebook computer with wireless capabilities, "war-drivers" move through a city while scanning the airwaves for "leaking" wireless network transmissions. War drivers scan for the SSIDs of access points and configure their devices to resemble a legitimate user of the network, thereby gaining unauthorized access. The special war-driving software maintains information regarding the latitude, longitude, and configuration of the access points detected along the driver's route. |
| Denial-of-service (DoS) attacks | Denial-of-service (DoS) attacks prevent users from accessing network resources. DoS attacks occur at various layers of the OSI stack. A DoS attack at the physical layer occurs when the 2.4 GHz radio frequency spectrum is flooded with noise and illegitimate traffic using any radio transmitting device. Wireless equipment based on the 802.11 standard operates at a certain signal-to-noise ratio, and when the ratio drops below that threshold, the equipment is unable to communicate, thereby denying access to all users. Wireless clients are typically configured to connect with the access point transmitting the strongest signal. A DoS attack at the Data Link layer occurs when an attacker spoofs the SSID of an access point and transmits with increased signal strength. Clients automatically associate with the spoofed access point and are denied access to legitimate resources. Additionally, the attacker can examine the captured traffic to decipher the Wired Equivalency Protocol (WEP) key used to authenticate and encrypt traffic. At the network layer, a DoS attack occurs when an attacker floods a wireless network with large ping requests or other unauthorized traffic. A DoS attack may also occur if an attacker exploits the Extensible Authentication Protocol (EAP) to flood the authentication server with fake requests, thereby preventing valid users from authenticating to the wireless network. In addition, this attack may affect the enterprise-wide wired network. |
| Man-in-the-middle attacks | A "man-in-the-middle" (or bucket brigade) attack breaks the network connection between authorized users and access points, resulting in eavesdropping and possible data manipulation. An attacker sends a de-authorization command to a user machine, forcing it to drop its association with its AP and search for a new AP. The user machine detects the attacker's malicious machine, configured to resemble an AP, and associates with it. Exploiting the information obtained from the captured user machine, the attacker associates its malicious machine with the legitimate network AP. As a result, all legitimate wireless network traffic is routed through the attacker's machine, enabling the attacker to access and manipulate all business-related information. |
| MAC address spoofing | Companies often rely on media access control (MAC) addresses to establish the identity of authorized users over the corporate network. Attackers may change their machine's MAC address to impersonate a legitimate network user and gain unauthorized access to critical business information. Attackers employ various methods to obtain authorized MAC addresses from the network, such as a brute force attack that deploys software to generate strings of random numbers until a valid MAC address is recognized. |
| Weak security protocol | Security risks arise due to publicly known flaws in the WEP security protocol. WEP deploys static shared secret keys. An attacker eavesdropping on network traffic over an extended period can determine the key, rendering security measures ineffective. Additionally, WEP offers weak encryption functionality. WEP deploys a short value range for its initialization vector (IV). As a result, the IV value is repeated over time. In a large network with heavy traffic, the IV duplication would occur sooner. An attacker capturing data frames over time may be able to decipher the encryption key. |
| Rogue access points | Individual departments or end users may deploy personal access points to enhance wireless connectivity or to enable intra-departmental connectivity. These "rogue" access points, often not adequately configured to prevent unauthorized access and intrusion, may compromise the enterprise-wide business network. |
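The table describes what ongoing WLAN monitoring has to catch; the script below, an added example that is not part of the original article or any product it mentions, shows the shape of one such check. It compares the access points seen in a wireless scan against an authorized inventory and flags rogue APs, unknown radios advertising a corporate SSID, WEP/open security and default SSIDs, and it counts deauthentication frames per source to surface the flood that precedes the Data Link DoS and man-in-the-middle attacks above. The inventory, scan results, default-SSID list, frame log and the 50-frames-per-10-seconds threshold are all constructed for the example.

```python
"""Added example: audit a WLAN scan against an authorized-AP inventory and
look for deauthentication floods. All inventory, scan and frame data below is
constructed for illustration; the thresholds are placeholders to tune."""
from collections import Counter
from dataclasses import dataclass

# Constructed authorized-AP inventory: BSSID -> (expected SSID, expected security).
AUTHORIZED_APS = {
    "00:11:22:aa:bb:01": ("corp-wlan", "WPA2-Enterprise"),
    "00:11:22:aa:bb:02": ("corp-wlan", "WPA2-Enterprise"),
    "00:11:22:aa:bb:03": ("corp-guest", "WPA2-PSK"),
}
# Illustrative vendor-default SSIDs (a real audit would use a fuller list).
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "wireless"}
# Security modes the table calls weak: no encryption, or WEP.
WEAK_SECURITY = {"OPEN", "WEP"}


@dataclass(frozen=True)
class ScannedAP:
    bssid: str
    ssid: str
    security: str
    signal_dbm: int


def audit_scan(scan, inventory=AUTHORIZED_APS):
    """Return (bssid, finding) tuples for every scanned AP that needs attention."""
    findings = []
    corporate_ssids = {ssid for ssid, _ in inventory.values()}
    for ap in scan:
        bssid = ap.bssid.lower()
        if bssid in inventory:
            expected_ssid, expected_sec = inventory[bssid]
            if ap.ssid != expected_ssid:
                findings.append((bssid, "authorized AP broadcasting unexpected SSID"))
            if ap.security != expected_sec:
                findings.append((bssid, f"authorized AP security drifted to {ap.security}"))
        elif ap.ssid in corporate_ssids:
            # Unknown radio advertising a corporate SSID: the spoofed-AP case in the table.
            findings.append((bssid, "unknown BSSID advertising corporate SSID"))
        else:
            findings.append((bssid, "rogue access point (not in inventory)"))
        if ap.security.upper() in WEAK_SECURITY:
            findings.append((bssid, f"weak security protocol: {ap.security}"))
        if ap.ssid.lower() in DEFAULT_SSIDS:
            findings.append((bssid, "default SSID suggests default configuration"))
    return findings


def deauth_flood_sources(frame_log, threshold=50, window_s=10):
    """Return the source MACs that sent more than `threshold` deauthentication
    frames inside any fixed `window_s`-second bucket of the frame log.
    Each log entry is (timestamp_seconds, source_mac, frame_type)."""
    per_window = Counter()
    for ts, src, ftype in frame_log:
        if ftype == "deauth":
            per_window[(src.lower(), int(ts // window_s))] += 1
    return {src for (src, _), n in per_window.items() if n > threshold}


# Constructed scan: two healthy APs, one drifted to WEP, one spoofed corporate
# SSID on an unknown radio, and a personal AP left on vendor defaults.
SCAN = [
    ScannedAP("00:11:22:AA:BB:01", "corp-wlan", "WPA2-Enterprise", -48),
    ScannedAP("00:11:22:aa:bb:02", "corp-wlan", "WPA2-Enterprise", -60),
    ScannedAP("00:11:22:aa:bb:03", "corp-guest", "WEP", -55),
    ScannedAP("de:ad:be:ef:00:01", "corp-wlan", "OPEN", -40),
    ScannedAP("66:77:88:99:aa:bb", "linksys", "OPEN", -70),
]
# Constructed frame log: 80 deauth frames from one source in under 8 seconds,
# plus ordinary traffic from an authorized AP.
FRAMES = [(0.1 * i, "de:ad:be:ef:00:01", "deauth") for i in range(80)] + [
    (1.0, "00:11:22:aa:bb:01", "beacon"),
    (2.5, "00:11:22:aa:bb:01", "deauth"),
]

if __name__ == "__main__":
    for bssid, finding in audit_scan(SCAN):
        print(f"{bssid}: {finding}")
    print("deauth flood sources:", sorted(deauth_flood_sources(FRAMES)))
```

The audit is keyed on BSSID rather than SSID because the table's spoofing and man-in-the-middle rows both rest on an attacker copying a legitimate SSID; an inventory of radios, refreshed whenever an AP is added or replaced, is what turns a scan into evidence an auditor can accept. In practice the scan and frame log would come from a wireless IDS sensor or controller export rather than from constants.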
These are the basics. Your WLAN management solution may be able to provide site survey assistance or virtual modeling of an environment for site survey purposes. You can also include the ability to configure your APs in the management platform or audit and inventory the environment. These are "nice-to-haves." The basics I outlined above are the must-have basics as they define your ability to adhere to any compliance audits.
Robbie Harrell (CCIE#3873) is the National Practice Lead for Advanced Infrastructure Solutions for SBC Communications. He has over ten years of experience providing strategic, business and technical consulting services. Robbie resides in Atlanta, and is a graduate of Clemson University. His background includes positions as a Principal Architect at International Network Services, Lucent, Frontway and Callisma.
This was first published in February 2006