
Wireless security -- Defending Wi-Fi clients


When it comes to wireless security, considerable attention has been paid to encrypting data, authenticating users, restricting access, and detecting rogue access points (APs). As these network and link defenses improve, however, attackers have started to target lower-hanging fruit: specifically, all of those Wi-Fi-capable laptops, PDAs and handsets that use little or no security. In this tip, we examine how host-resident wireless IPS agents can help you safeguard these Wi-Fi client devices to ensure strong wireless security.

Breaking the weakest link

Many network users accidentally or intentionally engage in high-risk behavior that threatens wireless security. The promiscuous nature of Wi-Fi exacerbates this by automatically probing for nearby devices and connecting to them silently, without user interaction. As a result, many Wi-Fi users routinely expose both their systems and data to unknown, untrustworthy and potentially malicious outsiders.

According to Network Chemistry's Wireless Threat Index, a quarterly analysis of real-life Wi-Fi activity, the vast majority of clients (87%) have associated to unknown APs. This can occur by accident, when over-friendly Windows XP automatically connects to "any available network." It can also occur intentionally, when users associate with neighboring business or metro-area APs to bypass corporate policies that block non-business applications like P2P file sharing or Gmail.

Another 63% of clients engage in ad hoc associations -- direct connections to Wi-Fi peers. For example, some users associate with one another to share Internet access, inadvertently exposing their network folders and files as well. Worse, most users do not realize that ad hoc connections can also be formed to any network entry previously used to connect to an AP. When one researcher used common SSIDs like "linksys" to lure fellow airplane passengers into connecting to his ad hoc station, he was able to attack about 20% of those clients through common Windows service ports -- all because those users forgot to disable their unsecured wireless adapters.

Many Wi-Fi clients also put themselves at risk by violating corporate policies and making mistakes. The Wireless Threat Index reports that one in four users accesses WLANs without a personal firewall, one in three has done so without antivirus, and two out of three clients that are required to use a VPN over wireless have deviated from that policy. Countless other users have associated to phony APs that spoof the name of a real hot spot (e.g., "Wayport_Access"). Once a client is lured into connecting to a phony AP (a.k.a. "Evil Twin"), conventional man-in-the-middle attack tools can be run to solicit credit card numbers, logins and passwords and, in some cases, even to intercept SSL or SSH data.

Regaining IT control over wireless security

These "stupid human tricks" demonstrate what most administrators already know: Relying on users to safeguard themselves is a recipe for failure. At a minimum, small businesses should define step-by-step instructions for manual setup of secure Wi-Fi connections. Larger businesses can use install packages, domain login scripts or Active Directory Group Policy objects to push IT-generated Wi-Fi configurations. Either way, Wi-Fi connections should be set to require the appropriate security measures when connecting to trusted SSIDs and discourage connections to other APs or ad hoc peers. For example, you might want to require that connections to the corporate SSID use WPA2-Enterprise with server certificate verification, while permitting open mode connections to the worker's home WLAN in conjunction with an active firewall and VPN client.

This is a good start, but not enough. Most users underestimate risks and disable countermeasures they find inconvenient. Even users who make a good-faith effort to stay secure still make mistakes. Compliance with internal policies or external regulations cannot be ensured without central audit and control capabilities. Inside your office, this can be accomplished by deploying a wireless intrusion prevention system (WIPS). A WIPS uses APs or sensors placed throughout your WLAN to monitor the airwaves. Observations are reported to a central WIPS server that analyzes Wi-Fi traffic, looking for possible attacks, problems and policy violations. Whenever a potential threat is detected -- a worker connects to a neighbor's AP, for example -- the WIPS can take steps to automatically break that connection.

Extending this control beyond the office requires a different solution -- a WIPS program that runs on the Wi-Fi client itself. A host WIPS such as Network Chemistry RFprotect Endpoint, AirTight SpectraGuard SAFE, AirMagnet StreetWISE, or AirDefense Personal can keep a watchful eye on the Wi-Fi client at home, at a public hot spot, in an airport, or even on an airplane.

Keeping an eye on the client

Host WIPS products vary, but all are designed to monitor that host's own wireless activity and compare it with a defined policy. For example, AirMagnet StreetWISE policies define which wireless connection types are permitted: Wi-Fi only, Wi-Fi and Ethernet together, ad hoc Wi-Fi, Bluetooth, and/or infrared. For Wi-Fi connections, the program establishes minimum security levels (WEP-64, WEP-128, WPA) and trusted SSIDs to be displayed by Wi-Fi connection tools.

If an attempted connection would violate these policies, an error message is displayed to warn the user. These basic steps can raise user awareness and discourage users from configuring or accepting new connections that pose risks.

In addition to comparing connections with preferred, known hot spots and black-listed SSIDs, AirDefense Personal watches for attacks aimed at the client. For example, it can spot redirection from one AP to another, major change in signal strength, AP spoofing, and soft APs -- all signs of possible man-in-the-middle attack. When incidents that exceed a defined severity level occur, the program can display an alert, log an alert, and/or disable the at-risk connection.
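The checks described above can be sketched as rules run over a client's own association history. This is an added example, not code from AirDefense Personal or any other product; the rule names, severity levels, 25 dB threshold, SSID and MAC addresses are all assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass

# Assumed policy values for this sketch (not taken from any product).
TRUSTED_APS = {"CorpNet": {"00:11:22:33:44:55", "00:11:22:33:44:66"}}
RSSI_JUMP_DB = 25                                 # "major change" threshold, in dB
ACTIONS = {1: "log", 2: "alert", 3: "disable"}    # response per severity level

@dataclass
class Sample:
    t: int       # seconds since monitoring started
    ssid: str
    bssid: str   # MAC address of the AP the client is associated with
    rssi: int    # received signal strength, dBm

def detect(samples):
    """Return (time, severity, rule, action) tuples for one client's history."""
    alerts, prev = [], None
    for s in samples:
        found = []
        known = TRUSTED_APS.get(s.ssid)
        # Trusted SSID announced by an AP MAC that is not on the allowlist.
        if known is not None and s.bssid not in known:
            found.append((3, "ap_spoofing"))
        # Same SSID, different AP than the previous sample: redirection or roam.
        if prev and prev.ssid == s.ssid and prev.bssid != s.bssid:
            found.append((1, "ap_redirection"))
        # A BSSID can be cloned, so a large jump on the same BSSID is suspicious.
        if prev and prev.bssid == s.bssid and abs(s.rssi - prev.rssi) >= RSSI_JUMP_DB:
            found.append((2, "rssi_jump"))
        alerts += [(s.t, sev, rule, ACTIONS[sev]) for sev, rule in found]
        prev = s
    return alerts

# Constructed association history for one client.
SAMPLES = [
    Sample(0, "CorpNet", "00:11:22:33:44:55", -62),
    Sample(10, "CorpNet", "00:11:22:33:44:55", -60),
    Sample(20, "CorpNet", "00:11:22:33:44:66", -58),   # roam to another listed AP
    Sample(30, "CorpNet", "00:11:22:33:44:66", -30),   # sudden 28 dB increase
    Sample(40, "CorpNet", "02:de:ad:be:ef:01", -28),   # unlisted AP MAC
]

if __name__ == "__main__":
    for alert in detect(SAMPLES):
        print(alert)
```

A roam between two listed APs is only logged here, while the unlisted AP MAC at t=40 reaches the severity that disables the connection.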

Several Host WIPS programs can deliver event logs that detail client activities and security alerts to a central server. For example, Network Chemistry RFprotect Endpoint provides the administrator with a dashboard that summarizes WIPS agent status, the kinds of wireless connections that have been used, and attempted policy violations (e.g., connections attempted without VPN protection).

This insight can be used for vulnerability assessment and trend analysis, helping administrators see how offsite workers are actually using Wi-Fi and creating a foundation for deciding whether changes should be made to Wi-Fi settings or WIPS policies.

In fact, one of the biggest challenges that most users face is deciding when and how to change Wi-Fi settings. When a worker takes his new laptop home, he will of course want to connect to his home network. As a traveler roams from hotel to Starbucks to airport, she may want to connect to several new networks. Ideally, these policies would be defined and locked down, eliminating the user from the process, but there are many cases where it is impractical to identify all permitted SSIDs in advance.

AirTight SpectraGuard SAFE, for example, offers another option: It helps users make more informed decisions. SAFE employs three profiles that identify minimum security settings, trusted SSIDs and AP MAC addresses appropriate for use at work, at home and elsewhere. A user might never change his administrator-defined "work" profile but still be allowed to create his own "home" profile by following instructions displayed upon first connection to his wireless router.

This approach lets a company decide whether to block connections to unknown APs or allow the user to choose the best course of action, based on the Wi-Fi client's current environment, workforce needs and risk tolerance.
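A profile-based admission check of the kind described in this section, including the earlier rule that open home connections need an active firewall and VPN, might look like the following. This is an added example, not SpectraGuard SAFE's or StreetWISE's logic; the class names, the numeric ranking of security levels, the "CorpNet" and "HomeWLAN" SSIDs and the MAC addresses are assumptions.

```python
from dataclasses import dataclass, field

# Link security, weakest first. The level names appear in the article; the
# numeric ranking is an assumption of this sketch.
RANK = {"open": 0, "WEP-64": 1, "WEP-128": 2, "WPA": 3, "WPA2-Enterprise": 4}

@dataclass
class Profile:
    min_security: str
    trusted: dict = field(default_factory=dict)  # SSID -> set of allowed AP MACs
    unknown_ap: str = "block"                    # company choice: "block" or "ask_user"

@dataclass
class Attempt:
    ssid: str
    bssid: str
    security: str
    ad_hoc: bool = False
    vpn_up: bool = False
    firewall_on: bool = False

def evaluate(profile, attempt):
    """Return (decision, reason) for one connection attempt under one profile."""
    if attempt.ad_hoc:
        return ("block", "ad hoc peer connection")
    macs = profile.trusted.get(attempt.ssid)
    if macs is None:
        return (profile.unknown_ap, "SSID not in profile")
    if attempt.bssid.lower() not in macs:
        return ("block", "trusted SSID offered by unlisted AP MAC")
    # Unrecognized security labels rank below everything, so they fail closed.
    if RANK.get(attempt.security, -1) < RANK[profile.min_security]:
        return ("block", "security below profile minimum")
    if attempt.security == "open" and not (attempt.vpn_up and attempt.firewall_on):
        return ("block", "open network without firewall and VPN")
    return ("allow", "meets profile")

# Constructed profiles: administrator-locked "work", user-created "home".
WORK = Profile("WPA2-Enterprise", {"CorpNet": {"00:11:22:33:44:55"}})
HOME = Profile("open", {"HomeWLAN": {"66:77:88:99:aa:bb"}}, unknown_ap="ask_user")

if __name__ == "__main__":
    print(evaluate(WORK, Attempt("CorpNet", "00:11:22:33:44:55", "WPA2-Enterprise")))
    print(evaluate(HOME, Attempt("linksys", "0a:0b:0c:0d:0e:0f", "open")))
```

The `unknown_ap` field is where the company's choice between blocking unknown APs and leaving the decision to the user is expressed.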


These are just a few of the ways in which a Host WIPS can be used to strengthen Wi-Fi client defenses. These programs are still evolving; detection, enforcement and management capabilities do vary quite a bit beyond the brief illustrations given here. Consider the policy you want to enforce, the client operating system(s) you need to support, and consistency with your on-site WIPS (if any). Individuals and small businesses can use standalone Host WIPS programs that are installed and configured manually. Larger enterprises will prefer an integrated Host WIPS agent that interfaces with a central server for policy configuration, software installation, event logging and/or threat reporting.

About the author:
Lisa A. Phifer is vice president of Core Competence Inc. She has been involved in the design, implementation and evaluation of data communications, internetworking, security and network management products for more than 20 years and has advised companies large and small regarding security needs, product assessment and the use of emerging technologies and best practices. 


This was last published in May 2007
