Properly configure clients and APs and watch out for rogue APs
Wireless networks have become a reality for companies of all sizes. In small and midsized businesses (SMBs), wireless networks' low cost and ease of deployment can make them preferable to wired networks. Larger enterprises view wireless networks as facilitating employees meeting in rooms, lounges, and even cafeterias with their laptops to maintain network connectivity.
Along with the benefits of wireless networks comes a need to keep them secure. Wireless networks that aren't secured allow hackers and others who perhaps only want a free Internet connection virtually unrestricted access to your intranet. Unauthorized wireless networks aren't uncommon in large enterprises—workgroups or end users sometimes ignore corporate policy and install Access Points (APs) to meet a perceived need—but they can introduce a huge risk to the organization. Consider this: Sophisticated spammers and phishers are now leveraging unsecured wireless networks to send out bulk email messages. They drive around large metropolitan areas and business parks looking for vulnerable wireless networks and, when they find one, they configure their mobile systems to connect to that network; obtain a DHCP lease with valid IP address, DNS, and default gateway information; then send out their messages. If you've ever used a tool such as NetStumbler or the built-in wireless management tools available on most laptops and PDAs, you've probably come across unsecured wireless networks in the neighborhood where you live, in the area surrounding your business, or possibly within your own enterprise.
Owners of unsecured networks risk lost bandwidth on their Internet connection, virus and worm infection, and potentially even criminal or civil liability if their unsecured wireless networks are used to launch attacks against others. Let's look at some practical steps you can take to secure your wireless networks, methods to automate configuration-setting deployment, and tools you can use to probe for unsecured and unauthorized wireless networks.
Wireless Network Fundamentals
Before you can secure a wireless network, you need to understand some wireless networking basics. Wireless networks typically comprise APs and clients that have wireless NICs. APs and wireless NICs have transceivers or radios that they use to communicate with each other. Each AP and wireless NIC has a 48-bit media access control (MAC) address, which is functionally equivalent to an Ethernet address. APs bridge the wireless and wired networks, giving wireless clients access to wired networks. It's possible for wireless clients to communicate without an AP in ad hoc networks, but these aren't commonly found in enterprise environments. Every wireless network is identified by an administrator-defined Service Set Identifier (SSID). For wireless clients to communicate with an AP, they must be set to recognize the AP's SSID. If you have multiple APs in your wireless network and they share the same SSID (and the same authentication and encryption settings), your mobile wireless clients can roam among them.
The predominant wireless standard is 802.11 and its amendments. 802.11 defines a network that can operate at speeds up to 2Mbps. Amendments to the standard define faster data rates. The first, 802.11b, is the predominant profile but is fast being replaced by 802.11g. 802.11b wireless networks operate in the 2.4GHz range and offer speeds up to 11Mbps. The second amendment, 802.11a, was actually ratified before 802.11b but took longer to come to market. It operates in the 5.8GHz range and offers standard speeds of 54Mbps, with some vendors offering higher speeds up to 108Mbps in turbo mode. The third amendment, 802.11g, operates in the 2.4GHz range like 802.11b and offers standard speeds of 54Mbps and higher speeds up to 108Mbps in turbo mode. Most 802.11g wireless networks can be used by 802.11b wireless clients due to the backward compatibility that's built into the 802.11g standard, but actual compatibility varies depending on vendors' implementations. Much of the wireless equipment available today supports two or more of the 802.11 amendments. A new wireless standard, 802.16, called WiMAX, is evolving to address a particular need for wireless access to businesses and homes from towers, much like cellular towers, and won't be considered here.
An AP's practical range, or coverage, depends on many factors including the 802.11 amendment and the frequency at which the equipment operates, the manufacturer, power settings, antennae, internal and external walls and fixtures, and topographical features. However, a wireless NIC attached to a high-gain directional antenna might provide access to your AP and wireless network from some considerable distance, perhaps up to a mile or so away depending on conditions.
The very public nature of the radio spectrum presents unique security challenges not present in wired networks. For example, to eavesdrop on communication over a wired network, you need physical access to a network component such as a LAN drop, switch, router, firewall, or host. For a wireless network, you need only a receiver, such as a common scanner.
Because of this openness, wireless standard developers created Wired Equivalent Privacy (WEP), although they made its use optional. WEP relies on a shared secret, or key, known by wireless clients and the APs they communicate with. The key can be used for both authentication and encryption. The encryption algorithm used by WEP is RC4. The length of the key is 64 bits, consisting of 40 user-definable bits and a 24-bit initialization vector. In an attempt to make wireless networks more secure, some wireless equipment manufacturers have developed extensions that support 128-bit and longer WEP keys consisting of 104-bit or longer user-defined keys and the initialization vector. WEP is available on 802.11a-, 802.11b-, and 802.11g-compatible equipment. However, despite the longer key lengths, WEP's flaws (including poor authentication mechanisms and encryption keys that can be broken through cryptanalysis) have been well documented, and WEP is no longer considered secure.
In response to WEP's deficiencies, the Wi-Fi Alliance, an industry body with more than 200 members including Apple Computer, Cisco Systems, Dell, IBM, and Microsoft, developed Wi-Fi Protected Access (WPA). WPA improves on WEP by adding the Temporal Key Integrity Protocol (TKIP) and strong authentication that uses 802.1x and the Extensible Authentication Protocol (EAP). WPA was intended to be a working standard that could be submitted for acceptance by the IEEE as an amendment to the 802.11 standards. The amendment, 802.11i, was ratified almost a year ago, and WPA was updated to WPA2 to support use of the Advanced Encryption Standard (AES) in place of TKIP's WEP-derived encryption. WPA2 is backward compatible and will interoperate with WPA. WPA was designed for use in enterprise networks with a supporting Remote Authentication Dial-In User Service (RADIUS) authentication infrastructure, but a version of WPA called WPA Pre-Shared Key (WPA-PSK) is supported by some manufacturers and is designed to be used in smaller environments. Like WEP, WPA-PSK relies on a shared secret, but WPA-PSK is more secure than WEP.
802.1x is often misunderstood. It's used to control access to ports on switches in wired networks and to APs in wireless networks. 802.1x doesn't mandate which authentication technique to use (you can use X.509 version 3 certificates or Kerberos, for example) and doesn't feature encryption or mandate its use.
3 Steps to Security
To secure a wireless network, you can use three mechanisms: Set the client and AP to know and use the same nondefault SSID, set the AP to permit communication only with clients whose MAC addresses are known to the AP, and force the client to authenticate to the AP and encrypt traffic. Most APs ship with a default SSID, with the list of permitted client MAC addresses disabled, and with a well-known default shared secret for authentication and encryption (or with no authentication or encryption whatsoever). These defaults are usually documented in the online Help available from the manufacturer's Web site. They make it easy for an inexperienced user to get a wireless network up and running, but they also make it easy for a hacker to compromise the network. To make matters worse, most APs are configured to broadcast their SSID. Thus, an attacker can browse for default SSIDs to find vulnerable wireless networks.
Your first step in securing your wireless network is to change the SSID from your AP's default setting. You'll also need to change the setting on your clients to ensure connectivity with the AP. Consider setting the SSID to something that's recognizable to you and your users but that doesn't immediately identify your wireless network among other SSIDs that might be detectable to outsiders.
The next step is to consider disabling the AP's announcement of the SSID, if you can. This action makes it harder, but not impossible, for an attacker to discover the presence of your wireless network and the SSID. Some APs won't let you disable SSID broadcasting. In such cases, make the broadcast interval as long as possible. In addition, be aware that some clients can communicate only with APs that broadcast SSIDs. Thus, you might need to experiment with this setting to see what works in your situation.
Next, consider configuring your APs to allow access only to wireless clients with known MAC addresses. This step probably isn't feasible in a large organization, but for small businesses with only a handful of wireless clients, it's an excellent additional layer of defense. Attackers will then need to discover which MAC addresses are permitted to connect to APs in your enterprise and will need to change the MAC of their wireless NIC to a permitted address (note that some wireless NICs allow the MAC address to be overridden).
Choosing authentication and encryption settings can be the most challenging step in securing your wireless network. Before settling on the settings, you'll need to inventory your APs and wireless NICs to find out what security protocols they support, especially if you already have a wireless network in place or have a variety of equipment from different manufacturers. Some equipment, especially older APs and wireless NICs, might not support WPA, WPA2, or longer WEP key lengths.
Another situation to be aware of is that some early equipment requires users to enter a hexadecimal number representing a key, whereas other older APs and wireless NICs ask for a passphrase that's converted into the key, making it difficult to ensure that the same key can be used on all equipment. If you have such equipment, you can use resources such as the WEP Key Generator at http://www.andrewscompanies.com/tools/wep.asp to generate random WEP keys and convert passphrases to hex numbers.
In general, you should use WEP only when absolutely necessary. If you must use WEP, use keys that are as long as possible and consider running your wireless network in Open mode rather than Shared mode. When a network runs in Open mode, no authentication of clients is performed and anyone can connect to your APs. These preliminary connections consume some wireless bandwidth, but attackers who connect to the AP won't be able to communicate further with it because they don't know the WEP encryption key. And you can prevent even the preliminary connections by configuring your AP to accept connections only from known good MAC addresses. In contrast, an AP on a network running in Shared mode uses the WEP encryption key to authenticate wireless clients in a challenge-response exchange, and an attacker can cryptanalyze the authentication sequence to determine the WEP encryption key.
When WPA is an option, you'll need to determine whether to use WPA, WPA2, or WPA-PSK. The determining factor in whether you'll use WPA or WPA2 on the one hand or WPA-PSK on the other is whether you have or can deploy the infrastructure that WPA and WPA2 require to authenticate users. WPA and WPA2 require you to deploy RADIUS servers and possibly a Public Key Infrastructure (PKI). WPA-PSK, like WEP, relies on a shared secret that's known to the wireless client and AP. You can safely use a WPA-PSK shared secret for authentication and encryption because it doesn't suffer from the WEP vulnerability that allows the encryption key to be uncovered through cryptanalysis of the authentication exchange.
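To make concrete what the WPA-PSK "shared secret" actually is, here is an added example (not code from the article) that derives the 256-bit pre-shared key the way 802.11i specifies: PBKDF2-HMAC-SHA1 over the passphrase, with the SSID as the salt and 4096 iterations. Two practical consequences follow for the configuration steps above: because the SSID is the salt, changing the SSID (step one) changes the derived key, so clients must be reconfigured; and because the passphrase is the only secret in the derivation, its length and randomness are what protect a WPA-PSK network. The `parse_user_key` helper and its acceptance of either a passphrase or a 64-hex-digit key are assumptions of this example, modeled on what most client dialogs accept.

```python
"""Derive the WPA-PSK pre-shared key from a passphrase and SSID (802.11i).

Added example, not code from the article. Uses only the standard library.
"""
import hashlib

PSK_BYTES = 32          # WPA-PSK is a 256-bit key
PBKDF2_ITERATIONS = 4096  # fixed by 802.11i


def validate_passphrase(passphrase: str) -> None:
    """802.11i passphrases are 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters long")
    if any(ord(c) < 32 or ord(c) > 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")


def derive_psk(passphrase: str, ssid: str) -> str:
    """Return the 64-hex-digit PSK shared by the client and the AP.

    The SSID is the salt, so the same passphrase on a renamed network
    yields a different key.
    """
    validate_passphrase(passphrase)
    key = hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        dklen=PSK_BYTES,
    )
    return key.hex()


def parse_user_key(value: str, ssid: str) -> str:
    """Accept either a raw 64-hex-digit PSK or a passphrase (assumed behaviour,
    modeled on typical client dialogs) and return the PSK as lowercase hex."""
    if len(value) == 2 * PSK_BYTES and all(c in "0123456789abcdefABCDEF" for c in value):
        return value.lower()
    return derive_psk(value, ssid)


if __name__ == "__main__":
    # The 802.11i reference test vector: passphrase "password", SSID "IEEE".
    print(derive_psk("password", "IEEE"))
```

The reference vector printed by the block is the one published with 802.11i, so you can use it to confirm that a vendor's passphrase-to-key tool agrees with the standard before relying on it across mixed equipment.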
As you would expect, APs from different vendors have their own distinctive UIs and configuration methods, so I can't provide one set of detailed instructions that will work for all of them. But the above information should help guide you through configuring your own APs.
Windows Client Configuration
Windows Server 2003 and Windows XP make it easy to configure a client to use wireless networks, especially networks that use WEP. Microsoft introduced the Wireless Zero Configuration service in XP and called it the Wireless Configuration service in Windows 2003. When running, the service monitors wireless NICs for reception of SSID broadcasts from APs. If a broadcast with a known SSID is received and enough configuration information is available, Windows can automatically join the wireless network if configured to do so. The wireless configuration service also gives you a standard dialog box interface for configuring wireless network settings regardless of the wireless NIC installed. Unfortunately, the service doesn't work with all wireless NICs; if it doesn't work with yours, you'll need to disable it and use the driver and configuration toolset that came with your NIC.
To use the configuration service, open the Network Connections Control Panel applet, right-click the wireless NIC item, select Properties, and go to the Wireless Networks tab. Make sure that the Use Windows to configure my wireless network settings option is selected, and click Add to configure a wireless network. Figure 1 shows the dialog box that lets you enter details for a wireless network. Enter the SSID for the wireless network you want to connect to, then select a method for Network Authentication. If you select Open or Shared, your options for the Data encryption field are WEP or Disabled. If you select WPA or WPA-PSK, your data encryption options are TKIP or AES.
When using WEP or WPA-PSK for authentication or encryption, you can enter the authentication or encryption key (to enable the Network key field and Confirm network key field, you'll need to clear the option The key is provided for me automatically). If you have more than one key, select the key number, or index. Some APs and wireless NICs let you store and use up to four keys for flexibility. You might rotate keys weekly, for example, manually selecting the next key on the list each Monday morning.
Locating Rogue APs
As mentioned earlier, rogue APs can present untold risk to the enterprise. But the benefits that an AP can offer plus the ease of installation (especially installation that just uses the default configuration settings) make it highly likely that somewhere, sometime, someone will deploy one on your network.
Finding rogue APs can be problematic but is necessary to maintain effective security. Windows 2003 has a new Microsoft Management Console (MMC) snap-in called Wireless Network Monitor that you can use to log network client activity and to find APs. However, installing Windows 2003 on a laptop just for an MMC snap-in is cumbersome, expensive, and unnecessary. Most laptops and PDAs with built-in wireless NICs come with tools that can be used to detect rogue APs.
If your laptop or PDA doesn't come with such a tool or if you want advanced features such as GPS support (which when used with a directional antenna and a compass lets you triangulate the location of a rogue AP), then you might find a freeware tool such as NetStumbler preferable. Two versions are available from http://www.netstumbler.com/downloads: one for Windows 2000 and later and one for Windows CE-based devices, called MiniStumbler. Figure 2 shows NetStumbler running on a Dell laptop that has XP Service Pack 2 (SP2) and a Dell TrueMobile 1400 wireless NIC, one of many wireless NICs supported by NetStumbler.
You can use NetStumbler to locate rogue APs simply by running it on a laptop and walking around with the laptop. As NetStumbler detects APs, it displays them on the screen. It provides information such as the AP's MAC address, channel that it listens on, whether encryption is in use, and vendor information. NetStumbler also shows the signal-to-noise ratio (SNR) for the radio signal. The higher the number, the closer you are to the AP.
Before you can detect rogue APs, you need to know the MAC address and SSID of each legitimate AP in use in your enterprise. As you deploy APs, record their MAC address, their SSID, and where you've placed them. As you walk around with NetStumbler, look for APs that have an unfamiliar SSID or an unknown MAC address. As you find them, record your location, then walk in different directions and note in which direction the SNR number increases. If you keep walking in that direction, you'll eventually come across the AP or at least determine the general area in which it's located for a more thorough physical examination at a later date. Don't forget that an AP could actually be located on a floor above or below you.
Be particularly aware that a sophisticated hacker might establish an AP with the same SSID as your network in an attempt to capture unsuspecting users. Once connected to an attacker's AP, legitimate users will attempt to connect to your network's resources such as the email server and Web-based applications. Although they'll be unable to connect to these resources through the attacker's AP, they might be duped into revealing their usernames and passwords before throwing their hands up in frustration. You should train your Help desk staff to be on the lookout for calls about wireless network connectivity problems that might point to such APs and ensure that staffers ask users to report their location. Follow up on reports using NetStumbler or other tools and check the MAC address of all APs in the area to make sure that each is legitimate.
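The two preceding paragraphs describe one procedure: keep an inventory of legitimate APs, walk the building with a scanner, and treat any AP with an unfamiliar MAC address or SSID (and especially an unknown AP advertising your own SSID) as suspect. Here is an added example, not code from the article or from NetStumbler, that automates the comparison step. It assumes the inventory is a table of BSSID, SSID and location recorded at deployment time, and that the survey has been exported to a simple comma-separated layout (both the inventory and the survey lines are constructed sample data, and the export format is an assumption). Findings are ordered so that the most serious one with the strongest signal, the closest suspect by the SNR rule of thumb, is listed first.

```python
"""Compare a wireless survey against the AP inventory to flag rogue APs.

Added example, not code from the original article or from NetStumbler.
"""
from dataclasses import dataclass

# Constructed inventory of deployed APs: BSSID -> (SSID, location).
KNOWN_APS = {
    "00:0c:41:aa:bb:01": ("corp-wlan", "Floor 2 east wing"),
    "00:0c:41:aa:bb:02": ("corp-wlan", "Floor 3 west wing"),
    "00:0c:41:aa:bb:03": ("corp-wlan", "Cafeteria"),
}

# Constructed survey export in an assumed layout: bssid,ssid,channel,encrypted,snr
SURVEY = """\
# bssid,ssid,channel,encrypted,snr
00:0c:41:aa:bb:01,corp-wlan,6,yes,38
00:0c:41:aa:bb:02,corp-wlan,11,yes,21
00:0c:41:aa:bb:03,corp-guest,1,no,29
00:11:22:33:44:55,corp-wlan,6,no,44
00:0f:66:de:ad:01,linksys,1,no,17
"""


@dataclass
class Observation:
    bssid: str
    ssid: str
    channel: int
    encrypted: bool
    snr: int


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    bssid: str
    snr: int
    message: str


SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def parse_survey(text):
    """Parse survey lines into Observation records; blank and '#' lines are skipped."""
    observations = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bssid, ssid, channel, encrypted, snr = (f.strip() for f in line.split(","))
        observations.append(Observation(bssid.lower(), ssid, int(channel),
                                        encrypted.lower() == "yes", int(snr)))
    return observations


def classify(observations, known=KNOWN_APS):
    """Return findings for APs that are missing from the inventory or disagree with it."""
    findings = []
    known_ssids = {ssid for ssid, _ in known.values()}
    for o in observations:
        if o.bssid in known:
            expected_ssid, location = known[o.bssid]
            if o.ssid != expected_ssid:
                # A legitimate AP whose SSID no longer matches the record: likely misconfiguration.
                findings.append(Finding("low", o.bssid, o.snr,
                    f"inventoried AP at {location} advertises {o.ssid!r}, expected {expected_ssid!r}"))
            continue
        if o.ssid in known_ssids:
            # An unknown MAC advertising our SSID: the look-alike AP the article warns about.
            findings.append(Finding("high", o.bssid, o.snr,
                f"unknown AP advertising our SSID {o.ssid!r} on channel {o.channel}"))
        else:
            state = "encrypted" if o.encrypted else "unencrypted"
            findings.append(Finding("medium", o.bssid, o.snr,
                f"unknown {state} AP {o.ssid!r} on channel {o.channel}"))
    # Most serious first; within a severity, strongest signal (closest suspect) first.
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], -f.snr))
    return findings


if __name__ == "__main__":
    for f in classify(parse_survey(SURVEY)):
        print(f"[{f.severity:6}] {f.bssid}  SNR {f.snr:3}  {f.message}")
```

Run the comparison after each walk-through and against each Help desk report of wireless trouble; a "high" finding near the reported location is the case to physically track down first, using rising SNR as the guide the article describes.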
If you find you need more information about securing a wireless network, an excellent resource for businesses of all sizes, and even home users, is the book Deploying Secure 802.11 Wireless Networks with Microsoft Windows by Joseph Davies (Microsoft Press, 2003). You can find information about the book and where to purchase it and you can link to a white paper that updates the book at http://www.microsoft.com/mspress/books/6749.asp. A great online resource is http://www.microsoft.com/windowsserver2003/technologies/networking/wifi/default.mspx. Although this page is in the Windows 2003 section of the Microsoft Web site, it contains links to information for XP.