Securing wide-open APs
You might have heard about the Public Internet Project, a nonprofit organization devoted to expanding Internet access (for more information about this project as well as all the solutions I discuss in this month's column, check out the Web-exclusive box of additional resources at http://www.winnetmag.com, InstantDoc ID 40706). Last year, the group surveyed 802.11b wireless access in New York City. Figure 1 shows a map of Manhattan based on the group's research. The blue dots, which indicate secure wireless Access Points (APs) with Wired Equivalent Privacy (WEP) enabled, account for less than 30 percent of the mapped APs. The red dots, which account for the other 70 percent, indicate insecure APs open to anyone who cares to use them for Internet access. At first glance, this data might look harmless—after all, an AP owner might choose to make its AP public, right?
Now look at Figure 2, page 24, which is from a war drive I did in my neighborhood in Modesto, California, using Marius Milner's MiniStumbler on a Compaq iPAQ Pocket PC equipped with a Proxim ORiNOCO Gold PC Card wireless network card. The circle-and-padlock symbol indicates secure APs in the area, of which there were relatively few. Even more telling are the AP names, which are actually Service Set Identifiers (SSIDs). No fewer than 4 of the 12 APs listed are named "linksys," which is the default, out-of-the-box name that most Linksys APs use. In other scans, I found similar numbers of default AP names from other vendors. In almost every case, these devices are wide open without any security and use default administrative settings, which lets any passer-by not only access the Internet but also potentially hack the AP.
Although new security options simplify creating a secure wireless network and ease finding rogue wireless APs, few individuals take advantage of these options. As a result, unsecured APs are spreading like wildfire. After I surveyed my residential neighborhood, I surveyed Modesto's downtown business district, with similar results—many small businesses apparently install APs without ever giving a thought to security. Many Mobile & Wireless UPDATE correspondents report similar results, noting that they've found wide-open APs everywhere, including lawyers' and doctors' offices.
Even worse, these unsecured APs don't appear to be limited to residential PC users and small business owners who don't know any better. A front-page Wall Street Journal story last year detailed the experiences of two hackers who amused themselves by driving through Silicon Valley with a notebook PC connected to a high-gain antenna, successfully hacking into various companies, including Sun Microsystems. Just how sure are you that all the APs in your company are secure?
The problem of wide-open APs potentially affects us all. How many times during the past year have we had to contend with a virus, a worm, and who knows what else that intruders had injected into enterprise servers? Every insecure AP is an open invitation to hackers to do their worst in total anonymity: They can simply drive up within range of the open AP, inject whatever they want, and drive away laughing. And although I don't want to appear alarmist, in a post-9/11 world, we should all remain aware of the risk of terrorism, both physical and electronic. Unsecured APs provide a perfect medium for anonymous communication by anyone with a wireless mobile device and secure email software.
I'm not surprised that so many AP owners inadvertently set APs up in a wide-open state: Security measures on these devices are typically disabled by default, and the documentation rarely provides step-by-step instructions. For that matter, AP WEP-based security is so weak that any determined hacker can beat it. Having said that, I don't think weak security is a reason for not using it, but clearly we need something better.
The IEEE has been working on a new, more advanced wireless standard called 802.11i that will incorporate improved security, and vendors including Linksys are beginning to offer 802.11i-based products. Large organizations have also been implementing a component of another new wireless standard called 802.1x. In contrast to WEP, which requires separate authentication keys at each AP, 802.1x provides pass-through authentication against a central authority—typically a Remote Authentication Dial-In User Service (RADIUS) server, such as Microsoft Internet Authentication Service (IAS) in Windows Server. Administrators can integrate this central authority directly with Active Directory (AD), and this configuration is much less vulnerable to hacking.
Microsoft offers 802.1x wireless authentication support as an add-on to Windows 2000 and a built-in 802.1x client for Windows XP. For earlier OSs, Funk Software's Odyssey provides 802.1x support on most Windows-based systems, including Pocket PC devices.
Although 802.1x solves a major part of the wireless security puzzle for enterprise users, small office/home office (SOHO) users like me are unlikely to set up a RADIUS server in our homes. To solve this problem, the Wi-Fi Alliance introduced Wi-Fi Protected Access (WPA). WPA incorporates the 802.1x Extensible Authentication Protocol (EAP) and Dynamic Key Distribution models with a Message Integrity Check feature. For SOHO users, WPA includes a preshared key option (i.e., matching passwords), which eliminates the need for a RADIUS server to authenticate against. In contrast to WEP's static, manually entered keys, WPA automatically distributes cryptographically strong keys on a per-user, per-session, or per-packet basis. Because WPA is a superset of 802.1x, it retains server-based authentication for enterprise use. Unfortunately, to deploy WPA you must have compatible APs and clients. The Wi-Fi Alliance announced the first certified WPA-compatible products on April 29, including APs (and AP reference designs) from Atheros Communications, Broadcom, Cisco Systems, and Intersil and adapters from Intel and Symbol Technologies. Linksys, which offers one of the most common low-end AP and client solutions, recently released a firmware update for its 802.11g products that supports the official 802.11g specification and WPA. You might be able to upgrade your existing AP and adapter firmware to support WPA, so check with your hardware vendor.
In the Meantime ...
While we wait for vendors to supply WPA-compatible hardware, we can take several steps to secure our APs. Most of today's APs provide at least WEP-based security, many let you filter specific media access control (MAC) addresses, and some let you disable public advertisements of the SSID. None of these steps will provide perfect security—WEP is vulnerable to brute-force attacks and MAC addresses can be spoofed—but they'll slow down casual hackers. In addition, you can use a firewall with an AP and monitor the firewall's logs for hack attempts. But before you can take any of these steps, the administrator or AP owner must know that a problem exists.
The most important solution to the problems I've been discussing is education—and that's where readers of this column can help. If you own a notebook PC or handheld mobile device with a wireless card, I urge you to perform a site survey in your office and a war drive around your home. Software to perform these surveys, such as NetStumbler, is available for free. If you find a rogue AP in your office, you'll want to have a long talk with whoever installed it and make sure that it's properly secured. If one of your neighbors is running a wide-open AP, you might want to have a chat with him or her as well or perhaps leave a copy of this article where that person can find it.
Of course, conducting site surveys of every installation isn't practical for most enterprise IT managers. Instead, they need a software solution that inspects data from the APs, routers, and possibly the wireless mobile devices themselves and automatically alerts the IT staff when the software detects an unauthorized AP. Several software products address this requirement. AirDefense RogueWatch detects wireless APs automatically, in conjunction with the company's proprietary wireless Intrusion Detection System (IDS). AirWave offers optional wireless and wireline rogue AP detection modules as part of its AirWave Management Platform (the wireless module works only with select APs). Wavelink provides rogue AP detection as part of its Wavelink Mobile Manager product—the software generates a report of all APs within range of each mobile device and compares this information against a list of authorized APs. And Cisco Systems has announced that it will provide rogue AP detection in fourth quarter 2003, including a firmware upgrade to Cisco Aironet 1100 and Aironet 1200 series routers, as part of its Structured Wireless-Aware Network initiative.
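The comparison these products perform (APs seen in range versus a list of authorized APs) can be sketched in a few lines. The following is an added example, not code from this column or from any vendor's product; the CSV layout, BSSIDs, inventory, and every default SSID other than "linksys" are constructed assumptions.

```python
import csv

# Constructed survey rows (not real captures); the column layout is an assumption.
SURVEY_CSV = """bssid,ssid,encryption
00:11:22:33:44:01,CORP-WLAN,WPA
00:11:22:33:44:02,CORP-WLAN,WEP
00-aa-bb-cc-dd-10,linksys,NONE
00:AA:BB:CC:DD:11,CORP-WLAN,NONE
00:AA:BB:CC:DD:12,CoffeeShop,WPA
"""

# Constructed inventory of sanctioned APs: BSSID -> SSID it should advertise.
AUTHORIZED = {
    "00:11:22:33:44:01": "CORP-WLAN",
    "00:11:22:33:44:02": "CORP-WLAN",
    "00:11:22:33:44:03": "CORP-WLAN",
}

# "linksys" is the default the article names; the others are assumed examples.
DEFAULT_SSIDS = {"linksys", "netgear", "default", "tsunami"}


def normalize_bssid(raw):
    """Canonicalize a MAC so 00-aa-... and 00:AA:... compare equal."""
    digits = "".join(c for c in raw if c not in ":-. ").upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"malformed BSSID: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit(survey_text, authorized):
    """Return ({bssid: [issue, ...]}, [inventory BSSIDs the survey never saw])."""
    findings, seen = {}, set()
    for row in csv.DictReader(survey_text.splitlines()):
        bssid = normalize_bssid(row["bssid"])
        ssid, enc = row["ssid"].strip(), row["encryption"].strip().upper()
        seen.add(bssid)
        issues = []
        if bssid not in authorized:
            issues.append("not-in-inventory")
            if ssid in authorized.values():
                issues.append("uses-authorized-ssid")
        if ssid.lower() in DEFAULT_SSIDS:
            issues.append("default-ssid")
        if enc in ("NONE", "WEP"):
            issues.append("open" if enc == "NONE" else "wep-only")
        if issues:
            findings[bssid] = issues
    return findings, sorted(set(authorized) - seen)
```

A BSSID match is only a first filter, because MAC addresses can be spoofed, and an AP flagged solely as `not-in-inventory` may simply belong to a neighbor. An inventory AP that the survey never sees is also worth checking: it may be powered off, moved, or replaced.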
By taking appropriate steps to secure our own APs and educating the general public about the dangers of leaving residential and SOHO APs wide open, we can bridge the gap until advanced technologies such as WPA and 802.11i become widely available. I think taking these steps is in everyone's interest.
Note: In my August 2003 Mobile & Wireless column, I discussed wireless Voice over IP (VoIP) as a potential mobile killer app. It turns out I'm not alone. Since that column went to press, I've learned that Toshiba will include VoIP software with its Tablet PCs, Pocket PCs, and conventional notebooks, so stay tuned.
"Enterprise Deployment of Secure 802.11 Networks Using Microsoft Windows"
"Overview of the WPA Wireless Security Update in Windows XP"
"Q313664: Recommended Update"
AirWave Management Platform
Cisco Structured Wireless-Aware Network
Wavelink Mobile Manager
IEEE 802.1x draft standard
National Infrastructure Protection Center (NIPC) 802.11b best practices
Public Internet Project 802.11b survey
Wi-Fi Alliance's Wi-Fi Protected Access (WPA)