You know you have to protect your wireless networks from hackers, but you also have to protect it from your employees … and yourself.

Recently I visited a friend of mine, a top attorney dealing in privacy compliance and litigation. As she sat at her wireless laptop with her trusty Palm Pilot and cell phone nearby, I asked her how she secured her wireless devices. “I have no idea,” she replied. “The firm gave me this laptop fully loaded with a wireless card and 30 minutes of training. No one explained anything about wireless security.”

“But you deal in privacy violations,” I said. “Aren’t you afraid that someone might illegally access your laptop or one of your other wireless devices and get information that's supposed to be private?”

“I haven’t really spent any time thinking about that,” said my friend. “After all, we have a security administrator who takes care of all of that, and since I’m totally ignorant about all things technical, it’s probably better if I don’t get involved.”

Companies are increasingly adopting wireless communications for their employees. The security administrator is responsible for securing communications, but wireless options offer employees a plethora of ways to circumvent security policy, intentionally or unintentionally. That’s bad news when most employees, like my lawyer friend, remain uneducated or undereducated about the possibilities of security violations.

The Wireless Threat
Simply by being airborne, your WLAN opens itself to intruders and attacks. The 802.11 standard from the Institute of Electrical and Electronics Engineers (IEEE) defines the physical layer and media access control (MAC) layer for WLANs. All the base stations, or access points to the network, communicate with each other using the 802.11, or Wi-Fi, protocol. It operates at a 2.4-GHz frequency that is unregulated by governments and that the walls of buildings cannot completely constrain.

According to Rob Markovich, president and CEO of Network Chemistry, “Malware and hackers target WLANs because they are the new low-hanging fruit of the IT world. It’s relatively easy to exploit an open AP or divert a laptop to a hacker’s wireless device.”

Sometimes Users Open the Door
There are many types of wireless threats, some of which are facilitated by improper employee use.

  • Problem: Sniffing.

This is a common threat. Any eavesdropper who can listen to wireless transmissions can pick up unencrypted messages. Sniffing no longer requires highly specialized technical skills. Sophisticated and easy-to-use sniffers make the process relatively simple. A packet sniffer captures all packets leaving over single or multiple ethernet connections, analyzes them and reveals the data inside. Capturing packets containing user IDs and passwords is a relatively simple way to steal an authorized user’s identity. Since the wireless LAN user is not restricted to the physical area of the company or to a single access point, WLANs can permit unauthorized users access from public locations that offer no protection.

  • Solution. By using monitoring software or VPN-like encryption and network management features, you can tighten and enforce strong access control to the corporate network. Companies such as Senforce and Bluesocket provide such solutions.
  • Problem: Denial of Service Attacks (DoS).

DoS attacks pose a real threat even when attackers cannot gain access to a WLAN. During a DoS, attackers flood the WLAN with static noise that causes wireless signals to collide and produce CRC errors. Such attacks significantly slow or shut down the WLAN. WLAN users can even cause unintentional DoSs by concurrently using a 2.4-GHz cordless phone or placing access points near devices that generate interference, such as microwaves.

  • Solution. Monitoring WLANs and discovering performance problems is a first step in dealing with DoS attacks. Network Chemistry, Apani and Broadcom all provide products that help prevent DoS attacks.
  • Problem: Rogue APs.

These are unauthorized wireless access points (WAPs). It’s so easy and inexpensive for employees to install a WLAN on their own—just use a WLAN card and attach a WAP—that security administrators are constantly finding unauthorized, employee-installed wireless connections to their corporate laptops. In many cases the administrators don’t find these connections until the network is compromised. Gartner claims that by August 2001, 20 percent of all enterprises had rogue WLANs attached to their corporate networks by authorized network users. Rogue APs clearly subvert corporate security policies and put the network in danger.

  • Solution. Frequent physical site audits are a good security measure. This type of audit involves the IT staff manually walking through the premises, using a software stack or specified devices to detect rogue APs. However, such audits can be expensive and time consuming, and employees who find out about them in advance can disconnect their illegal devices and avoid detection. Naturally, it’s important that management keep these audits a secret and weigh the cost against the anticipated results to determine if they are cost-effective.

Some WLANs now offer rogue detection and/or rogue containment that prevents clients from effectively using identified rogue APs, allowing IT staff time to take physical action. IBM’s WAS is a recommended automated tool. NetStumbler, AirSnort and Air Magnet also provide tools that find and eliminate rogue APs.

  • Problem: Lack of Awareness. Sometimes inside breaches occur because employees knowingly compromise the network, but they can just as easily occur because employees are careless or because they simply don’t understand how to keep transmissions secure. The lawyer friend I mentioned at the beginning of this article is not an atypical employee; she assumed everything was being taken care of by IT and she had no need to worry about precautions.
  • Solution. Increase employee awareness training and emphasize written security policies. Require written permission to connect to the WLAN, restrict the trading of MP3 and video files, and recognize unusual traffic on the WLAN.

Technology solutions can also help alleviate this problem. Senforce’s Wi-Fi Security monitors all endpoint devices including notebooks, desktops, and tablet PCs to ensure they comply with corporate security policies governing Wi-Fi network connectivity and security. This takes the guesswork out of policy compliance for both employees and administrators.

Sometimes Administrators Don’t Close the Door
Even when employees know and follow all the rules, wireless security can still be compromised by a few common administrative oversights. Be on the lookout for these.

  • Problem: Incorrectly Configured Access Points. These are a significant hole in WLAN security. When network administrators use service set identifiers (SSIDs) as passwords to verify authorized users, access point configuration errors allow attackers to steal the SSID as they’re being broadcast and impersonate authorized users.
  • Solution. The corporate password policy should be applied to SSIDs. Through methods based on transport layer security (TLS), access points need to prove their identity before clients provide authentication credentials, and credentials should be protected by strong cryptography for transmission over the air. Only when 802.11 MAC adopts per-frame authentication will session hijacking be solved. Funk Software and Air Defense have products for determining and correcting incorrectly configured access points.
  • Problem: Insecure Network Configuration. Insecure network configuration includes lack of authentication, weak or no encryption, and default passwords that make networks vulnerable. Since 802.11 networks do not authenticate frames, attackers can use spoofed frames to redirect traffic and corrupt ARP tables. Weak encryption is a common problem since the wired equivalent protocol (WEP) can be compromised. WEP is an encryption algorithm that can be invoked to encrypt transmissions between the wireless user and his WAP.
  • Solution. Only by recognizing these weaknesses and instituting proper controls can the administrator secure the network. One of the ways this can be done is by instituting regular physical site audits. Another way is by using a user authentication mechanism. Wireless security should be configured according to the layered defense concept, preferably with 128-bit advanced encryption standard.

VPN solutions can be deployed to provide strong authentication and protect traffic in transit across the radio link. Among the commonly used cryptographically secure authentications are TLS, protected EAP (PEAP) and tunneled TLS (TTLS). Via Technology, Certicom, Cisco and Nokia all provide solutions to this problem.

Future Trends
Gartner analysts say that companies are delaying implementing wireless local area networks because of the hype about potential threats. By the end of 2005 Gartner estimates that mobile malware will penetrate about 10 percent of smart phones and personal digital assistants.

Since the most effective way of blocking mobile malware is to block it at the network rather than at the device level, John Pescatore, vice president and Gartner Fellow, suggests that companies request wireless service providers to document existing and planned capabilities. He foresees all wireless service providers being required to provide over-the-air mobile malware protection by 2006. Such a requirement may be the solution to an increasing problem facing users as Wi-Fi usage increases.

D.E. Levine, CISSP, CFE, FBCI, CPS is a contributing editor to ST&D and co-author of several security books. She can be reached at [email protected].