Understanding common wireless LAN attacks
There is little doubt the enterprise Wireless LAN (WLAN) market is booming. Worldwide WLAN hardware revenue is expected to top $3.7bn USD in 2007 (Infonetics), with over 50% of enterprises deploying WLANs by 2006 (Meta Group).
The attraction of wireless is simple: greater mobility, flexibility and communications. With most laptops now fitted with wireless chips, enterprise organizations are finding it especially easy and cost effective to move towards wireless infrastructures. In addition to increasing productivity, enterprises are using wireless to enable new business applications. A hospital, for example, can use wireless to improve patient care by tracking where wheelchairs or cardiologists are located within the campus. More and more, wireless is becoming essential to the way that enterprises do business.
While enterprises may be eager to go wireless, a gung-ho approach to WLAN installation is not an option. Security must be given due consideration. The very nature of Radio Frequency (RF) technology makes Wireless LANs open to a variety of unique RF-related attacks.
In order to effectively safeguard a WLAN from these RF attacks, IT managers need to understand the origins of these attacks, the methods by which they are mounted, and the potential risk they present to network resources. The most common types of attack are as follows.
1. Probing and discovery tools
A host of tools have emerged that take advantage of the fact that 802.11 infrastructures rely on network broadcasts to communicate with wireless clients. With these probing and discovery tools, unscrupulous individuals can easily locate, and take advantage of, wireless networks that lack strong security safeguards. One of the most common of these tools is Netstumbler, a Windows-based program that uses active scanning to detect low security access points. Once the access point is detected a number of exploits can be mounted against the network.
2. MAC identity spoof attacks
In an 802.11 WLAN, MAC addresses are openly broadcast over the air. The security implication is that potential attackers can sniff the air looking for valid MAC addresses associated with authorized WLAN users, access points and even wired infrastructure components, such as switches and routers. Once detected, programs exist to spoof these addresses, whereby intruders can masquerade as a valid WLAN client or access point. Naturally, this can compromise a WLAN if MAC authentication is the only security scheme employed.
3. Denial of service attacks
Because WLANs broadcast over the unlicensed ISM & U-NII public bands with a limited number of available channels, RF interference is a common problem. As interference increases, signal quality and network availability decreases. Malicious individuals can use this to their advantage, debilitating WLAN performance. Common ways of doing this include RF frequency jamming and exploits such as Airjack and void11, which flood the WLAN.
4. Man in the middle attacks
A man in the middle attack results from the interception and possible modification of traffic passing between two communicating parties, such as a wireless client and AP. Man in the middle attacks succeed if the systems can't distinguish communications with an intended recipient from those with the intervening attacker.
5. Static WEP cracking programs
Soon after it was first introduced, Wired Equivalent Privacy (WEP) was broken, because WEP uses static keys which can be easily cracked. While these deficiencies were soon corrected with the WiFi Protected Access (WPA) protocol and 802.11i (WPA2), both of which leverage dynamic keys, many WLANs continue to use WEP-based security. As a result, they are still vulnerable to WEP cracking programs.
6. Rogue access point attack programs
A number of "rogue access point attack programs" exist which allow attackers to perform a number of stealth attacks by posing as host access points on a WLAN network.
7. Misconfigured clients
Due to the nature of the 802.11 specification, enterprise WLANs are vulnerable to security risks when new hosts or clients enter the network and when ad-hoc networking is allowed. A wired host with an enabled WLAN adapter, for example, could unwittingly connect to an unknown WLAN. An attacker would then be able to compromise the host machine via the open WLAN adapter through routing features on Linux and Windows and mount an attack against the wired connection. Similarly, because RF signals spill beyond the intended coverage area, accidental connections can occur with neighbouring WLANs, which can compromise the security of trusted networks.
Mitigating the risks
To effectively mitigate the risks associated with RF related attacks, there are a number of safeguards that IT managers should ensure their intelligent WLAN systems have in place. By creating multiple layers of WLAN security, enterprises can protect themselves from common RF-related attacks and create a highly secure wireless environment that supports business critical applications.
At the most basic level, IT managers should look for a WLAN system that can dynamically optimise and manage RF transmissions in real-time so that coverage does not extend beyond the intended areas (coverage that does extend beyond them is known as "RF bleed-over"). This will provide better overall RF security and will particularly help mitigate the risk of probing and discovery attacks.
In addition, it is often good policy to disable SSID Broadcasts at the access point whenever possible. The benefit of this is twofold: one, the number of accidental client associations to the WLAN can be significantly reduced since only clients that know the SSID are able to associate to the WLAN and two, casual "war drivers" will be less likely to probe the WLAN since the SSID is "cloaked".
Strong authentication and encryption
There is no substitute for strong authentication and encryption in a wireless network. This helps to convert a wireless LAN from an untrusted to a trusted network. Access point authentication is key to any WLAN, as it prevents unauthorized devices from masquerading as valid APs via MAC spoofing. Built-in X.509 certificates, for example, can prevent rogue APs from accessing the wired infrastructure, and access points with trusted AP protection prevent authorized clients from associating to rogue APs.
Strong user based authentication is also critical. Solutions like 802.1X, VPNs, PKI certificates, or tokens have proven themselves quite effective at preventing attackers from gaining access to both wireless and wireline networks. Companies looking to install a WLAN system should look for one that supports dynamic keys using TKIP, such as WPA2 (802.11i). This helps to eliminate many of the security vulnerabilities associated with the original WEP standard.
Attack signature detection and intrusion protection
One of the most critical security solutions for WLANs is a robust real-time intrusion detection and prevention system with integrated attack signatures. With this in place, probing programs and rogue access points can be detected and isolated from the rest of the WLAN before they compromise security. For example, DoS attacks like "Airjack" or "void11" can be easily located, and the WLAN can change channels and adjust power output to mitigate their risks.
Other types of denial of service attacks, such as RF jamming attacks, can be detected by a WLAN system capable of monitoring the received signal strength indication (RSSI) threshold and noise floor levels as well as elevated CRC error count levels at the MAC layer. With RF interference detection, dynamic channel assignment and auto power adjustment, intelligent WLAN systems are able to avoid interference generated by frequency jamming devices.
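The jamming detection just described, as an added example that is not part of the original article or of any vendor's product: per-channel noise floor and CRC error counts are compared against a quiet-period baseline, each channel is classified, and a clear channel is chosen to move to. The thresholds (15 dB noise-floor rise, 5x CRC error rate), the RadioSample fields and the telemetry values are assumptions constructed for the example.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass
class RadioSample:
    channel: int
    noise_floor_dbm: float   # measured noise floor for the interval, dBm
    frames_rx: int           # frames received in the interval
    crc_errors: int          # of those, frames that failed the FCS check

# Constructed telemetry: a quiet baseline period, then a later interval
# in which channel 1 is being jammed and channel 11 sees mild interference.
QUIET = [RadioSample(6, -95.0, 100, 1), RadioSample(6, -95.0, 100, 1)]
NOW = [
    RadioSample(1, -70.0, 50, 20),    # noise floor +25 dB, 40% CRC errors
    RadioSample(6, -93.0, 100, 2),    # close to baseline
    RadioSample(11, -80.0, 200, 3),   # noise floor +15 dB, CRC rate normal
]

def baseline(quiet):
    """Noise floor (dBm) and CRC error rate learned from a known-quiet period."""
    nf = mean(s.noise_floor_dbm for s in quiet)
    rate = sum(s.crc_errors for s in quiet) / max(1, sum(s.frames_rx for s in quiet))
    return nf, rate

def channel_status(samples, nf_base, rate_base, nf_rise_db=15.0,
                   crc_factor=5.0, min_frames=20):
    """Classify each channel as 'jammed', 'interference' or 'clear'.
    Both signals together indicate jamming; either one alone is interference."""
    by_channel = {}
    for s in samples:
        by_channel.setdefault(s.channel, []).append(s)
    status = {}
    for ch, ss in by_channel.items():
        nf = mean(s.noise_floor_dbm for s in ss)
        rx = sum(s.frames_rx for s in ss)
        rate = sum(s.crc_errors for s in ss) / max(1, rx)
        nf_up = nf - nf_base >= nf_rise_db
        # CRC rate is only meaningful once enough frames were seen;
        # the 1% floor stops a zero baseline from flagging everything.
        crc_up = rx >= min_frames and rate >= crc_factor * max(rate_base, 0.01)
        status[ch] = "jammed" if (nf_up and crc_up) else \
                     "interference" if (nf_up or crc_up) else "clear"
    return status

def pick_channel(status, samples):
    """Clear channel with the lowest average noise floor, or None if none is clear."""
    clear = [ch for ch, st in status.items() if st == "clear"]
    if not clear:
        return None
    noise = {ch: mean(s.noise_floor_dbm for s in samples if s.channel == ch) for ch in clear}
    return min(noise, key=noise.get)
```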
Client integrity checking
With the proper WLAN security, IT staff can identify the presence of misconfigured WLAN clients and other potential security policy violations before they pose a problem. For example, if clients have open WLAN adapters enabled or Ad-Hoc networking enabled, a "RF aware" WLAN system can identify and locate the devices with configuration violations and dynamically dissociate these devices from the rest of the WLAN, if required. Exclusion lists can prevent that device from re-associating with the WLAN until remediation has taken place.
Monitoring the RF environment can also prevent unwanted accidental client associations by identifying clients that experience these types of associations. Once identified, these clients can be placed on an exclusion list to prevent further connections until the configuration settings have been corrected.
To protect against MAC spoofing attacks an intelligent WLAN system can be configured to automatically detect these attacks and exclude offending machines from the WLAN. This can be done by flagging any occurrence in which the manufacturer name of a detected WLAN adapter differs from the known OUI (Organizationally Unique Identifier) for that equipment. Once detected, an intelligent WLAN system can prevent the known attacker from connecting to any nearby access points or any access points located throughout the entire WLAN. By disallowing spoofed MAC devices onto the WLAN and monitoring RF channel assignments certain types of man in the middle attacks can be thwarted, such as Monkey Jack, which relies on MAC spoofing and unauthorized channel assignment.
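The OUI consistency check and exclusion list described above, as an added example that is not part of the original article or of any vendor's product: each observed adapter's MAC prefix is looked up in an OUI table and compared with the manufacturer name the WLAN system learned for it, and mismatches are placed on an exclusion list until remediation. It goes one step beyond the text by also flagging the locally administered bit in the first octet, which a software-assigned address commonly sets. The OUI table entries, the Observation fields and the sample MAC addresses are constructed for the example, not real registrations.

```python
from dataclasses import dataclass

# Constructed subset of an OUI registry (first three octets -> vendor).
# These prefixes and vendor names are placeholders, not real assignments.
OUI_TABLE = {
    "00:11:22": "AcmeWireless",
    "00:33:44": "ExampleNet",
}

@dataclass(frozen=True)
class Observation:
    mac: str
    vendor_reported: str   # manufacturer name the WLAN system learned for this adapter

def normalize(mac):
    return mac.lower().replace("-", ":")

def oui_of(mac):
    return normalize(mac)[:8]

def is_locally_administered(mac):
    """True if the U/L bit (0x02 of the first octet) is set: address not burned in."""
    return bool(int(normalize(mac).split(":")[0], 16) & 0x02)

def check_observation(obs, table=OUI_TABLE):
    """Return the reasons this adapter looks spoofed; an empty list means consistent."""
    reasons = []
    registered = table.get(oui_of(obs.mac))
    if registered is None:
        reasons.append("unknown OUI")
    elif registered.lower() != obs.vendor_reported.lower():
        reasons.append(f"OUI vendor {registered} != reported {obs.vendor_reported}")
    if is_locally_administered(obs.mac):
        reasons.append("locally administered address")
    return reasons

class ExclusionList:
    """MACs barred from associating until an operator clears them."""
    def __init__(self):
        self._excluded = {}
    def exclude(self, mac, reason):
        self._excluded[normalize(mac)] = reason
    def allowed(self, mac):
        return normalize(mac) not in self._excluded
    def remediate(self, mac):
        self._excluded.pop(normalize(mac), None)

def process(observations, exclusions):
    """Check every observation, exclude the suspicious ones, return what was flagged."""
    flagged = {}
    for o in observations:
        reasons = check_observation(o)
        if reasons:
            exclusions.exclude(o.mac, "; ".join(reasons))
            flagged[normalize(o.mac)] = reasons
    return flagged
```

Constructed input for a run: an adapter whose OUI and reported vendor agree, one whose reported vendor does not match its OUI, and one using a locally administered address with a prefix absent from the table.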
Delivering air tight WLAN security
With the proper tools in place, an enterprise wireless network can be as secure as, if not more secure than, traditional wireline deployments. The key issue for enterprises is to understand what threats exist, what risks they pose and how to control them. One of the first lines of defence is real-time detection of common physical and MAC layer threats, like the ones identified here. When coupled with intelligent RF management, secure encryption, network access control, and location based security, enterprises have all the tools necessary to confidently deploy business critical applications over their Wireless LANs.
Brian Mansfield is Manager, Product Marketing at Airespace