Improving WLAN Security

As the vulnerabilities of 802.11b wireless networks become widely known and exploits are made available, ISPs need to improve security. We examine tools, and basic security procedures, that are available to everyone.

by Lisa Phifer
VP Core Competence, Inc.
[November 26, 2001]

Over the past year, much has been written about the vulnerabilities of 802.11b wireless LANs. Researchers from AT&T Labs, UC Berkeley, Intel, and University of Maryland have identified holes in Wired Equivalent Privacy (WEP) that let attackers learn the keys used to encrypt 802.11b traffic. Tools like NetStumbler exploit 802.11b behavior, sniffing the airwaves to discover cards, access points, and the peer-to-peer or infrastructure networks in which they participate. AirSnort and WEPCrack even use captured traffic to recover crypto keys. Today, anyone armed with one of these shareware tools, a wireless card, antenna, and GPS is capable of "war driving".

First, acknowledge the problem

802.11b vulnerability assessment products are finding opportunity in WEP's misfortune. One company, Cigital, offers assessment services that survey 802.11b access points, identifying correctable configuration weaknesses that range from default Service Set IDs (SSIDs) to risk factors for ARP cache poisoning. NetStumbler and AirSnort are also handy for self-assessment. By roaming around your building or campus, you may discover underground WLANs that you didn't know about. For more systematic, ongoing introspection, consider commercial products like the ISS Internet Scanner and RealSecure IDS, recently enhanced to spot and monitor 802.11b wireless-borne attacks.

Next, make the best of WEP

War drivers report that just 30 to 40 percent of discovered WLANs now use WEP. For heaven's sake, enable WEP and change your keys frequently! Consider using 802.11b products with dynamic key generation, like Agere's ORiNOCO AS-2000 or NextComm's R7210. Configure long, hard-to-guess SSIDs.
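
An added example, not part of the original article: a small self-assessment script that checks a site survey against an access point inventory and reports the configuration weaknesses named above (underground WLANs, default SSIDs, short SSIDs, WEP turned off). The CSV layout, the inventory, the default-SSID list and the length threshold are all assumptions made for illustration, and the survey rows are constructed sample data.

```python
import csv
import io

# Constructed survey export (hypothetical layout, not any tool's real format).
SURVEY_CSV = """bssid,ssid,wep,channel
02:00:00:00:00:01,corp-7f3k9q2x-wlan,on,1
02:00:00:00:00:02,linksys,off,6
02:00:00:00:00:03,corp-7f3k9q2x-wlan,off,11
02:00:00:00:00:99,lab,on,6
"""

# Assumed inventory of access points that IT actually deployed.
AUTHORIZED_BSSIDS = {
    "02:00:00:00:00:01",
    "02:00:00:00:00:02",
    "02:00:00:00:00:03",
}

# Illustrative, non-exhaustive list of vendor default SSIDs.
DEFAULT_SSIDS = {"linksys", "tsunami", "default"}

MIN_SSID_LEN = 8  # assumed local policy for a "long" SSID


def audit(survey_text, authorized=AUTHORIZED_BSSIDS):
    """Return {bssid: [finding, ...]} for each access point with a weakness."""
    findings = {}
    for row in csv.DictReader(io.StringIO(survey_text)):
        bssid = row["bssid"].strip().lower()
        ssid = row["ssid"].strip()
        issues = []
        if bssid not in authorized:
            issues.append("unauthorized-ap")  # underground WLAN
        if ssid.lower() in DEFAULT_SSIDS:
            issues.append("default-ssid")
        elif len(ssid) < MIN_SSID_LEN:
            issues.append("short-ssid")
        if row["wep"].strip().lower() != "on":
            issues.append("wep-disabled")
        if issues:
            findings[bssid] = issues
    return findings


if __name__ == "__main__":
    for bssid, issues in audit(SURVEY_CSV).items():
        print(bssid, ", ".join(issues))
```
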
Apply MAC filters or use VLANs to restrict access to authorized cards. Track inventory to make sure those cards stay in employee hands, and please block MACs that belong to lost or stolen cards. Lock down access point management interfaces, just as you would on any perimeter router or firewall. Use anti-virus and personal firewall software to keep the wireless client clean, preventing back-channels.

By combining firewall defense with IPsec, SSH, or SSL, you can better prevent wireless eavesdropping and block access by unauthenticated clients. For example, many companies have already deployed a SafeNet or Ashley-Laurent VPN client on laptops for secure remote access. The same client can often tunnel IPsec over wireless to a VPN gateway located between the access point and the rest of the corporate network. Alternatively, consider an access point with built-in IPsec, available from vendors like Colubris Networks.

When roaming, wireless cards often use DHCP to obtain a new IP from each access point. This can be a problem for network layer solutions like IPsec. If roaming is essential to your 802.11b deployment, consider wireless "VPN" solutions from companies like NetMotion, Columbitech, or Ecutel. These products use servers that run proprietary, WTLS, or Mobile IP protocols to avoid session interruption when a wireless client changes its address. They also offer user-level authentication, which may or may not be present in your IPsec VPN today.

For Windows XP, consider using 802.1x

802.11b Open System Authentication is no authentication