Wireless Security Considerations: Common Security Threats to Wireless Networks
With the deployment of wireless LANs in almost any type of environment, the risk of attacks occurring on wireless networks goes up. A number of different reasons are behind this, but it mainly stems from a lack of wireless network knowledge.
Unlike a wired network which requires physical access to a device, a wireless network can be targeted and exploited from a distance. This article reviews some basic wireless security fundamentals and reviews some of the most common threats that exist when deploying wireless networks.
Wireless Security Basics
There are a number of basic fundamentals that a person or company needs to be aware of when deploying a wireless network. The first is a basic understanding of what frequencies will be used by the equipment being deployed; this is very important when deploying a wireless network as it affects the amount of interference that the network will be subject to depending on the specific environment.
At this point in time, there are two main frequency bands that are used for wireless LANs (802.11); these include the 2.4 GHz and 5 GHz bands. From a security perspective, the choice of frequency does not greatly affect the security risk of the network. What it does affect is the number of available non-overlapping channels that are available on the network; for the most part this will not affect security except when an attacker is attempting to jam or block a specific frequency to force wireless endpoints to switch Access Points (AP).
Endpoint devices identify wireless networks using a service set identifier (SSID) along with a set of security parameters. On most wireless deployments, the SSID is broadcast from the APs allowing the clients the ability to easily associate. It is possible to not broadcast the SSID which provides a little protection from those wireless network attackers with little operating knowledge; however for an experienced wireless attacker this is not a very effective security measure.
The real security for a wireless network comes from the selection of a proven security technique, there have been a number of different security techniques deployed that have been broken. As of this writing the most secure technique is IEEE 802.11i which is also known as WPA2. This standard provides two different modes of operation including one typically referred to as Personal or Pre-Shared Key (PSK) and Enterprise:
- WPA2-Personal – utilizes a shared key that is communicated to both sides (AP and client) before establishing a wireless connection; this key is then used to secure the traffic.
- WPA2-Enterprise – utilizes the IEEE 802.1x protocol to authenticate a wireless client using an authentication server before traffic is allowed.
Common Wireless Threats
There are a number of main threats that exist to wireless LANS, these include:
- Rogue Access Points/Ad-Hoc Networks
- Denial of Service
- Configuration Problems (Mis-Configurations/Incomplete Configurations)
- Passive Capturing
Let’s go through each of these in more detail.
• Rogue Access Points/Ad-Hoc Networks
One method that is often used by attackers targeting wireless LANS is to setup a rogue access point that is within the range of the existing wireless LAN. The idea is to ‘fool’ some of the legitimate devices into associating to this access point over the legitimate access points.
To really be effective, this type of attack requires some amount of physical access; this is required because if a user associates with a rogue access point then is unable to perform any of their normal duties the vulnerability will be short lived and not that effective. If an attacker is able to gain access to a physical port on a company network and then hook the access point into this port, it is possible to get devices to associate with the rogue access point and capture data through it for an extended period of time. The exception to this is when the wireless LAN being targeted only provides Internet access; it is much easier for a rogue access point to offer simple Internet access and leave the user unaware of their vulnerability for an extended amount of time.
On the same idea of rogue access points is unauthorized access points (not malicious) and unauthorized ad-hoc networks. In these situations, a legitimate user sets up an access point or ad-hoc network for their use but does not implement proper security techniques which provides an opening for watching attackers.
• Denial of Service
Anybody familiar with network security is aware of the concept of denial of service (DoS). It is one of the simplest network attacks to perpetrate because it only requires limiting access to services. This can be done by simply sending a large amount of traffic at a specific target. Of course, the amount of traffic required to affect a target device can be much higher than the capabilities of a single machine.
However, the flooding of traffic is not the only way to limit access to services; for wireless networks it can be much easier as the signal can be interfered with through a number of different techniques. When a wireless LAN is using the 2.4 GHz band, interference can be caused by something as simple as a microwave oven or a competing access point on the same channel. Because the 2.4 GHz band is limited to only 3 non-overlapping channels (U.S.), an attacker just needs to cause enough interference into these three channels to cause service interruption.
A denial of service attack can also be used in conjunction with a rogue access point. For example, a rogue access point could be setup in a channel not used by the legitimate access point and then a denial of service attack could be launched at the channel currently being used causing endpoint devices to try to re-associate onto a different channel which is used by the rogue access point.
• Configuration Problems
Simple configuration problems are often the cause of many vulnerabilities, this is because many consumer/SOHO grade access points ship with no security configuration. A novice user can set up one of these devices quickly and gain access. However they also open up their network to external use without further configuration.
Other potential issues with configuration include weak passphrases, weak security deployments (i.e. WEP vs WPA vs WPA2), and default SSID usage among others.
• Passive Capturing
Passive capturing is performed by simply getting within range of a target wireless LAN and then listening and capturing data. This information can be used for a number of things including attempting to break existing security settings and analyzing non-secured traffic. It is almost impossible to really prevent this type of attack because of the nature of a wireless network; what can be done is to implement high security standards using complex parameters.
The nature of a wireless network is to provide easy access to end users, but this ease of access creates a more open attack surface. Unlike a wired network that requires an attacker to physically access part of the network, a wireless network only requires that the attacker be in close proximity (and even this is relative).
The best attitude to take towards wireless security it to be constantly vigilant; ensure that the security used on a wireless network is adapted as the standards change to ensure a high level of security.
Hopefully the information within this article will be your starting point in securing your wireless networks. If you’re interested in learning more about wireless networking and wireless security, then take a look at TrainSignal’s Cisco CCNA Wireless Training and CWNA Training which focus on wireless networking and administration.