WLAN 802.11b Security FAQ

From: Christopher Klaus (cwkpublic@iss.net)
Date: 12/30/02


From: "Christopher Klaus" <cwkpublic@iss.net>
Date: Mon, 30 Dec 2002 10:11:32 -0500

Wireless LAN Security FAQ

By Christopher W. Klaus of Internet Security Systems (ISS). Please
send corrections, additions, and new questions to cwkpublic@iss.net.

Version 1.6 - Last Updated September 30th 2002
     _________________________________________________________________

                                   Contents

     * [0] Where do I get the latest version of this Wireless LAN
       Security FAQ?
     * [1] What is the overview of Wireless LAN 802.11 technology?
          + [1.1] When will 802.11a arrive and how will the security be
            different than 802.11b?
          + [1.2] What is an Access Point?
          + [1.3] How much does the equipment for wireless 802.11b cost?
          + [1.4] Are companies the only wireless targets by attackers?
          + [1.5] Where can you find wireless 802.11 networks?
          + [1.6] How does the antenna affect wireless LAN security?
               o [1.6.1] How do I build a cheap and effective antenna?
          + [1.7] Can you spot a laptop with wireless 802.11 capability
            by looking for the antenna?
     * [2] What are the major security risks to 802.11b?
          + [2.1] What are Insertion Attacks?
               o [2.1.1]Plug-in Unauthorized Clients
               o [2.1.2]Plug-In Unauthorized Renegade Base Stations
          + [2.2] What are Interception and monitoring wireless traffic
            attacks?
               o [2.2.1] Wireless Sniffer
               o [2.2.2] Hijacking the session
               o [2.2.3] Broadcast Monitoring
               o [2.2.4] ArpSpoof Monitoring and Hijacking
                    # [2.2.4.1] Hijacking SSL (Secure Socket Layer) and
                      SSH (Secure Shell) connections
               o [2.2.5] BaseStation Clone (Evil Twin) intercept traffic
          + [2.3] What are AP and Client Misconfigurations?
               o [2.3.1] Server Set ID (SSID)
                    # [2.3.1.1] What are the default SSID's?
               o [2.3.2] What is Secure Access Mode?
               o [2.3.3] Bruteforce Base Station SSID
               o [2.3.4] Can the SSID be encrypted?
               o [2.3.5] By turning off the broadcast of SSID, can
                 someone still sniff the SSID?
               o [2.3.6] Wired Equivalent Privacy (WEP)
                    # [2.3.6.1] Attacks against WEP
                    # [2.3.6.2] Default WEP Keys
                    # [2.3.6.3] How Large is WEP Keys
               o [2.3.7] SNMP community words
                    # [2.3.7.1] SNMP Vulnerabilities
               o [2.3.8] Configuration Interfaces
               o [2.3.9] Client side security risk
               o [2.3.10] Installation Risk
          + [2.4] What is Jamming?
               o [2.4.1] 2.4 GHz Interfering Technology
          + [2.5] What are Client to Client Attacks?
               o [2.5.1] Filesharing and other TCP/IP service attacks
               o [2.5.2] DOS (Denial of Service)
               o [2.5.3] Hybrid Threats
          + [2.6] War Driving Access Point Maps
          + [2.7] Parasitic Grids
     * [3] What are solutions to minimizing WLAN security risk?
          + [3.1] Wireless Security Policy and Architecture Design
               o [3.1.1] Basic Field Coverage
          + [3.2] Treat BaseStations as Untrusted
          + [3.3] Base Station Configuration Policy
               o [3.3.1] 802.1X Security
          + [3.4] Base Station Discovery
               o [3.4.1] Honeypots - FakeAP
          + [3.5] Base Station Security Assessments
          + [3.6] Wireless Client Protection
     * [4] Who is making 802.11 Security Solutions?
          + [4.1] 802.11 Gateway Infrastructure
          + [4.2] 802.11 Security Analysis Tools
     * [5] About Internet Security System's Wireless 802.11b Solution
     * [6] Acknowledgements
     _________________________________________________________________

Recent Updates

   Version 1.6
     * Added new war driving maps.
     * Updated 802.11a as being now available.
     * Added how large is WEP key information.
     * Added acknowledgements section
     * Added Honeypots - FakeAP
     * Add basic field coverage strategy

   Version 1.5
     * Added all of Netgear's default WEP keys.
     * Added Pringles Can and Waveguide Antenna Info.
     * Added hybrid threats, next-gen virus/worm spread by wireless.
     * Added Parasitic Grids. Free anonymous access for intruders.
     * Added SNMP vulnerabilities.
     * Added 802.1X Security, and its flaws.
     * Added MiniStumbler, Wireless Scanner, BlackICE PC Protection.
     * Added info on Broadcast pings.

   Version 1.3
     * Added Section 1.7 regarding internal antenna.
     * Added link to Cigital regarding ArpSpoofing. Cigital put together
       a nice diagram of the attack.
     * Added Default WEP key for NetGear AP.
     * Added link to BSD version of AirSnort.

   Version 1.2
     * Added where this WLAN Security FAQ can be found.
     * Cleaned up the formatting
     * Added better indexing, added hyperlinks between index and content
     * Added link to article on wireless LAN antennas

   Version 1.1
     * Added NetStumbler, WEPCrack tools, Added WEP insecurity paper
     * Added Ecutel, BlueSocket, and NetMotion as WLAN Sec. Products
     * Updated Accuracy of WEP description and made it clear that SSID
       not being encrypted.
     * Added Broadcast of SSID turned off can still be circumvented.
     * Added Addtron's default SSID, a popular AP
     * Added War Driving AP maps.
     * Added 802.11 ArpSpoof, a technique used by ISS X-Force Consulting.
     * Added hijacking SSH and SSL connections via wireless.
     * Added 2 X-Force Advisories on Wireless 802.11 flaws

   Version 1.0
     * First draft
     _________________________________________________________________

   [0] Where do I get the latest version of this Wireless LAN Security FAQ?

     * The most current version is on the Web at
       http://www.iss.net/wireless
     * It will be regularly posted to issforum@iss.net
       (http://www.iss.net/maillists).

     * It will be posted to the following Usenet newsgroups:
     * comp.security.misc,comp.security.firewalls,comp.security.unix,
     * comp.std.wireless,comp.dcom.sys.cisco,comp.dcom.sys.nortel,
     * comp.dcom.telecom

          [1] What is the overview of Wireless LAN 802.11 technology?

   Wireless LAN technology standard 802.11b has the strongest momentum to
   becoming the main standard for corporate internal wireless LAN
   networks. The bandwidth of 802.11b is 11 mbits and operates at 2.4 GHz
   Frequency. The successor of this current 802.11b standard is 802.11a
   and it is designed to be faster speed and operate at a different
   frequency. While 802.11a standard and the technology behind it has
   become available, 802.11b is still widely used today and many
   companies and individuals are deploying it or deploying dual 802.11b
   and 802.11a devices.

   As more wireless technology is developed and implemented, the
   complexity of the types of attacks will increase, but these appear the
   standard main methods used to break and attack wireless systems. These
   attacks may be very similar against other wireless type technologies
   and is not unique to 802.11b. By understanding these risks and how to
   develop security solution for 802.11b, this will be a good
   stepping-stone for providing a good secure solution to any wireless
   solution.

[1.1] When will 802.11a arrive and how will the security be different than
802.11b?

   Most manufacturers of wireless technologies have come out with 802.11a
   technology now. The specifications for the protocols of 802.11a are
   very similar to 802.11b, therefore many of the security risks are
   shared for both 802.11a and 802.11b. Many of the security issues
   around 802.11b will continue to be an issue with 802.11a, therefore by
   understanding current issues will help organizations deal with future
   issues as well.

[1.2] What is an Access Point?

   The AP (access point also known as a base station) is the wireless
   server that connects clients to the internal network. Base stations
   typically act as a bridge for the clients. There is an IP address for
   management configuration of the base station. The base stations
   typically have an SNMP agent for remote management.

[1.3] How much does the equipment for wireless 802.11b cost?

   Base stations have become relatively inexpensive, approximately under
   $300US. The 802.11 client cards for PDAs, laptops, and desktops are
   approximately under $100US. Because of inexpensive equipment to get
   into wireless, attackers can get easy access to the tools necessary to
   apply the attack. Because of the inexpensive price, within many
   companies employees can purchase wireless equipment without approval
   and deploy this in a rogue fashion, creating additional risk.

[1.4] Are companies the only wireless targets by attackers?

   While this FAQ focuses on the risk issues from a corporate network
   perspective, these same issues apply to home networks and
   telecommuters that are using wireless. As the corporate networks are
   allowing in remote users, these remote users may be using wireless at
   their end-point to connect in. In this case, even if wireless
   capabilities have not been installed on the corporate network, they
   may still be affected by the risk that their remote employees are
   using wireless at home or on the road.

[1.5] Where can you find wireless 802.11 networks?

   Airports, hotels, and even coffee shops like Starbucks are deploying
   802.11 networks so people can wirelessly browse the Internet with
   their laptops. As these types of networks increase, this will create
   additional security risk for the remote user if not properly
   protected.

[1.6] How does the antenna affect wireless LAN security?

   Because the intruder must be within range of the signal, a properly
   selected and positioned antenna within a building can minimize how far
   the signal can reach and therefore reduce leakage and interception.
   For selecting different antenna designs for appropriate signal
   reception, here is an article on wireless antennas:
     * Antennas Enhance WLAN Security in Byte Magazine, October 2001.
     * http://www.byte.com/documents/s=1422/byt20010926s0002/1001_marshal
       l.html

   [1.6.1] How do I build a cheap and effective antenna?

   There are many people who are building cheap antennas with various
   cheap cans bought at the grocery store including the Pringles can and
   beef stew cans. The waveguide cans appear to be significantly
   stronger in strength. Here is a good guide to building Pringles and
   waveguide antennas:
     * 802.11b Homebrew Antenna Shootout
     * http://www.turnpoint.net/wireless/has.html

[1.7] Can you spot a laptop with wireless 802.11 capability by looking for the
antenna?

   Many major computer manufacturers are now supporting built in wireless
   802.11 capability and many new laptops are building an internal
   wireless antenna. The physical antenna will not be easy to spot on all
   laptops.

               [2] What are the major security risks to 802.11b?

   Here is the list of main known security risks with 802.11b:
     * Insertion Attacks
     * Interception and monitoring wireless traffic
     * Misconfiguration
     * Jamming
     * Client to Client Attacks

[2.1] What are Insertion Attacks?

   The insertion attacks are based on placing unauthorized devices on the
   wireless network without going through a security process and review.

  [2.1.1] Plug-in Unauthorized Clients

   An attacker tries to connect their wireless client, typically a laptop
   or PDA, to a basestation without authorization. Base stations can be
   configured to require a password before clients can access. If there
   is no password, an intruder can connect to the internal network by
   connecting a client to the base station.

  [2.1.2] Plug-in Unauthorized Renegade Base Station

   Many companies may not be aware that internal employees have deployed
   wireless capabilities on their network. An internal employee wanting
   to add their own wireless capabilities to the network plugs in their
   own base station into the wired intranet. This is a risk if the base
   station has not been properly secured. This could lead to the
   previously described attack of unauthorized clients then gaining
   access to unauthorized base stations, allowing intruders into the
   internal network. Typically, companies may need a policy against
   allowing employees to add wireless base stations onto the corporate
   network without requesting permission and going through a security
   process. A sophisticated intruder may physical place a base station on
   the victims' network to allow them remote access via wireless.

[2.2] What are Interception and monitoring wireless traffic attacks?

   These interception and monitoring attacks are popular on broadcast
   wired networks like Ethernet. The same principles apply to wireless.

  [2.2.1] Wireless Sniffer

   An attacker can sniff and capture legitimate traffic. Many of the
   sniffer tools for Ethernet are based on capturing the first part of
   the connection session, where the data would typically include the
   username and password. An intruder can masquerade as that user by
   using this captured information. An intruder who monitors the wireless
   network can apply this same attack principle on the wireless.

   One of the big differences between wireless sniffer attacks and wired
   sniffer attacks is that a wired sniffer attack is achieved by remotely
   placing a sniffer program on a compromised server and monitor the
   local network segment. This sniffer based attack can happen from
   anywhere in the world. Wireless sniffing requires the attacker to
   typically be within range of the wireless traffic. This is usually
   around 300 feet range, but wireless equipment keeps strengthening the
   signal and pushing this range further out.

  [2.2.2] Hijacking the session

   If an attacker can sniff the wireless traffic, it is possible to
   inject false traffic into a connection. An attacker may be able to
   issue commands on behalf of a legitimate user by injecting traffic and
   hijacking their victim's session.

  [2.2.3] Broadcast Monitoring

   If a base station is connected to a hub rather than a switch, any
   network traffic across that hub can be potentially broadcasted out
   over the wireless network. Because the Ethernet hub broadcasts all
   data packets to all connected devices including the wireless base
   station, an attacker can monitor sensitive data going over wireless
   not even intended for any wireless clients.

  [2.2.4] ArpSpoof Monitoring and Hijacking

   Normally, in regards to an AP, the network data traffic on the
   backbone of a subnet would be treated similarly like a network switch,
   thus traffic not intended for any wireless client would not be sent
   over the airwaves. This could reduce significantly the amount of
   sensitive data over the wireless network.

   An attacker using the arpspoof technique can trick the network into
   passing sensitive data from the backbone of the subnet and route it
   through the attacker's wireless client. This provides the attacker
   both access to sensitive data that normally would not be sent over
   wireless and an opportunity to hijack TCP sessions. Dsniff is a
   popular tool that enables arpspoofing and is available at:
   http://www.monkey.org/~dugsong/dsniff/

   and Cigital has a diagram depicting the attack available at:
   http://www.cigital.com/news/wireless/arppoison.gif

   [2.2.4.1]Hijacking SSL (Secure Socket Layer) and SSH (Secure Shell)
   connections.

   By using arpspoofing technique, an attacker can hijack simple TCP
   connections. There are tools that allow for hijacking SSL and SSH
   connections. Typically, when SSL and SSH connections get hijacked, the
   only alert to the end-user is a warning that the credentials of the
   host and certificate have changed and ask if you trust the new ones.
   Many users simply accept the new credentials, thus allowing an
   attacker to succeed. A reasonable interim measure to prevent the
   attack is to have users enable SSH's StrictHostKeyChecking option, and
   to distribute server key signatures to mobile clients.

   The Dsniff FAQ explains how to hijack in detail SSH and HTTPS
   connections: http://www.monkey.org/~dugsong/dsniff/faq.html

  [2.2.5] BaseStation Clone (Evil Twin) intercept traffic

   An attacker can trick legitimate wireless clients to connect to the
   attacker's honeypot network by placing an unauthorized base station
   with a stronger signal within close proximity of the wireless clients
   that mimic a legitimate base station. This may cause unaware users to
   attempt to log into the attacker's honeypot servers. With false login
   prompts, the user unknowingly can give away sensitive data like
   passwords.

[2.3] What are AP and Client Misconfigurations?

   By default, all the base stations analyzed out of the box from the
   factory were configured in the least secure mode possible. Adding the
   proper security configuration was left up as an exercise to the
   administrator to lock down. Unless the administrator of the base
   station understands the security risks, most of the base stations will
   remain at a high risk level. The analysis of three base station models
   by the leading 802.11 vendors lead to many configuration issues that
   should be audited and assessed by the organization. The top three base
   station vendors analyzed were Cisco, Lucent, and 3Com. The security
   risks identified may change in newer versions of the 802.11 solution
   as it is evolving rapidly. Each vendor had different implementation
   security risks, but the underlying issues are the same and can be
   applied to other vendors not listed here.

  [2.3.1] Server Set ID (SSID)

   SSID is a configurable identification that allows clients to
   communicate to the appropriate base station. With proper
   configuration, only clients that are configured with the same SSID can
   communicate with base stations having the same SSID. SSID from a
   security point of view acts as a simple single shared password between
   base stations and clients.

    [2.3.1.1] What are the default SSID's?

   Each of the base station models came with default SSIDs. Attackers can
   use these default SSIDs to attempt to penetrate base stations that are
   still in their default configuration. Here are some default SSIDs:
     * "tsunami" - Cisco
     * "101" - 3Com
     * "RoamAbout Default Network Name" - Lucent/Cabletron
     * "Default SSID"
     * "Compaq" - Compaq
     * "WLAN" - Addtron, a popular AP
     * "intel" - Intel
     * "linksys" - Linksys
     * "Wireless"

  [2.3.2]What is Secure Access mode?

   Lucent has Secure Access mode. This configuration option requires the
   SSID of both client and base station to match. By default this
   security option is turned off. In non-secure access mode, clients can
   connect to the base station using the configured SSID, a blank SSID,
   and the SSID configured as "any".

  [2.3.3] Bruteforce Base Station SSID

   Most base stations today are configured with a server set id (SSID)
   that acts as a single key or password that is shared with all
   connecting wireless clients.

   An attacker can try to guess the base station SSID by attempting to
   use a bruteforce dictionary attack by trying every possible password.
   Most companies and people configure most passwords to be simple to
   remember and therefore easy to guess. Once the intruder guesses the
   SSID, they can gain access through the base station.

   The SSID could be obtained through one of the wireless clients
   becoming compromised or an employee resigns knowing the key, there is
   risk that anyone with the SSID could still connect to the base station
   until the SSID is changed. If there are many wireless users and
   clients, it can become problematic to scale this security solution if
   the SSID needs to be changed frequently and all clients and base
   stations need to reconfigured with an updated shared single SSID each
   time.

  [2.3.4] Can the SSID be encrypted?

   WEP, the encryption standard for 802.11, only encrypts the data
   packets not the 802.11 management packets and the SSID is in the
   beacon and probe management messages. The SSID is not encrypted if WEP
   is turned on. The SSID goes over the air in clear text. This makes
   obtaining the SSID easy by sniffing 802.11 wireless traffic.

  [2.3.5] By turning off the broadcast of SSID, can someone still sniff the
  SSID?

   Many APs by default have broadcasting the SSID turned on. Sniffers
   typically will find the SSID in the broadcast beacon packets. Turning
   off the broadcast of SSID in the beacon message (a common practice)
   does not prevent getting the SSID; since the SSID is sent in the clear
   in the probe message when a client associates to an AP, a sniffer just
   has to wait for a valid user to associate to the network to see the
   SSID.

  [2.3.6] Wired Equivalent Privacy (WEP)

   WEP can be typically configured in 3 possible modes:
     * No encryption mode
     * 40 bit encryption
     * 128 bit encryption

   WEP, by default out of the box, all base station models analyzed have
   WEP turned off. 64 bit encryption versus 128 bit encryption provides
   no added protection against the known flaw in WEP.

   Most public wireless LAN access points (i.e., airports, hotels, etc)
   do not enable WEP. Based on statistical analysis in regions like New
   York, San Francisco, London, Atlanta,

   most companies do not turn on WEP security on their APs. If the AP
   does not enable WEP, the wireless clients can not use the WEP
   encryption.

   In some base stations, it is optional whether the encryption is
   enforced. The WEP encrypted may be turned on, but if it is not
   enforced, a client without encryption with the proper SSID can still
   access that base station.

    [2.3.6.1] Attacks against WEP

   802.11b standard uses encryption called WEP (Wired Equivalent
   Privacy). It has some known weaknesses in how the encryption is
   implemented.

   Papers on WEP Insecurities
     * Researchers at Berkeley have documented these findings at:
     * http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
     * Using the Fluhrer, Mantin, and Shamir Attack to Break WEP
     * http://www.cs.rice.edu/~astubble/wep/wep_attack.html

   Using WEP is better than not using it. It at least stops casual
   sniffers. Today, there are readily available tools for most attackers
   to crack the WEP keys. Airsnort and others tools take a lot of packets
   (several million) to get the WEP key, on most networks this takes
   longer than most people are willing to wait. If the network is very
   busy, the WEP key can be cracked and obtained within 15 minutes.

   The fix for encryption weakness for the standard is not slated to be
   addressed before 2002.

   Because of the WEP weakness, wireless sniffing and hijacking
   techniques can work despite the WEP encrypted turned on.

   There is the IEEE 802.1X standard which allows network access to be
   authenticated and keys to be distributed. This allows access to APs to
   be authenticated and WEP keys to be distributed and updated. More APs
   are starting to support this standard.

  [2.3.6.2] Default WEP Keys

   The NetGear Access Point uses the following 4 WEP sequences as default
   keys.
     * 10 11 12 13 14
     * 21 22 23 24 25
     * 31 32 33 34 35
     * 41 42 43 44 45

   It is recommended not to use the default WEP keys.

   Please e-mail cwkpublic@iss.net if you know of other default WEP keys
   for Access Points.

  [2.3.6.3] How Large is WEP Keys

   The original 802.11 specification defined a 40-bit key. This key is
   combined with a 24 bit quantity known as the "initialization vector"
   (which is created automatically by the wireless network hardware) and
   these 64 bits are used within the RC4 encryption in order to produce
   the encrypted data. Some vendors describe this as 64-bit encryption
   (since technically RC4 is using 64 bits), but others describe it as
   40-bits
   (since the initialization vector is public unencrypted data so it does
   not contribute to the security of the system). Therefore 40-bit and
   64-bit WEP keys are the same thing, just being described from
   different points of view. Most 802.11 hardware now supports a larger
   104-bit key; this also has a 24-bit initialization vector and so it is
   also sometimes marketed as a 128-bit system.

  [2.3.7] SNMP community words

   Many of the wireless base stations have SNMP (Simple Network
   Management Protocol) agents running. If the community word is not
   properly configured, an intruder can read and potentially write
   sensitive information and data on the base station. If SNMP agents are
   enabled on the wireless clients, the same risk applies to them as
   well.

   By default, all three base stations are read accessible by using the
   community word, "public". With the default of most base stations using
   the community word "public", potentially sensitive information can be
   obtained from the base station.

   By default, the 3com base station has write access by using the
   community word, "comcomcom". Cisco and Lucent/Cabletron require the
   write community word to be configured by the user before it is
   enabled.

   [2.3.7.1] SNMP vulnerabilities

   Many implementations of SNMP were found to be vulnerable by using the
   PROTOS tool developed by University of Oulu . This affected many
   vendors, many of which produce wireless access points. Check with
   your vendor and see if there is a firmware patch regarding SNMP
   vulnerabilities. For more information on the testing tool for finding
   SNMP issues, check here:
     * http://www.ee.oulu.fi/research/ouspg/protos/
     * http://www.iss.net/security_center/alerts/advise110.php

  [2.3.8] Configuration Interfaces

   Each base station model has its own interfaces for viewing and
   modifying the configuration. Here are the current interface options
   for each base station:
     * Cisco - SNMP, serial, Web, telnet
     * Lucent / Cabletron - SNMP, serial (no web/telnet)
     * 3Com - SNMP, serial, Web, telnet.

   3com base station lacks any access control from the web interfaces for
   reading the configuration options. By connecting to the 3com base
   station web interface, it provides SSID on the "system properties
   menu" display. An attacker who finds a 3com base station web interface
   can easily get the SSID.

   3com base station does require a password on the web interface for
   write privileges. The password is the same as the community word for
   write privileges, therefore 3com base stations are at risk if deployed
   using the default, "comcomcom" as the password. This gives an attacker
   easy write access.

  [2.3.9] Client side security risk

   For the clients connecting to the base station, they store sensitive
   information for authenticating and communicating to the base station.
   If the client is not properly configured, access to this information
   is available.
     * Cisco client software stores the SSID in the Windows registry.
       Cisco stores the WEP key in the firmware, which is difficult to
       gain access to.
     * Lucent/Cabletron client software stores the SSID in the Windows
       registry. The WEP is stored in the Windows registry but it is
       encrypted. The encryption algorithm is not documented.
     * 3Com client software stores the SSID in the Windows registry. The
       WEP key is stored in registry with no encryption.

   Windows XP has 802.11 configuration and has a display of the available
   SSID's built-in to the OS.

  [2.3.10] Installation Risk

   By default, all installations are optimized for the quickest
   configuration to get users successful out of the box. Inversely, by
   default, the installations are configured the least secure mode as
   possible.

   From out of the box experience, Cisco was simple and easiest to
   install. 3Com installation was straight forward out of the box. And
   Lucent/Cabletron had many firmware upgrades which led to confusion on
   which upgrades to install.

[2.4] Jamming

   Denial of service attacks for wired networks are popular. This same
   principle can be applied to wireless traffic, where legitimate traffic
   gets jammed because illegitimate traffic overwhelms the frequencies,
   and legitimate traffic can not get through.

  [2.4.1] 2.4 GHz Interfering Technology

   An attacker with the proper equipment and tools can easily flood the
   2.4 GHz frequency, so that the signal to noise drops so low, that the
   wireless network ceases to function. This can be a risk with even
   non-malicious intent as more technologies use the same frequencies and
   cause blocking. Cordless phones, baby monitors, and other devices like
   Bluetooth that operate on the 2.4 GHz frequency can disrupt a wireless
   network.

[2.5] What are Client to Client Attacks?

   Two wireless clients can talk directly to each other by-passing the
   base station. Because of this, each client must protect itself from
   other clients.

    [2.5.1] Filesharing and other TCP/IP service attacks

   If a wireless client, like a laptop or desktop, is running TCP/IP
   services like a web server or file sharing, an attacker can exploit
   any misconfigurations or vulnerabilities with another client.

    [2.5.2] DOS(Denial of Service)

   A wireless client can flood another wirelss client with bogus packets,
   creating a denial of service attack. An attacker and sometimes
   employees unintentionally can configure their client to duplicate the
   IP or MAC address of another legitimate client causing disruption on
   the network.

   [2.5.3] Hybrid Threats

   Next generation virus and worms have become a multi-vector attack
   programs that self-propagate through any TCP/IP interface including
   wireless. If one computer on a wireless network is infected with a
   hybrid threat, this threat can easily spread to other wireless
   computers and potentially internal computers behind the wireless
   network.

[2.6] War Driving Access Point Maps

   As people are "War Driving", and locating the APs and recording the
   GPS coordinates of the AP location, these AP maps are being shared to
   any attacker on the Internet. If a company has their AP location and
   information shared on the Internet, their AP becomes a potential
   target and increases their risk. They usually include a visual map and
   a database query tool for locating various AP's. Here are some popular
   places to upload War Driving AP maps.
     * http://www.netstumbler.com.
     * http://www.wigle.net
     * http://www.wifimaps.com

   [2.7] Parasitic Grids

   From article, "An underground movement to deploy free wireless access
   zones in metropolitan areas is taking hold... The movement, called
   by some the "parasitic grid" and by others more simply the "free metro
   wireless data network," has already installed itself in New York; San
   Francisco; Seattle; Aspen, Colo., Portland, Ore., British Columbia;
   and London..." This provides attackers and intruders completely
   anonymous access. Trying to locate and trace attackers using the
   parasitic grid becomes an impossible task.
     * http://www.infoworld.com/articles/hn/xml/01/08/24/010824hnfreewire
       less.xml

           [3] What are solutions to minimizing WLAN security risk?

   There are many options that organizations can do today to put proper
   security protection around their wireless strategy and technology.

[3.1] Wireless Security Policy and Architecture Design

   Many organization need to develop a wireless security policy to define
   what is and what is not allowed with wireless technology. From a
   holistic view, the wireless network should be designed with the proper
   architecture to minimize risk.

   [3.1.1] Basic Field Coverage

   Because of wireless leakage, one of the first principals to basic
   field coverage is to only provide coverage for the areas that you want
   to have access.
   By using directional antennas and lowering the transmit power (on
   commercial class equipment - i.e., Cisco and Lucent), 85% (or higher)
   of the typical 802.11 signal leakage can be effectively eliminated.

[3.2] Treat BaseStations as Untrusted

   From an network security architecture, the base stations should be
   evaluated and determined if it should be treated as an untrusted
   device and need to be quarinteed before the wireless clients can gain
   access to the internal network. The architecture design may include a
   Wireless DMZ. This WDMZ includes appropriately placing firewalls,
   VPNs, IDSes, vulnerability assessments, authentication requirements
   between access point and the Intranet.

[3.3] Base Station Configuration Policy

   The wireless policy may want to define the standard security settings
   for any 802.11 base station being deployed. It should cover security
   issues like the Server Set ID, WEP keys and encryption, and SNMP
   community words. Turning off broadcast pings on the Access Point
   makes it invisible to 802.11b analysis tools like NetStumbler.

   [3.3.1] 802.1X Security

   Windows XP and many hardware vendors are building in 802.1X security
   standards into their Access Points. This provides a higher level of
   security than the typical WEP security. The 802.1x standard has a key
   management protocol built into its specification which provides keys
   automatically. Keys can also be changed rapidly at set intervals.
   Check to see if your Access Points support 802.1X.

   There have been some security flaws noted by security researches in
   802.1X standard. This points out the need for good VPN technology
   despite this new standard. Here is a document that outlines the issues
   in 802.1X security:
     * http://www.cs.umd.edu/~waa/1x.pdf

[3.4] Base Station Discovery

     * From a wired network search, an organization could identify
       unknown and rogue base stations by searching for SNMP agents. The
       rogue base stations are identified as 802.11 devices through SNMP
       queries for host id.
     * Some base stations have a web and telnet interface. By looking at
       the banner strings of these interfaces, this provides another
       method of identifying some 802.11 devices.
     * An additional means is by using unique TCP/IP attributes like a
       fingerprint, it can help identify devices as base stations. Most
       TCP/IP implementations have a unique set of characteristics and
       many OS fingerprinting technologies use this method for
       identifying the OS type. This concept can be applied to the base
       stations.
     * From a wireless network search, an organization can identify these
       rogue base stations by simply setting up a 2.4 GHz sniffer that
       identifies 802.11 packets in the air. By looking at the packets,
       you may find the IP addresses to help identify which network they
       are on. In a densely populated area with many businesses close
       together, running a sniffer may pick up more the intended
       organization's traffic, but a close neighboring company.

   [3.4.1] Honeypots - FakeAP

   Black Alchemy's Fake AP generates thousands of counterfeit 802.11b
   access points. Hide in plain sight amongst Fake AP's cacophony of
   beacon frames. As part of a honeypot or as an instrument of your site
   security plan, Fake AP confuses Wardrivers, NetStumblers, Script
   Kiddies, and other undesirables.
     * http://www.blackalchemy.to/Projects/fakeap/fake-ap.html

[3.5] Base Station Security Assessments

   An organization can examine and analyze the base station
   configuration. A security audit and assessment could determine whether
   the passwords and community words are still default or easily guessed
   and if better security modes have been enabled like encryption.

   With router ACLs and firewall rules, an organization can minimize
   access to the SNMP agents and other interfaces on the base station. A
   security assessment can determine how widely accessible is the
   configuration interfaces to the base stations are allowed to within
   the organization.

[3.6] Wireless Client Protection

   The wireless clients should be assessed for having the following
   security technologies:
     * firecell (distributed personal firewalls) - lock down who can gain
       access to the client.
     * VPN - adds another layer of encryption and authentication beyond
       what 802.11 can provide.
     * intrusion detection - identify and minimize attacks from
       intruders, worms, viruses, Trojans and backdoors.
     * desktop scanning - identify security misconfigurations on the
       client.

                 [4] Who is making 802.11 Security Solutions?

[4.1] 802.11 Gateway Infrastructure

     * BlueSocket: The WG-1000 Wireless Gateway(TM) offers a single
       scalable solution to the security, quality of service (QoS) and
       management issues facing enterprises and service providers that
       deploy wireless LANs based on the IEEE 802.11b and Bluetooth(TM)
       standards.
     * EcuTel: Viatores Secure WLAN edition is different from legacy
       virtual private networks (VPNs) in that it maintains VPN and
       application sessions uninterrupted with no configuration or
       re-boot required. Viatores combines two advanced protocols for
       mobility and security to enable roaming from LANs to WLANs and
       between WLAN subnets seamlessly and securely. Application sessions
       and security tunnels are maintained while the user moves from one
       subnet to another. Roaming users can communicate easily with
       colleagues, regardless of where they are or how they are
       connected, because Viatores maintains a single network address.
       Viatores Secure WLAN edition includes:
          + Industry-strength secure communication well beyond the WEP
            standard;
          + Seamless roaming from wired to wireless networks and between
            different wireless networks;
          + Support for two-way, peer-to-peer communication;
          + Data confidentiality and integrity, including key exchanges,
            digital signatures, and industry-strength encryption;
          + Option to upgrade to secure and seamless roaming from public
            networks.
     * NetMotion Wireless - NetMotion Mobility provides a VPN designed to
       work with WLAN security.
       http://www.netmotionwireless.com/resource/whitepapers/netmotion_se
       curity.asp has an overview of wireless security and how NetMotion
       Mobility(TM) prevents unauthorized users from accessing your
       system and stops eavesdropping, replay, and other network-level
       attacks.

[4.2] 802.11 Security Analysis Tools

     * AirSnort is a wireless LAN (WLAN) tool that recovers encryption
       keys. It operates by passively monitoring transmissions, computing
       the encryption key when enough packets have been gathered.
       AirSnort will work for both 40 or 128 bit encryption.
          + http://freshmeat.net/projects/airsnort/
          + http://www.dachb0den.com/projects/bsd-airtools.html
     * WEPCrack is a to ol that cracks 802.11 WEP encryption keys using
       the latest discovered weakness of RC4 key scheduling.
          + http://sourceforge.net/projects/wepcrack
     * Network Stumbler scans for networks roughly every second and logs
       all the networks it runs into--including the real SSIDs, the AP's
       MAC address, the best signal-to-noise ratio encountered, and the
       time you crossed into the network's space. If you add a GPS
       receiver to the notebook, it logs the exact latitude and longitude
       of the AP. Network Stumbler does not use promiscuous mode. Thus,
       by simply turning off broadcast pings hides the Access Point from
       NetStumbler. Now NetStumbler website includes a PocketPC
       MiniStumbler.
          + http://www.netstumbler.com/
          + http://www.netstumbler.com/download.php?op=getit&lid=21
            PocketPC MiniStumbler
     * Internet Scanner 6.2, the market leading network vulnerability
       assessment tool, was the first to assess many 802.11b security
       checks. 802.11 checks are in several X-Press Updates (XPU 4.9 and
       4.10). This is done by doing assessing via the wired network and
       contacting the management interface.
     * Wireless Scanner 1.0, designed to look for security issues via the
       802.11b airwaves. Has a penetration testing mode and discovery
       mode. Uses promiscuous mode, thus capable of capturing the raw
       802.11b packets for forensics analysis and replay. Even if
       broadcast pings are turned off, Wireless Scanner will still catch
       any Access Points if it sends any kind of traffic due to using
       promiscuous mode.
          + http://www.iss.net/download/ Evaluation copy of Wireless
            Scanner.
          + https://iss.custhelp.com/cgi-bin/iss.cfg/php/enduser/home.php
            WS1.0 Knowledge Base
     * RealSecure 6.0, the market leading IDS, was the first to monitor
       many 802.11b attacks. Recommend to make sure you are up to the
       latest X-Press Updates. 802.11 checks for IDS were in XPU 3.1.
       Recommend putting IDS behind the Access Point, directly on any
       servers and desktops behind the access point, as well as, on any
       wireless clients.
     * BlackICE PC Protection 3.5, personal firewall with IDS capability,
       is used on wireless laptops and desktops to protect against client
       to client attacks.

        [5] About Internet Security System's Wireless 802.11b Solution

   ISS offers the comprehensive wireless security solution:
     * Wireless Security Assessments and Penetration Testing
     * Wireless Policy Design and Workshops
     * Vulnerability Scanning with specific 802.11 configuration checks
     * Intrusion Detection for Wireless LAN networks
     * Wireless 802.11 Security Classes
     * ISS X-Force Advisories:
          + http://xforce.iss.net/alerts/advise83.php 802.11 SNMP Auth.
            Flaw
          + http://xforce.iss.net/alerts/advise84.php WEP Key exposed via
            SNMP

                             [6] Acknowledgements

   This FAQ is written and maintained by Christopher Klaus. The following
   people have
   contributed to the FAQ. Their contributions are deeply appreciated.
     * Skip Carter
     * Gunter Ollmann
     * Jim Broome
     * Phil Brass

   Copyright 2001, Internet Security Systems. All rights reserved.

   This document may be redistributed only in its entirety with version
   date, authorship notice, and acknowledgements intact. No part of it
   may be sold for profit or incorporated in a commercial document
   without the permission of the copyright holder. Permission will be
   granted for complete electronic copies to be made available as an
   archive or mirror service on the condition that the author be notified
   and that the copy be kept up to date. This document is provided as is
   without any express or implied warranty.

****
Christopher W. Klaus
Founder and CTO
Internet Security Systems
Email: cwkpublic@iss.net



Relevant Pages

  • WLAN 802.11b Security FAQ
    ... Wireless LAN Security FAQ ... complexity of the types of attacks will increase, ... While this FAQ focuses on the risk issues from a corporate network ...
    (comp.security.firewalls)
  • WLAN 802.11b Security FAQ
    ... Wireless LAN Security FAQ ... complexity of the types of attacks will increase, ... While this FAQ focuses on the risk issues from a corporate network ...
    (comp.security.firewalls)
  • WLAN 802.11b Security FAQ
    ... Wireless LAN Security FAQ ... complexity of the types of attacks will increase, ... While this FAQ focuses on the risk issues from a corporate network ...
    (comp.security.firewalls)
  • WLAN 802.11b Security FAQ
    ... Wireless LAN Security FAQ ... complexity of the types of attacks will increase, ... While this FAQ focuses on the risk issues from a corporate network ...
    (comp.security.unix)
  • WLAN 802.11b Security FAQ
    ... Wireless LAN Security FAQ ... complexity of the types of attacks will increase, ... While this FAQ focuses on the risk issues from a corporate network ...
    (comp.security.unix)