Naturally, most of the security protections of wired networks can be applied to wireless networks. However, as seen before, some specific attacks are due to the radio aspect and need the adapted tools and defences described hereafter.
Figure 2. Rebound attack [figure: hacker, network mobile station, network access point, network connection]
Wireless Local Area Network Security
• Network Monitoring: A good defence is to observe the network in order to be informed as soon as “something strange” occurs.
° The IDS: An intrusion detection system (IDS) designed specifically for wireless networks is generally used against network intrusions. An IDS correlates several suspect events and tries to determine whether they could be due to an intrusion. The IDS is integrated in the Wi-Fi switch and works in real time. It monitors all Wi-Fi exchanges and flows in order to detect any risk or abnormal event as soon as possible, and alerts the network administrator when it does. Enhanced systems are able to detect weak WEP, rogue APs and wireless bridges. They can also locate the devices responsible for DoS attacks and detect spoofing or ASLEAP attacks (ASLEAP is a tool used to crack LEAP). These functions are based on information held by the Wi-Fi switch and enriched by each occurring event: connection, authentication, roaming or modification of equipment characteristics.
° Traffic monitoring: A particularly efficient prevention against spoofing is to continuously observe both the Wi-Fi traffic and the traffic on the wired network in order to detect any inconsistent situation. The goal is to detect an unforeseen device (access point or station), the duplication of a station or access point, or a change in the location of an access point. One way to do this is to check that the traffic generated by well-known Wi-Fi stations goes through the appropriate LANs. Another means is to associate the radio signal level with the MAC address of each mobile station: if a MAC address appears at the same time with two different signal levels, the mobile is quarantined and an alert is sent to the network administrator.
Devices that supervise communication flows check that communications issued from an AP do not reach the network by an illicit path, typically a rogue AP. Conversely, they check that these communications appear on the wired network only after having crossed the protection equipment (firewall or switch), and are not diverted to a pirate network via a fake AP.
° Radio monitoring: The Wi-Fi operating mode imposes that an AP operates only on the radio channel to which it has been assigned; consequently, it cannot supervise the other channels. For that purpose, passive monitoring access points, working in reception only, scan all radio channels in order to check the correct operation of neighbouring access points. Monitoring APs are able to detect and monitor low-level signals issued from relatively distant devices, so they cover a larger range than active APs. The traffic seen by a monitoring AP is carried to the switch, which checks that no mobile station is connected to an unreferenced AP.
Radio monitoring also protects wired networks against illicit radio communications (rogue AP). In this case, the network administrator deploys a radio network just to detect illicit Wi-Fi transmissions.
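The checks described under traffic monitoring and radio monitoring above (a known station's traffic surfacing on the wrong LAN, one MAC address heard at two inconsistent signal levels, a station attached to an unreferenced AP, an AP whose beacons are now heard loudest from another location) can be expressed as one correlation pass over the switch's inventory and the sensors' observations. The following is an added example, not the chapter's code nor any vendor's product: the inventory, the sensor placement, the RSSI and time thresholds and the observation records are all constructed for illustration.

```python
"""Correlating Wi-Fi and wired-side observations, as the traffic- and
radio-monitoring paragraphs describe. Added example; not the chapter's
or any vendor's code. Inventory and observation records are constructed."""
from collections import defaultdict

# Assumed inventory held by the WLAN switch: referenced APs with their
# installed location, the VLAN each known station should surface on,
# and where each passive (receive-only) monitoring AP sits.
KNOWN_APS = {
    "00:11:22:aa:bb:01": {"name": "AP-floor1", "location": "floor1"},
    "00:11:22:aa:bb:02": {"name": "AP-floor2", "location": "floor2"},
}
KNOWN_STATIONS = {
    "aa:bb:cc:00:00:10": {"vlan": 20},
    "aa:bb:cc:00:00:11": {"vlan": 20},
}
SENSORS = {"sensor-f1": "floor1", "sensor-f2": "floor2"}

RSSI_SPLIT_DBM = 15  # assumed: two sightings of one MAC on one sensor that differ
WINDOW_S = 2.0       # by more than this within this window cannot be one radio


def analyse(radio_obs, wired_obs, known_aps=KNOWN_APS,
            known_stations=KNOWN_STATIONS, sensors=SENSORS):
    """Return a list of (kind, subject, detail) alerts.

    radio_obs: dicts with t, sensor, bssid, station (None for a beacon), rssi
    wired_obs: dicts with t, mac, vlan as learned on the wired switch ports
    """
    alerts = []
    loudest = {}                      # bssid -> (rssi, sensor) for beacons
    per_station = defaultdict(list)   # (station, sensor) -> [(t, rssi)]
    seen_rogue = set()

    for o in radio_obs:
        if o["station"] is None:      # beacon from an AP
            cur = loudest.get(o["bssid"])
            if cur is None or o["rssi"] > cur[0]:
                loudest[o["bssid"]] = (o["rssi"], o["sensor"])
        else:                         # frame from an associated station
            key = (o["bssid"], o["station"])
            if o["bssid"] not in known_aps and key not in seen_rogue:
                seen_rogue.add(key)
                alerts.append(("rogue_ap", o["bssid"],
                               f"station {o['station']} attached to unreferenced AP"))
            per_station[(o["station"], o["sensor"])].append((o["t"], o["rssi"]))

    # An AP heard loudest by a sensor on another floor has been moved (or cloned).
    for bssid, (_, sensor) in loudest.items():
        if bssid not in known_aps:
            alerts.append(("unknown_ap", bssid, f"beaconing near {sensors[sensor]}"))
        elif sensors[sensor] != known_aps[bssid]["location"]:
            alerts.append(("ap_moved", bssid,
                           f"loudest at {sensors[sensor]}, installed at "
                           f"{known_aps[bssid]['location']}"))

    # One MAC, one sensor, two very different signal levels within seconds:
    # two radios claim the address, so the station is quarantined.
    for (mac, sensor), sightings in per_station.items():
        sightings.sort()
        for (t1, r1), (t2, r2) in zip(sightings, sightings[1:]):
            if t2 - t1 <= WINDOW_S and abs(r1 - r2) > RSSI_SPLIT_DBM:
                alerts.append(("duplicate_station", mac,
                               f"{r1} dBm then {r2} dBm within {t2 - t1:.1f} s on {sensor}"))
                break

    # A known wireless station's MAC surfacing on a VLAN it does not belong to
    # means its traffic bypassed the WLAN switch (rogue AP or spoofed MAC).
    for w in wired_obs:
        expected = known_stations.get(w["mac"])
        if expected is not None and w["vlan"] != expected["vlan"]:
            alerts.append(("wrong_segment", w["mac"],
                           f"seen on VLAN {w['vlan']}, expected VLAN {expected['vlan']}"))
    return alerts


# Constructed observations from one monitoring cycle (not captured data).
RADIO_OBS = [
    {"t": 0.0, "sensor": "sensor-f1", "bssid": "00:11:22:aa:bb:01", "station": None, "rssi": -40},
    {"t": 0.0, "sensor": "sensor-f2", "bssid": "00:11:22:aa:bb:01", "station": None, "rssi": -75},
    # AP-floor2 is now heard loudest on floor 1: it has been moved.
    {"t": 0.1, "sensor": "sensor-f1", "bssid": "00:11:22:aa:bb:02", "station": None, "rssi": -45},
    {"t": 0.1, "sensor": "sensor-f2", "bssid": "00:11:22:aa:bb:02", "station": None, "rssi": -80},
    # Station ...10 heard twice within 0.5 s at -50 and -82 dBm: two radios.
    {"t": 1.0, "sensor": "sensor-f1", "bssid": "00:11:22:aa:bb:01", "station": "aa:bb:cc:00:00:10", "rssi": -50},
    {"t": 1.5, "sensor": "sensor-f1", "bssid": "00:11:22:aa:bb:01", "station": "aa:bb:cc:00:00:10", "rssi": -82},
    # Station ...11 attached to a BSSID that is not in the inventory.
    {"t": 2.0, "sensor": "sensor-f2", "bssid": "de:ad:be:ef:00:01", "station": "aa:bb:cc:00:00:11", "rssi": -60},
]
WIRED_OBS = [
    {"t": 1.2, "mac": "aa:bb:cc:00:00:10", "vlan": 20},
    {"t": 2.1, "mac": "aa:bb:cc:00:00:11", "vlan": 10},  # surfaced on the wrong VLAN
]

if __name__ == "__main__":
    for kind, subject, detail in analyse(RADIO_OBS, WIRED_OBS):
        print(f"{kind:18} {subject}  {detail}")
```

The duplicate-station rule compares sightings from the same sensor only: two sensors on different floors legitimately hear one station at different levels, so comparing across sensors would quarantine every roaming user.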
° Forced detachment: A frequently used defence is to force the detachment of suspect stations, or of stations attached to a suspect AP, by sending them deauthentication frames. The Wi-Fi network is then no longer reachable by pirate stations, which are unable to set up a complete connection. This feature brings an efficient protection, but the problem must be definitively solved by an intervention on the station or AP at the origin of the danger; tools facilitate the localisation of the involved devices. Note that a station using protected management frames (802.11w) ignores deauthentication frames that are not cryptographically protected, so this defence only acts on stations that do not negotiate that protection.
° Audit of radio coverage: When installing the access points, it is important to check that the radio coverage does not spread far beyond the required area, even if this does not completely protect against hackers who use amplifiers or high-gain antennas to receive the signal far beyond the nominal coverage. Adequate placement of access points and antennas provides an optimal coverage. This coverage must be periodically checked afterwards, to make sure that no pirate access point (rogue AP) has been added to the network. This precaution also applies to wired networks: some users have had the surprise of discovering a radio coverage that they never installed.
• Network Engineering
° The switch: If the access points are connected to a hub instead of a switch, every frame sent to any fixed or mobile station on that segment is repeated to the access point's port and can be forwarded onto the radio network, where a sniffer can intercept it. It is strongly recommended to deploy WLANs on switches instead of hubs and to control the traffic between the mobile stations and the wired network.
There are two types of WLAN architectures:
▪ The first one is based on a standard switch. Access points integrate the radio, networking and security functions. The switch manages both fixed and mobile stations.
▪ The second one is based on a WLAN-dedicated switch that manages the radio, networking and security functions. Access points are used just as radio transmitters/receivers. This second configuration has a better resistance against rogue-AP attacks, because adding an AP requires an intervention on the switch.
Note that ideally the WLAN switch should manage several queues to provide flow control with QoS, typically for the transmission of voice over IP.
° Firewall: As for wired networks, the best protection is to install a firewall between the WLAN and the wired network. When present, it is integrated in the WLAN switch. This firewall shall manage protections at the addressing level, provide filters, log connections, manage the access control lists (ACLs) used for access filtering and monitor connections (stateful inspection), in order to maintain the same security level as on a wired network. All devices in contact with the wireless network (inside and outside the enterprise) shall be considered untrusted. They must be installed in a DMZ, with VPN authentication and encryption mechanisms activated.
° VLAN: A precaution is to split the network in order to isolate strategic data from the radio network. For that, the WLAN is deployed on a dedicated virtual LAN (VLAN) structure. The network may contain several VLANs, each of them associated with a WLAN subnet with its own SSID.
Radio subnets are installed in the demilitarized zone (DMZ) of a firewall that controls the transactions between the radio network and the wired network.
It is strongly recommended to connect all VLANs to the WLAN switch, even if no traffic has to transit through the switch. By this means, the switch locates all devices, updates its network description database and detects abnormal flows or equipment on a segment where they should not appear.
° Honey pot: The WLAN configuration may include honey pots made of access points with a poor protection that only give access to insignificant data. They attract hackers and keep them away from the protected network.
° VPN: A virtual private network (VPN) provides an encrypted tunnel that constitutes an efficient protection, in particular for users in unsecured areas like public hot spots. A VPN protects the link in the same way as for a wired nomadic station connected via a telephone modem. The VPN ensures encryption and mutual authentication, and protects the traffic between the client station and the Wi-Fi switch. The switch manages the end point of all client VPNs and delivers the authenticated, decrypted traffic to the LAN to which it is connected.
• Mobile station configuration
° Forbid « ad hoc » networking: Mobile stations, as well as fixed ones equipped with a Wi-Fi option, shall be configured to reject ad hoc connections, that is, to forbid direct connections that do not go through a network access point. This protects against hackers who would try a rebound attack. It is a major precaution for users who are used to joining their enterprise from a public hot spot. Fixed stations should disable their Wi-Fi option when it is unused.
° Firewall: It is strongly recommended to use a personal firewall on nomadic stations in order to filter unexpected inbound accesses and to limit outbound connections.
° Radio throughput control: This is a usual protection against fake APs that are located at some distance from the enterprise and are thus received with a low radio level (and consequently transmit at a low bitrate). It consists in forbidding mobile stations to connect below a given bitrate (e.g., 1 or 2 Mbps), because such a rate is a priori inconsistent with the network engineering design.
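The two station-side rules above (refuse ad hoc networks, refuse APs heard at a low bitrate) both act on what the station sees in a beacon before it associates: the Capability Information field tells whether the sender is an access point (ESS) or an ad hoc peer (IBSS), and the radio driver reports the rate at which the beacon itself was received. The following is an added example, not the chapter's or any vendor's code: it parses a beacon frame body and applies such a policy. The 5.5 Mbps floor, the SSID allow-list and the sample beacons are constructed assumptions.

```python
"""Client-side association policy: parse a beacon frame body, refuse ad hoc
(IBSS) networks and refuse APs whose beacon arrives below a minimum bitrate,
as the two preceding items recommend. Added example, not the chapter's code;
the threshold, SSID allow-list and sample beacons are assumptions."""
import struct

# Capability Information bits (IEEE 802.11 management frame body, little-endian)
ESS_BIT, IBSS_BIT, PRIVACY_BIT = 0x0001, 0x0002, 0x0010
# Information element identifiers
IE_SSID, IE_RATES, IE_DS_PARAM, IE_EXT_RATES = 0, 1, 3, 50

MIN_RX_RATE_MBPS = 5.5          # assumed policy: refuse APs heard at 1 or 2 Mbps
ALLOWED_SSIDS = {"corp-wlan"}   # assumed enterprise SSID


def parse_beacon(body):
    """Decode timestamp, interval, capability and the SSID / rates / channel IEs."""
    if len(body) < 12:
        raise ValueError("beacon body too short")
    timestamp, interval, capability = struct.unpack_from("<QHH", body, 0)
    info = {"timestamp": timestamp, "interval": interval, "capability": capability,
            "ssid": None, "rates": [], "channel": None}
    off = 12
    while off + 2 <= len(body):
        eid, length = body[off], body[off + 1]
        data = body[off + 2: off + 2 + length]
        if len(data) != length:
            raise ValueError("truncated information element")
        if eid == IE_SSID:
            info["ssid"] = data.decode("utf-8", "replace")
        elif eid in (IE_RATES, IE_EXT_RATES):
            # each byte: rate in 500 kbps units, MSB set for a basic (mandatory) rate
            info["rates"] += [((b & 0x7F) / 2.0, bool(b & 0x80)) for b in data]
        elif eid == IE_DS_PARAM and length == 1:
            info["channel"] = data[0]
        off += 2 + length
    return info


def evaluate(body, rx_rate_mbps):
    """Return (accept, reason) for a beacon received at rx_rate_mbps, the
    rate the driver reports for the received frame (e.g. in the radiotap header)."""
    b = parse_beacon(body)
    if b["capability"] & IBSS_BIT or not b["capability"] & ESS_BIT:
        return False, "ad hoc (IBSS) network: direct station-to-station link refused"
    if b["ssid"] not in ALLOWED_SSIDS:
        return False, f"SSID {b['ssid']!r} not in allow-list"
    if rx_rate_mbps < MIN_RX_RATE_MBPS:
        return False, (f"beacon received at {rx_rate_mbps} Mbps, below the "
                       f"{MIN_RX_RATE_MBPS} Mbps policy floor: distant or fake AP")
    privacy = "on" if b["capability"] & PRIVACY_BIT else "off"
    return True, f"ok: {b['ssid']} on channel {b['channel']}, privacy {privacy}"


def build_beacon(ssid, capability, rates_mbps, channel, basic=(1.0, 2.0)):
    """Assemble a constructed beacon body for testing (not a captured frame)."""
    encoded = [int(r * 2) | (0x80 if r in basic else 0) for r in rates_mbps]
    body = struct.pack("<QHH", 0, 100, capability)
    body += bytes([IE_SSID, len(ssid)]) + ssid.encode()
    body += bytes([IE_RATES, len(encoded[:8])]) + bytes(encoded[:8])
    body += bytes([IE_DS_PARAM, 1, channel])
    if len(encoded) > 8:   # the Supported Rates IE carries at most 8 rates
        body += bytes([IE_EXT_RATES, len(encoded[8:])]) + bytes(encoded[8:])
    return body


ADHOC_BEACON = build_beacon("corp-wlan", IBSS_BIT, [1, 2, 5.5, 11], 6)
INFRA_BEACON = build_beacon("corp-wlan", ESS_BIT | PRIVACY_BIT,
                            [1, 2, 5.5, 11, 6, 9, 12, 18, 24, 36, 48, 54], 6)

if __name__ == "__main__":
    for name, body, rate in [("ad hoc peer", ADHOC_BEACON, 11.0),
                             ("distant AP", INFRA_BEACON, 1.0),
                             ("nearby AP", INFRA_BEACON, 54.0)]:
        print(name, evaluate(body, rate))
```

The rate check uses the reception rate of the beacon rather than the rates the AP advertises: a fake AP can advertise any rate set it likes, but a weak signal still forces the frame down to the low rates the policy refuses.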
• Radio defences
° Lures: This kind of defence, specific to Wi-Fi networks, is a reaction against wardriving, implemented for instance by the « Fake AP » tool from Black Alchemy. It consists in broadcasting a large number of false beacon frames with random SSIDs (network identifiers), MAC addresses and channel numbers. Wardrivers detect a vast number of networks and are unable to find the right one.
• Security at application level: An application software protects the carried data without having to protect the association between the mobile station and the access point. The information can be intercepted but it is unusable.
° Encryption: Standard protocols like transport layer security (TLS) may be used in this scope.
° Authentication by Web server: This is well suited to hot-spot type connections. When connecting, the user is directed to a Web portal residing in the WLAN switch. Authentication is done by a login/password sequence. The link between the client and the server is secured by TLS and the authentication is done against a local authentication database. In return, the server assigns a category that defines the user's VLAN, rights, etc. For example, if the user is known but has no credit left, he is redirected to a page that invites him to renew his subscription. For complete security of communications authenticated by Web server, it is recommended, after the authentication phase, to set up a VPN client, which can be downloaded (VPN dialer).
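The portal logic described above (check the login against the local database, map the user to a category that fixes VLAN and rights, send a known user with no credit left to the renewal page) is shown below as an added example; it is not the chapter's code nor the software of any WLAN switch. The user records, the categories, the PBKDF2 parameters and the signed session token that the portal hands to the switch are constructed assumptions; the TLS layer that protects the login exchange is taken for granted and not shown.

```python
"""Web-portal authentication as the paragraph describes: verify the login
against a local database, map the user to a category that fixes VLAN and
rights, send lapsed subscribers to the renewal page, and hand the switch a
signed session token. Added example, not the chapter's or any vendor's code;
the user records, categories and key are constructed assumptions."""
import base64
import hashlib
import hmac
import json
import os

PBKDF2_ROUNDS = 50_000
SESSION_S = 3600


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed local authentication database (salted PBKDF2 digests, never
# clear-text passwords). credit_until is a Unix time; 0 = subscription lapsed.
_SALT_A, _SALT_B = b"\x01" * 16, b"\x02" * 16
USERS = {
    "alice": {"salt": _SALT_A, "digest": _hash_password("correct horse", _SALT_A),
              "category": "guest", "credit_until": 2_000_000_000},
    "bob":   {"salt": _SALT_B, "digest": _hash_password("battery staple", _SALT_B),
              "category": "guest", "credit_until": 0},
}
CATEGORIES = {"guest": {"vlan": 30, "rights": ["web", "vpn"]},
              "staff": {"vlan": 20, "rights": ["web", "vpn", "intranet"]}}
_DUMMY = _hash_password("x", b"\x00" * 16)   # keeps unknown-user timing equal
PORTAL_KEY = os.urandom(32)                  # assumed shared with the WLAN switch


def issue_token(claims, key=PORTAL_KEY):
    """HMAC-SHA256 signed claims the switch verifies before opening the port."""
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, payload, "sha256").digest()
    return (payload + b"." + base64.urlsafe_b64encode(sig)).decode()


def verify_token(token, now, key=PORTAL_KEY):
    """Return the claims if the signature is valid and the token unexpired, else None."""
    try:
        payload, sig = token.encode().split(b".", 1)
        good = hmac.new(key, payload, "sha256").digest()
        if not hmac.compare_digest(base64.urlsafe_b64decode(sig), good):
            return None
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, TypeError):
        return None
    return claims if claims.get("exp", 0) > now else None


def authenticate(username, password, now):
    """Return a decision dict: status 'ok' (with vlan, rights, token),
    'renew' (with redirect) or 'denied'."""
    rec = USERS.get(username)
    salt = rec["salt"] if rec else b"\x00" * 16
    expected = rec["digest"] if rec else _DUMMY
    # Always run the KDF and compare in constant time, so neither the
    # existence of the account nor the digest leaks through timing.
    if not hmac.compare_digest(_hash_password(password, salt), expected) or rec is None:
        return {"status": "denied"}
    if now >= rec["credit_until"]:
        return {"status": "renew", "redirect": "/portal/renew"}
    cat = CATEGORIES[rec["category"]]
    claims = {"sub": username, "vlan": cat["vlan"], "exp": now + SESSION_S}
    return {"status": "ok", "vlan": cat["vlan"], "rights": cat["rights"],
            "token": issue_token(claims)}


if __name__ == "__main__":
    import time
    now = int(time.time())
    for user, pw in [("alice", "correct horse"), ("alice", "wrong"),
                     ("bob", "battery staple"), ("nobody", "x")]:
        print(user, authenticate(user, pw, now))
```

The switch only has to hold the shared key and call verify_token: the VLAN it assigns to the client's port comes from the signed claims, so the category decision stays in the portal and cannot be altered by the client between login and port activation.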