Dangers of Wireless

Summary

Solutions Fast Track

Introduction

Convenience, ease of implementation, and cost are driving factors for the rapid introduction of wireless technologies into the workplace.The introduction and use of any new technologies must be carefully managed and risk must be accurately assessed in order to properly manage the security of any computer system or net- work.This chapter addresses the major threats wireless technologies introduce into the workplace and presents strategies to properly reduce and mitigate these threats.

Intruders Accessing

Legitimate Access Points

At this stage in the game, the decision has been made to implement a wireless net- work at your organization. Hopefully the design and implementation of the wireless network was carefully thought out and security was a primary consideration, but we know that these factors are not always the reality. Unfortunately, in a rush to imple- ment a new, cool technology, security is often an afterthought.

Since the radio frequency (RF) waves that carry a signal cannot be physically contained within the bounds of a specific office building or other geographic loca- tion, a wireless network essentially extends your organization’s network as far as the wireless signal can travel. An intruder who takes advantage of this fact can be one of your neighbors in the office park, an employee at another organization on a different floor in your building, or a criminal sitting in a parked car in the parking lot.

The intruder’s intent could be classified in one of two ways:

■ Use of your network as an Internet “hotspot”—the opportunist

■ The abuse of your network boundaries to steal data or use your Internet connection to attack others or conduct criminal behavior—the criminal hacker

The Opportunist

This type of intruder is typically looking for quick and easy access to the Internet to check e-mail, surf the Web, or connect to Internet Relay Chat (IRC) from a weird host mask to brag to his or her cyber buddies.You can usually prevent the oppor- tunist from succeeding at this task by implementing the most rudimentary forms of security controls, such as:

■ Disabling SSID broadcasts on the Wireless Access Points (WAPs)

■ Enabling Wired Equivalent Privacy (WEP) or WiFi Protected Access (WPA)

If this intruder encounters encryption via WEP or WPA, he or she will likely move on to a “softer” target.Though this type of intruder might seem relatively harmless, keep in mind that the Internet sites the opportunist visits and the activities he or she conducts on the Web will be traced back to your organization, as though someone on the inside of your network conducted these activities—because for all intents and purposes, he or she is on the inside of your network.

How prevalent is this type of intruder? Well, the geek sport of “WarDriving” is fairly common, and large WarDriving events have been organized and successfully carried out, most with the purpose of simply collecting statistics on wireless net- works. Websites are devoted to the topic of WarDriving, and some, such as www.wifimaps.com and www.wigle.net, even have searchable databases to locate wireless networks that other WarDrivers have identified. A distinction should be made between the WarDriver and the opportunist, in that the WarDriver merely col- lects and logs interesting statistics for analysis, whereas the opportunist will identify, then connect to and use, your network.

The Criminal Hacker

The criminal hacker, or cracker, has malicious intent, and aims to break into your net- work to steal your intellectual property or customer data or use your network for criminal conduct.The criminal hacker may be WarDriving—searching for targets of opportunity—or specifically targeting the theft of a particular piece of intellectual property from your organization.The cracker may also use your network to conduct credit card fraud, download child pornography, or any number of other Internet- based crimes. Why would an intruder conduct these types of activities from a net- work that could be attributed to him when there are large amounts of vulnerable wireless networks he can hide among?

N

In a rather bizarre criminal case in Canada, police officers stopped a man in his vehicle who was driving the wrong way down a one-way street. The man was found to be naked from the waist down, holding a laptop with a wireless card. To further complicate the situation, images of child pornography were displayed on his laptop screen. Although this is a bizarre case because the man was driving in his car, the reality of the sit- uation is that this type of crime can often be committed from the com- fort of the intruder’s home or business.

In 2004 two young hackers were arrested for accessing and misusing the wireless network at a large U.S. home improvement store.They hopped onto a poorly con- figured wireless network, which was not properly segregated from the rest of the corporate network, and modified a program to record credit card numbers.They sat outside the store in the comfort of their car, antennae protruding from the windows, conducting their nefarious activities until the FBI nabbed them.

The first step in your security process should be preventing intruders from accessing the network; the second step is detecting and defeating intruders.

Preventing Intruders

from Accessing the Network

The term hard targetis one that is generally used in a military context. It refers to a target (for our purposes, think wireless network) that has been hardened as much as possible and deters would-be intruders from attacking it because it would be too much work, would be too difficult, or would be too costly in terms of time, money, or resources. If your only goal is to kill or maim two soldiers, would you attack an M-1 Abrams main battle tank or an unarmored Humvee?

Unless your organization is being specifically targeted by intruders, presenting a hard target will repel most wireless intruders.

B

P

To prevent intruders from accessing your network, you should make sure that you rely on the following security measures:

■ Disable SSID broadcasts. On most modern WAPs, it is possible to disable the broadcasting of the SSID. This feature will prevent the detection of your wireless network from intruders using less sophisti- cated wireless tools such as Netstumbler. However, more advanced tools such as Kismet will still detect your network by analyzing client traffic. Chapter 2 covers the specifics of disabling SSID broadcasts on popular model WAPs.

■ Use an obscure SSID. Choosing an obscure SSID that cannot be associated with your organization can aid in preventing a more tar- geted attack. For example, the fictitious company Dynamic Network Solutions is set up in an office park and has a sign on its building identifying the company. They company’s IT staff have set up their wireless network to use the SSID DYNAMIC, which makes it trivial to correlate a wireless network to their organization.

■ Enable WEP or WPA. Although these are not perfect implementa- tions of security, some encryption is better than none at all, as long as your organization fully understands the limitations and flaws. WEP or WPA will more than likely prevent the opportunist from intruding on your network, but each should be considered one layer of the security, rather than a panacea.

■ Conduct MAC address filtering. It’s recommended that only recog- nized and approved wireless cards (clients) be permitted to associate with the wireless network. Wireless hardware vendors implement these controls in several different ways, but most modern access points support this feature. Additionally, the DHCP server should assign an IP address to approved wireless clients only. Again, don’t rely on this one configuration item by itself to prevent attacks, because MAC address spoofing is a common and very possible attack method.

■ Control RF signal strength. Some more advanced WAPs that are designed for enterprise use rather than home networks allow the control of the wireless signal strength. Even though it may take a fair bit of work to determine the signal boundaries, preventing the signal from reaching outside the bounds of your building or office can be a key configuration item that will significantly enhance the security of your wireless network.

■ Implement a wireless DMZ. A properly implemented wireless DMZ will allow a wireless client the ability to connect to the network, but

only to specific devices such as a virtual private network (VPN) con- centrator or a Web proxy server. This layered approach requires one more factor (for example, VPN credentials or a proxy account) from wireless users before from permitting network communications. Any intruder that is successful in cracking the WEP or WPA key would be severely restricted in his or her ability to communicate with other network hosts.

■ Implement a wireless intrusion detection system (WIDS). Several vendors now offer a wide array of wireless IDSes with varying feature sets. Ensure that the WIDS selected has the ability to detect rogue wireless network users along with the detection of rogue wireless access points.

N

While the general consensus among security professionals seems to be that a WIDS is useful, in many circumstances they may be cost pro- hibitive. This is true with both commercial offerings and homegrown implementations. Depending on the size of the WIDS deployment, the costs of a commercial WIDS can quickly spiral out of control. The costs associated with a homegrown solution can appear to be cheaper, but one must consider the resources necessary to design, implement, and maintain the system. With either the commercial or the homegrown approach, the costs of monitoring and responding to this additional security tool must be factored into the equation. For this reason, many organizations choose to implement a hybrid form of WIDS. This can be a combination of WAP security logs, DHCP server logs, and other tradi- tional IDS tools.

Case Study: Intruder’s

Introduction of a Wireless Sniffer/Cracker

A colleague of mine was given the task of breaking into a wireless network at a rather sensitive and secure facility as part of an authorized penetration test activity. Because the organization had its own private security force, the tester didn’t have the option of sitting in a car for hours on end with various antennae pointing out the window. Instead, he designed and implemented what he calls a “wireless drop box.”

The purpose of this drop box was to covertly sniff wireless network traffic in order to crack the WEP key.This box, which looked like any standard gray utility box, contained a single board PC, a wireless network card, a 5 gigabyte hard drive, a high-gain patch antenna, and a battery large enough to run the drop box for two days.The front of box contained a Plexiglas cutout that allowed the patch antenna to point directly at the target network.The Plexiglas was spray-painted gray to match the box, and the organization’s logo was affixed to the front of the box, along with a telephone number in case of questions (see Figure 3.1).

Figure 3.1 The Internals of the Wireless “Drop Box”

Visible in Figure 3.1 is the patch antenna attached to the lid with a Soekris single-board PC between the antenna and the large battery.

The box was quickly affixed to the utility pole using metal banding (see Figure 3.2) and was left to do its job of sniffing wireless network traffic. With the matching colors, the organization’s logo (which has been removed from the picture) and a telephone number the box looked legitimate and went completely unnoticed.Two

days later the box was removed from the utility pole and taken offsite for analysis and WEP key cracking. Within the two-day timeframe, the sniffer had collected enough interesting packets to successfully crack the encryption, and the project was a success.This feat was accomplished passively, with the tester never having to conduct an active attack such as packet injection that could have been detected by the target organization’s WIDS.

Figure 3.2 The Drop Box Installed

Intruders Connecting

to Rogue Wireless Access Points

Rogue WAPs present a very real threat to the security of your organization’s net- work, whether you have an approved wireless network or not. Perhaps you’ve chosen not to allow wireless networking within your organization and think that due to this stance, you are safe from the technology’s vulnerabilities. Or perhaps you’ve imple- mented a wireless network that follows the most stringent security recommendations possible.You’ve implemented all the basics and have gone one step further to set up a wireless DMZ that only allows IPSec traffic to your VPN concentrator.

Unfortunately, all it takes is one uneducated employee plugging a WAP into his or her network jack to undermine all your organization’s security efforts; in such an

instance, your $100,000 firewall and your sophisticated IDS will no longer ade- quately protect your network from wireless attackers.

B

P

To make sure your network is free of rogue WAPs, you should be implementing the following security measures in your organization:

■ Implement clear organizational policy. It’s imperative that policy clearly dictate and define all acceptable user behavior, including behavior such as a user setting up an unauthorized wireless network. ■ Conduct user awareness training. A continual user awareness

training program is a key aspect of a complete IT security program. Users must be aware that their actions can affect the security of the overall organization. Would a user connect a WAP if she knew she was effectively circumventing the network’s security? Risk accepted by one is imposed on all.

■ Control the procurement process. Depending on how employees purchase equipment for the company, it might be possible to add a step where a member of the IT security department reviews the pur- chase for security concerns. If a procurement request or expense report is submitted for wireless equipment, this would raise a red flag. Of course, wireless equipment is so affordable these days that an employee may bring in equipment from home or purchase it himself. ■ Conduct periodic wireless assessments. The only way to detect

rogue access points is to implement a program to periodically con- duct a wireless assessment. For an organization that doesn’t have an authorized wireless network, this can be as simple as a wireless dis- covery using tools such as Netstumbler and Kismet. The assessment will be more complex where an authorized wireless network exists, but because of the risk factor associated with a rogue network, it’s an activity that must be done.

■ Scan your network from the wired side. Because it is possible to correlate MAC addresses to specific vendors, it could be possible and even simple to identify WAPs from the wired side. Let’s say that your organization has standardized on a certain brand of Ethernet card, for example, 3Com 3509. Using the port scanner Nmap, we could identify non-3Com Ethernet cards and investigate. Of course, not everything on your network would have a 3Com card, but after some tweaking it should be relatively easy to spot wireless vendor’s prod- ucts such as Dlink or Linksys. A software program aptly named wap- nmapwas developed to automate this type of wired-side scanning.

Chapter 4 of this book discusses rogue access point detection and mitigation in depth using a Cisco wireless network.

Case Study: Employees Using Accessible

Wireless Networks to Circumvent Controls

So your organization has spent thousands of dollars on content-filtering software to restrict access to Internet sites and has spent countless hours managing and imple- menting outbound firewall rules to limit network communication with the outside world, yet the company next door in the office park has a poorly configured wireless network that allows your employees to surf the Internet and connect to any com- puter they chose—all while stillconnected to your network, thereby rendering your information security efforts pretty much useless.This realistic threat exists just about everywhere except in organizations that are geographically isolated or that exist inside an RF shielded facility.

Using an insecure wireless network, an employee can:

■ Circumvent content filters. You may have implemented Web and e- mail content filters to prevent your employees from surfing certain Websites and to protect your organization from malicious e-mails. However, if one of your network users wants to browse restricted Websites, he can simply route through the wireless network.

■ Bypass egress filtering. Your firewall may contain outbound rules that restrict communications with the outside world in total or in some restricted form. But if a user wants to SSH to his home system on a cable modem, he can simply route out through the wireless network rather than your corporate network that prevents outbound TCP port 22 traffic.

■ Bridge your network. A malicious insider could completely expose your internal network by bridging the wireless and wired interfaces together. Since it’s usually not possible to prevent RF signals from entering your building, a different approach is necessary to ensure the security of your systems.

If wireless networking is not being used in your organization, the obvious choice would be to make sure that no system is capable of communicating via this medium. It’s fairly easy to manage desktop systems, but laptops and mobile devices require more thought and planning. Perhaps the easiest method is to ensure that these sys- tems have no built in wireless capabilities when they are procured. Controlling the procurement process can also be a useful tool in ensuring that wireless cards and devices are not purchased and implemented. For example, your organization could

have a purchase request form that an employee is required to submit before pur- chasing equipment.This request could be screened by the IT department to ensure that the piece of equipment being procured is not capable of communication via 802.11 or other wireless mediums.

Knowing about other networks that are within range is the first step in pro- tecting your organization from this threat. Conducting a wireless assessment of your own to identify these networks is a “must do” item.Your management might not want to invest the time and money in obtaining both wireless hardware and knowl- edge necessary to conduct a wireless assessment, especially if your organization