Perils of unplugging: 11 steps to successful wireless security

 

Connecting state and local government leaders

It's time to take on the security flaws of wireless LANs.Nothing will make an 802.11 wireless network completely secure, but there are ways to tighten one enough to keep out most unauthorized users.

It's time to take on the security flaws of wireless LANs.Nothing will make an 802.11 wireless network completely secure, but there are ways to tighten one enough to keep out most unauthorized users.Think of security in terms of numbers. Suppose there are 100 potential intruders on your wireless network. Probably 99 could break into a standard wireless network out of the box.A basic precaution such as not broadcasting your service set identifier (SSID) might eliminate 10 of them. Rudimentary media access control filtering might knock out another 20. Eventually, you get down to one or two people with enough agility to get past all your security.But securing a wireless network follows the same premise as all IT security: Focus on making breaches extremely difficult, not foolproof.If your agency runs a LAN with sufficiently layered security, but an agency across the street is running an out-of-the-box wireless network, an intruder is far less likely to waste hours or days hacking into your network. The other guy's an easier target.Even when you're up against a skilled and determined hacker, you can prevent damage if you know what to look for and how to respond to an attack.To be sure, the challenges of securing wireless networks are greater than those posed by wired networks. Expect a constant battle because hackers will try to break in.To help tip the scale in your favor, the GCN Lab has created a battle plan for securing your wireless LAN. If you follow these 11 steps, you will keep intrusions and disruptions to a minimum.One of the easiest things you can do is turn off your access point's SSID. In other words, tell your access points not to broadcast the fact that they exist. Employees will still find them, however, because you will give them proper names.So-called wardriving hackers on the prowl will likely miss your SSID if it is cloaked. Several programs do exist to find cloaked SSIDs, but less-skilled hackers won't attack you if they can't see you.All hackers know the default names of access points. For example, most APs from Cisco Systems Inc. of San Jose, Calif., are dubbed Tsunami out of the box.Even if the SSID is cloaked, a hacker could still try to access the default name with a simple script program that searches for all hidden SSIDs based on known default settings.So name your access point something odd or unique to thwart such hacking attempts. Obviously, this is effective only if you have already taken Step 1; otherwise the new name will simply be broadcast over the air.When you plan a wireless network, use the standard pattern for overlapping the channels within your building. This isn't a security step per se, but it gives you a base for building security.The GCN Lab advises using only channels 1, 6 and 11. With three channel possibilities, you can infinitely overlap service zones without interference. Because Channel 1 will bleed up to Channel 5, and Channel 11 will bleed down to Channel 7, you can overlap as needed to cover an entire building.This becomes important in case of a man-in-the-middle attempt, when an intruder tries to hijack your network by posing as a legitimate access point. The hijacker's traffic will have to use a nonstandard channel or a channel in a zone where it should not be used. This will help you spot an anomaly and end the hack.If your wireless network is already built out, you can still change the channel layout, but it might require physically moving some of the overlapping APs. Also be sure to scan for networks on other floors or nearby so you don't create a conflict with them.In a classic fable, a man captures a leprechaun and forces him to reveal the location of a pot of gold hidden in the forest. Because the man cannot carry the heavy pot, he goes for help after tying a ribbon to a tree near the gold. The man makes the leprechaun promise not to move the pot or remove the ribbon.When the man returns, the leprechaun has vanished but has kept his word. But there is a ribbon around every tree in the forest, so the gold once again is lost.A good shareware driver, HostAP, lets you do virtually the same thing with AP signals. HostAP duplicates and floods the area with thousands of false AP signals. A hacker thinks he's found gold when he sees all the APs on your block but quickly learns that almost none in fact exist, or else they lead to simple, dead-end networks you have set up as traps. Only legitimate users' devices will be able to identify the real network.If a hacker gets into your network, you should make it as difficult as possible for him to move around. The longer you can delay movement, the better chance you have of noticing anomalous behavior and catching an intruder. And if your network looks uninteresting, a hacker might just bypass it.Don't name your systems by their functions. No system should ever be called Payroll Records or President's Office. That's the cyberequivalent of hanging out a neon sign advertising free beer and pizza.Keep your naming convention simple and nonsensical. Only trusted systems administrators need to know the complete listing of which names go with which systems. Users need only know those that they must access.A good security route is to modify the way your access points handle remote connections. This can be a bit tricky and requires user cooperation. It also works a lot better if you have completed Step 3 and mapped your channels smartly.Most access points let you modify the types of connections they accept. If your office keeps 9-to-5 hours, for example, you might direct your APs to deny wireless connections before 7 a.m. and after 7 p.m.If the channel zones are set up properly, you can accept connections only on the correct channel for particular sections of the building. That will go a long way toward preventing man-in-the-middle attacks.You can also control access via signal strength. If you have a properly layered network, all your users should be communicating at close to the maximum signal strength. Signal strength and bandwidth decline with distance from the AP, so cut off all signals below a certain minimum strength.A hacker out in the parking lot is probably going to get only a 2-Mbps connection, whereas your users on an IEEE 802.11b network should see close to 11 Mbps. If you set your AP to drop all users connecting below 5 Mbps, it will severely hinder outside hackers.Some administrators don't use media access control layer filtering because it is the easiest level of security to crack. MAC filtering identifies trusted cards or devices on a network, letting them connect but denying all others.The problem is that passive scanning can let a hacker crack MAC addresses in five minutes flat. MAC addresses are not encrypted, so the hacker soon can view all active trusted devices on a network.A hacker with this knowledge then can dive into the hkey/local folder and manually type in a trusted MAC address. Presto, the hacker's computer has just taken over the identity of the trusted device. Once the trusted user has headed home, the hacker can log in at will.Remember: If you have implemented Step 6, the hacker with the spoofed MAC address might not be able to get enough signal strength from outside to connect, whether he's properly credentialed or not. Or, if the wireless network is closed to users during certain hours, the hacker again might be locked out.But most people don't know how to hack MAC addresses. A casual wild user zooming around looking for networks is unlikely to know how, or take the time, to start spoofing your address.Administering MAC filtering is not difficult, and it's a simple way to eliminate a large number of potential intruders.Wired Equivalent Privacy encryption can layer security on top of your existing framework. It works well as a complement to MAC filtering.Although it sounds deadly, WEPon is actually a primitive challenge-and-response protocol. It adds a 32-bit cyclical redundancy check to the standard packet payload. Because a packet's initiation vector is 24 bits, and the public key is 40 bits, this isn't 64-bit encryption.You can have the WEP key rotate among four different slots on an access point, keeping different keys in play one at a time. The AP tells the users in the clear which key number is in use. There are automated hacker programs good at collecting this data and assigning it to the different keys to make them easier to figure out.On a heavily used wireless network with lots of traffic, it takes only a few days for most hacker programs to sort out the keys by watching the data assigned to known responses, such as the initiation vector. On less-active networks, it would take significantly longer.Hacking a WEP key is a serious endeavor, however. Only an ace hacker can do it with ease; most others are less likely to make the effort.Also, be on the lookout for products that incorporate WEP's successor, the Temporal Key Integrity Protocol. TKIP will allow per-packet key mixing, message integrity checks and a rekeying mechanism.The current Holy Grail of wireless security is Cisco's Leap algorithm for servers with remote authentication dial-in user service (RADIUS). Leap, which is based on the Extensible Authentication Protocol, does both client and access point validation for protection in both directions. It also helps WEP by adding dynamic WEP support and key session timeouts.The problem with Leap is that it requires all Cisco equipment. Also, despite Cisco's claims of its invincibility, Leap can be hacked.Using Microsoft Chat, you can query a wireless client for the owner's credentials, which will be sent back to you encrypted except for the last two letters. Why the last two characters are unencrypted is anyone's guess, but they are. A dictionary program can make guesses at the password based on the two unencrypted letters.This, however, involves a level of skill that probably only one or two potential intruders possess. When your network is so strongly defended that only one or two people out of 100 have the skill to break in, you're facing your most serious challenge. Perhaps these people have it in for your agency, or they really want some of your data for nefarious purposes. They are willing to put in a lot of single-minded time and effort.The way to catch such intruders is by network monitoring. Consider this: If nobody is watching the front door of your building, then anyone can come inside. Even if an electric door closer stops them from time to time, they can simply try again.Companies such as AirDefense of Alpharetta, Ga., sell special APs that act as network security guards. If someone is probing your network, the AP will tell you. If a supposed official of your agency tries to connect at 3 a.m. from the south parking lot, the AP will warn you of a possible spoof.At that point, it's up to you to react according to your security policies. Perhaps that means sending a security officer out to the parking lot to see exactly who is trying to access the network, or perhaps you take down part of the network until the spoofer moves on.To be successful in the face of such attacks, you must have the hardware in place and someone who is in charge of monitoring it.The need for such a high level of security might be limited, but taking this step can help you catch or at least deter the most dangerous hackers. This tip is less a security method than a fact of life.Just because your network is secure on Tuesday does not mean it will be so on Wednesday. Security is an ongoing process. With some security methods, such as MAC filtering, you need to keep your database of valid users and devices up-to-date.It's likely that your network will grow even if there are no new employees. Individual users' notebook and handheld PCs often have open wireless network ports, which can become gateways into your network. In addition, it's not unheard of for a sysadmin to set up a wireless device in a conference room for a meeting and then forget about it.Every week, or at least monthly, your security team should check your wireless network to make sure nothing has changed or been added. A monitoring AP like those mentioned in Step 10 can be a big help, but you can get by without one if you have to, as long as a responsible person knows the network layout intimately.Security is not a skirmish. It's an all-out war that you can win battle by battle with the right tools and a lot of diligence.


















1 Don't fight blind






2 Spice it up







3 Study your maps









4 Play the leprechaun's gambit







5 Take covert action







6 Stay close to your friends









7 Be big on MAC













8 Ready your WEPon













9 Set your security RADIUS









10 Keep an eye on the gate













11 Maintain your defenses












X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.