Perils of unplugging: 11 steps to successful wireless security


It's time to take on the security flaws of wireless LANs. Nothing will make an 802.11 wireless network completely secure, but there are ways to tighten one enough to keep out most unauthorized users.

Think of security in terms of numbers. Suppose there are 100 potential intruders on your wireless network. Probably 99 could break into a standard wireless network out of the box.

A basic precaution such as not broadcasting your service set identifier (SSID) might eliminate 10 of them. Rudimentary media access control filtering might knock out another 20. Eventually, you get down to one or two people with enough agility to get past all your security.

But securing a wireless network follows the same premise as all IT security: Focus on making breaches extremely difficult, not foolproof.

If your agency runs a LAN with sufficiently layered security, but an agency across the street is running an out-of-the-box wireless network, an intruder is far less likely to waste hours or days hacking into your network. The other guy's an easier target.

Even when you're up against a skilled and determined hacker, you can prevent damage if you know what to look for and how to respond to an attack.

To be sure, the challenges of securing wireless networks are greater than those posed by wired networks. Expect a constant battle because hackers will try to break in.

To help tip the scale in your favor, the GCN Lab has created a battle plan for securing your wireless LAN. If you follow these 11 steps, you will keep intrusions and disruptions to a minimum.

1 Don't fight blind

One of the easiest things you can do is turn off your access point's SSID broadcast. In other words, tell your access points not to broadcast the fact that they exist. Employees will still find them, however, because you will give them proper names.

So-called wardriving hackers on the prowl will likely miss your SSID if it is cloaked. Several programs do exist to find cloaked SSIDs, but less-skilled hackers won't attack you if they can't see you.

2 Spice it up

All hackers know the default names of access points. For example, most APs from Cisco Systems Inc. of San Jose, Calif., are dubbed Tsunami out of the box.

Even if the SSID is cloaked, a hacker could still try to access the default name with a simple script program that searches for all hidden SSIDs based on known default settings.

So name your access point something odd or unique to thwart such hacking attempts. Obviously, this is effective only if you have already taken Step 1; otherwise the new name will simply be broadcast over the air.

3 Study your maps

When you plan a wireless network, use the standard pattern for overlapping the channels within your building. This isn't a security step per se, but it gives you a base for building security.

The GCN Lab advises using only channels 1, 6 and 11. With three channel possibilities, you can infinitely overlap service zones without interference. Because Channel 1 will bleed up to Channel 5, and Channel 11 will bleed down to Channel 7, you can overlap as needed to cover an entire building.

This becomes important in case of a man-in-the-middle attempt, when an intruder tries to hijack your network by posing as a legitimate access point. The hijacker's traffic will have to use a nonstandard channel or a channel in a zone where it should not be used. This will help you spot an anomaly and end the hack.

If your wireless network is already built out, you can still change the channel layout, but it might require physically moving some of the overlapping APs. Also be sure to scan for networks on other floors or nearby so you don't create a conflict with them.

4 Play the leprechaun's gambit

In a classic fable, a man captures a leprechaun and forces him to reveal the location of a pot of gold hidden in the forest. Because the man cannot carry the heavy pot, he goes for help after tying a ribbon to a tree near the gold. The man makes the leprechaun promise not to move the pot or remove the ribbon.

When the man returns, the leprechaun has vanished but has kept his word. But there is a ribbon around every tree in the forest, so the gold once again is lost.

A good shareware driver, HostAP, lets you do virtually the same thing with AP signals. HostAP duplicates and floods the area with thousands of false AP signals. A hacker thinks he's found gold when he sees all the APs on your block but quickly learns that almost none in fact exist, or else they lead to simple, dead-end networks you have set up as traps. Only legitimate users' devices will be able to identify the real network.

5 Take covert action

If a hacker gets into your network, you should make it as difficult as possible for him to move around. The longer you can delay movement, the better chance you have of noticing anomalous behavior and catching an intruder. And if your network looks uninteresting, a hacker might just bypass it.

Don't name your systems by their functions. No system should ever be called Payroll Records or President's Office. That's the cyberequivalent of hanging out a neon sign advertising free beer and pizza.

Keep your naming convention simple and nonsensical. Only trusted systems administrators need to know the complete listing of which names go with which systems. Users need only know those that they must access.

6 Stay close to your friends

A good security route is to modify the way your access points handle remote connections. This can be a bit tricky and requires user cooperation. It also works a lot better if you have completed Step 3 and mapped your channels smartly.

Most access points let you modify the types of connections they accept. If your office keeps 9-to-5 hours, for example, you might direct your APs to deny wireless connections before 7 a.m. and after 7 p.m.

If the channel zones are set up properly, you can accept connections only on the correct channel for particular sections of the building. That will go a long way toward preventing man-in-the-middle attacks.

You can also control access via signal strength. If you have a properly layered network, all your users should be communicating at close to the maximum signal strength. Signal strength and bandwidth decline with distance from the AP, so cut off all signals below a certain minimum strength.

A hacker out in the parking lot is probably going to get only a 2-Mbps connection, whereas your users on an IEEE 802.11b network should see close to 11 Mbps. If you set your AP to drop all users connecting below 5 Mbps, it will severely hinder outside hackers.

7 Be big on MAC

Some administrators don't use media access control layer filtering because it is the easiest level of security to crack. MAC filtering identifies trusted cards or devices on a network, letting them connect but denying all others.

The problem is that passive scanning can let a hacker crack MAC addresses in five minutes flat. MAC addresses are not encrypted, so the hacker soon can view all active trusted devices on a network.

A hacker with this knowledge then can dive into the hkey/local folder and manually type in a trusted MAC address. Presto, the hacker's computer has just taken over the identity of the trusted device. Once the trusted user has headed home, the hacker can log in at will.

Remember: If you have implemented Step 6, the hacker with the spoofed MAC address might not be able to get enough signal strength from outside to connect, whether he's properly credentialed or not. Or, if the wireless network is closed to users during certain hours, the hacker again might be locked out.

But most people don't know how to hack MAC addresses. A casual wild user zooming around looking for networks is unlikely to know how, or take the time, to start spoofing your address.

Administering MAC filtering is not difficult, and it's a simple way to eliminate a large number of potential intruders.

8 Ready your WEPon

Wired Equivalent Privacy encryption can layer security on top of your existing framework. It works well as a complement to MAC filtering.

Although it sounds deadly, WEPon is actually a primitive challenge-and-response protocol. It adds a 32-bit cyclic redundancy check to the standard packet payload. Because a packet's initialization vector is 24 bits, and the public key is 40 bits, this isn't 64-bit encryption.

You can have the WEP key rotate among four different slots on an access point, keeping different keys in play one at a time. The AP tells the users in the clear which key number is in use. There are automated hacker programs good at collecting this data and assigning it to the different keys to make them easier to figure out.

On a heavily used wireless network with lots of traffic, it takes only a few days for most hacker programs to sort out the keys by watching the data assigned to known responses, such as the initialization vector. On less-active networks, it would take significantly longer.

Hacking a WEP key is a serious endeavor, however. Only an ace hacker can do it with ease; most others are less likely to make the effort.

Also, be on the lookout for products that incorporate WEP's successor, the Temporal Key Integrity Protocol. TKIP will allow per-packet key mixing, message integrity checks and a rekeying mechanism.

9 Set your security RADIUS

The current Holy Grail of wireless security is Cisco's Leap algorithm for servers with remote authentication dial-in user service (RADIUS). Leap, which is based on the Extensible Authentication Protocol, does both client and access point validation for protection in both directions. It also helps WEP by adding dynamic WEP support and key session timeouts.

The problem with Leap is that it requires all Cisco equipment. Also, despite Cisco's claims of its invincibility, Leap can be hacked.

Using Microsoft Chat, you can query a wireless client for the owner's credentials, which will be sent back to you encrypted except for the last two letters. Why the last two characters are unencrypted is anyone's guess, but they are. A dictionary program can make guesses at the password based on the two unencrypted letters.

This, however, involves a level of skill that probably only one or two potential intruders possess.

10 Keep an eye on the gate

When your network is so strongly defended that only one or two people out of 100 have the skill to break in, you're facing your most serious challenge. Perhaps these people have it in for your agency, or they really want some of your data for nefarious purposes. They are willing to put in a lot of single-minded time and effort.

The way to catch such intruders is by network monitoring. Consider this: If nobody is watching the front door of your building, then anyone can come inside. Even if an electric door closer stops them from time to time, they can simply try again.

Companies such as AirDefense of Alpharetta, Ga., sell special APs that act as network security guards. If someone is probing your network, the AP will tell you. If a supposed official of your agency tries to connect at 3 a.m. from the south parking lot, the AP will warn you of a possible spoof.

At that point, it's up to you to react according to your security policies. Perhaps that means sending a security officer out to the parking lot to see exactly who is trying to access the network, or perhaps you take down part of the network until the spoofer moves on.

To be successful in the face of such attacks, you must have the hardware in place and someone who is in charge of monitoring it.

The need for such a high level of security might be limited, but taking this step can help you catch or at least deter the most dangerous hackers.

11 Maintain your defenses

This tip is less a security method than a fact of life.

Just because your network is secure on Tuesday does not mean it will be so on Wednesday. Security is an ongoing process. With some security methods, such as MAC filtering, you need to keep your database of valid users and devices up-to-date.

It's likely that your network will grow even if there are no new employees. Individual users' notebook and handheld PCs often have open wireless network ports, which can become gateways into your network. In addition, it's not unheard of for a sysadmin to set up a wireless device in a conference room for a meeting and then forget about it.

Every week, or at least monthly, your security team should check your wireless network to make sure nothing has changed or been added. A monitoring AP like those mentioned in Step 10 can be a big help, but you can get by without one if you have to, as long as a responsible person knows the network layout intimately.

Security is not a skirmish. It's an all-out war that you can win battle by battle with the right tools and a lot of diligence.
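The checks described in Steps 3, 6, 7, 10 and 11 can be run as a periodic audit of survey and association data. The Python sketch below is an added example, not code from the GCN Lab or any vendor; the inventory, SSIDs, MAC addresses, record layouts and finding names are all constructed assumptions, and it takes the channel plan (1, 6, 11), the 7 a.m. to 7 p.m. window and the 5-Mbps floor from the article.

```python
"""Added example: audit survey and association data against the site plan."""
from datetime import datetime, time

PLAN_CHANNELS = {1, 6, 11}              # Step 3: the only channels in the plan
# Hypothetical inventory: BSSID -> (SSID, assigned channel)
INVENTORY = {
    "02:00:00:aa:00:01": ("qx7-north", 1),
    "02:00:00:aa:00:02": ("qx7-south", 6),
}
OUR_SSIDS = {ssid for ssid, _ in INVENTORY.values()}
OPEN_FROM, OPEN_UNTIL = time(7, 0), time(19, 0)   # Step 6: 7 a.m. to 7 p.m.
MIN_RATE_MBPS = 5.0                     # Step 6: drop clients below 5 Mbps
TRUSTED_MACS = {"02:00:00:cc:00:10", "02:00:00:cc:00:11"}   # Step 7 allow-list

# Constructed sample data, not real captures.
SURVEY = [  # (BSSID, SSID, channel) as seen in a walk-through scan
    ("02:00:00:aa:00:01", "qx7-north", 1),
    ("02:00:00:aa:00:02", "qx7-south", 11),
    ("02:00:00:ee:00:99", "qx7-north", 3),
    ("02:00:00:bb:00:42", "conf-room", 6),
]
ASSOCS = [  # (client MAC, association time, negotiated rate in Mbps)
    ("02:00:00:cc:00:10", datetime(2024, 1, 9, 10, 30), 11.0),
    ("02:00:00:cc:00:10", datetime(2024, 1, 10, 3, 0), 2.0),
    ("02:00:00:cc:00:77", datetime(2024, 1, 9, 14, 0), 11.0),
]


def audit_beacon(bssid, ssid, channel):
    """Findings for one AP seen in a survey (Steps 3, 10 and 11)."""
    findings = []
    known = INVENTORY.get(bssid.lower())
    if known is None:
        # One of our SSIDs on hardware we do not own points to impersonation;
        # any other unknown AP may be a neighbour or a forgotten device.
        findings.append("impersonated-ssid" if ssid in OUR_SSIDS else "unknown-ap")
    elif (ssid, channel) != known:
        findings.append("config-drift")
    if channel not in PLAN_CHANNELS:
        findings.append("off-plan-channel")
    return findings


def audit_association(mac, when, rate_mbps):
    """Policy violations for one client association (Steps 6 and 7)."""
    findings = []
    if mac.lower() not in TRUSTED_MACS:
        findings.append("mac-not-allowed")
    if not OPEN_FROM <= when.time() < OPEN_UNTIL:
        findings.append("outside-hours")
    if rate_mbps < MIN_RATE_MBPS:
        findings.append("low-rate")
    return findings


def run_audit(survey=SURVEY, assocs=ASSOCS):
    """Return only the flagged APs and client associations."""
    aps = {b: f for b, s, c in survey if (f := audit_beacon(b, s, c))}
    clients = [(m, t.isoformat(), f) for m, t, r in assocs
               if (f := audit_association(m, t, r))]
    return aps, clients


if __name__ == "__main__":
    for item in run_audit():
        print(item)
```

The second association record is the case from Steps 7 and 10: a MAC address on the allow-list that connects at 3 a.m. at 2 Mbps passes the MAC filter but is still flagged by the hours and rate checks.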











