October 2002

Configuring Basic 802.11b Security

You have little choice but to lock down these ubiquitous devices

Once a novelty of tech-savvy users, 802.11b wireless devices have taken the residential scene by storm and have even found their way into many organizations—despite negative publicity about inherent security vulnerabilities. These devices have charmed users, who simply plug them in, dismissing—or not understanding—the concept of intrusion. The devices are cheap, offer decent performance, and are easy to set up. However, 802.11b devices can leave your network open to attack.

I don't recommend deploying bare-bones 802.11b devices directly into networks that contain sensitive data and demand tightly controlled access. However, given the popularity of these devices, every IT administrator needs to know the basic security principles behind every 802.11b device. You're probably also ready for a primer that shows you how to use Windows XP's Wireless Zero Configuration service—or third-party drivers, if necessary—to configure your wireless client.

Ease of Use
The 802.11b protocol, which uses the 2.4GHz frequency, provides service as fast as 11Mbps and offers rudimentary authentication and encryption mechanisms. (The 802.11a and 802.11g protocols provide service as fast as 54Mbps.) Unfortunately, out of the box, these devices are typically configured without built-in security mechanisms enabled. And with an Access Point (AP) and NIC price of less than $200 combined, the devices are painless for non-IT departments to purchase and plug into the corporate LAN. This plug-and-play approach is the reason for much of 802.11b's popularity. Many vendors offer the ability to simply plug in the AP, plug in the wireless NIC (USB or PC Card), insert the driver CD-ROM when prompted, and presto—you have an AP-based wireless network. In this article, I focus primarily on the prolific sub-$200 equipment that you'll probably find popping up in your network. (Many more robust—and expensive—solutions offer advanced security and management features that are better suited for an enterprise deployment.)

The 802.11b devices work in two modes: ad hoc and infrastructure. Ad hoc mode is a peer-to-peer mode in which computers with 802.11b wireless NICs can talk directly to one another. (Access is generally restricted to computers configured in ad hoc mode.) Infrastructure mode requires an AP, a network device that acts as a bridge between your wired LAN and your wireless users. In infrastructure mode, many users can use one AP. Also, with some models, you can overlap the coverage areas of multiple APs to create a mesh across your campus that users can roam. (Roaming across subnets is a tricky endeavor that less expensive devices don't generally support.)

Active Breach and Passive Listening
To understand 802.11b's weaknesses, think of your wireless network as a typical wired LAN. Imagine a potential intruder accessing your wireless network by simply plugging his or her computer into your Ethernet switch. This scenario is close to what you're permitting if you leave the basic security features of 802.11b disabled. An intruder's access to your network could be twofold: First, the intruder could access any system available to your wireless users on your LAN; second, the intruder could use your IP network to access the Internet.

An intruder doesn't need to physically breach your network to cause damage. He or she can passively listen to your wireless traffic and sniff corporate secrets (e.g., passwords). If you occupy a building with other tenants, those tenants could feasibly identify your network and set up a device to silently log all wireless traffic for later analysis. Such passive reconnaissance is impossible to detect electronically.

Authentication and Encryption
The 802.11b protocol provides basic authentication and encryption mechanisms, with which you can protect your wireless network against external threats. Authentication validates you as a legitimate wireless client before the AP permits access to the network. Encryption protects the data stream between the wireless adapter and the AP, preventing casual eavesdroppers from poaching your traffic. Both of these processes use a key or secret that the wireless user and the AP share. This shared secret can validate the user and encrypt the data. Widely available hacker programs can decipher these keys, so you need to rotate your keys regularly and frequently. Rotating keys involves changing the Wired Equivalent Privacy (WEP) key on every wireless client and each AP. Unfortunately, most 802.11b products (particularly the less expensive solutions) don't offer effective key management, and key rotation can be cumbersome. (For more secure alternatives to 802.11b's built-in security, see "Related Articles in Previous Issues.") The emerging 802.1x standard provides stronger port authentication through dynamic and session-based keys. For more information about 802.1x authentication, see the sidebar "A Glimpse at 802.1x Authentication."

Define Your SSID
To begin configuring basic 802.11b security, you first need to define your wireless network's service set identifier (SSID). The SSID, which is set on every wireless client and AP, defines the logical network for the group of wireless network devices that share that particular SSID. Be careful: Some vendors market the SSID as a type of security. A NETGEAR FAQ, for example, states that "the SSID is a common password unique to each wireless network," which might literally be true but not in the traditional sense of a password. NETGEAR's device broadcasts this SSID, which XP picks up as an available network, as Figure 1, page 70, shows. Obtaining the SSID is the first step toward gaining access to (or hacking into) a wireless network.

Many vendors use a default SSID for their devices, and I recommend that you set your SSID to a name that uniquely describes the deployment. (However, use discretion: Using the name Finance WLAN for a wireless LAN—WLAN—that serves the accounting department might draw unwanted attention.) If possible, disable your AP's broadcasting of your SSID. Check your AP's documentation to determine whether your AP will let you disable SSID broadcasting. Eavesdroppers will then have a tougher time finding your network.
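As an added example (not code from the article or from any AP vendor), the following Python script builds a constructed 802.11 beacon frame and parses it the way a WLAN audit tool would, showing which of the settings discussed above (the WEP "Privacy" capability bit, SSID broadcasting, and a vendor default SSID) anyone in radio range can read in the clear. The frame layout follows the standard beacon format; the DEFAULT_SSIDS list and the MAC addresses are assumptions.

```python
import struct

PRIVACY_BIT = 0x0010   # capability-info bit 4: "Privacy" (WEP) enabled
ELEMENT_SSID = 0       # tagged-parameter element ID of the SSID
# Assumed list of vendor default names for consumer 802.11b gear (not from the article)
DEFAULT_SSIDS = {"default", "wireless", "linksys", "netgear", "tsunami"}

def build_beacon(ssid: str, wep: bool, broadcast_ssid: bool = True) -> bytes:
    """Constructed beacon: 24-byte MAC header, 12 bytes of fixed fields, SSID element."""
    header = struct.pack("<HH6s6s6sH",
                         0x0080,                       # frame control: mgmt / beacon
                         0,                            # duration
                         b"\xff" * 6,                  # addr1: broadcast
                         b"\x00\x11\x22\x33\x44\x55",  # addr2: AP MAC (made up)
                         b"\x00\x11\x22\x33\x44\x55",  # addr3: BSSID (made up)
                         0)                            # sequence control
    cap = 0x0001 | (PRIVACY_BIT if wep else 0)        # ESS bit, plus Privacy if WEP on
    fixed = struct.pack("<QHH", 0, 100, cap)          # timestamp, beacon interval, caps
    body = ssid.encode() if broadcast_ssid else b""   # "hidden" SSID = zero-length element
    return header + fixed + bytes([ELEMENT_SSID, len(body)]) + body

def parse_beacon(frame: bytes) -> dict:
    """Extract what anyone in radio range sees in the clear: BSSID, SSID, Privacy bit."""
    if len(frame) < 36 or frame[0] & 0xFC != 0x80:
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])
    cap = struct.unpack_from("<H", frame, 34)[0]
    ssid, pos = None, 36
    while pos + 2 <= len(frame):                      # walk the tagged parameters
        eid, length = frame[pos], frame[pos + 1]
        if eid == ELEMENT_SSID:
            ssid = frame[pos + 2:pos + 2 + length].decode(errors="replace")
        pos += 2 + length
    return {"bssid": bssid, "ssid": ssid, "hidden": ssid == "",
            "wep": bool(cap & PRIVACY_BIT)}

def audit_beacon(frame: bytes) -> list:
    """Findings against the article's checks: WEP on, SSID not broadcast, no default name."""
    info = parse_beacon(frame)
    findings = []
    if not info["wep"]:
        findings.append("Privacy bit clear: WEP disabled, passive listeners read all traffic")
    if info["ssid"]:                                  # a broadcast, non-empty name
        findings.append("SSID broadcast in the clear: " + info["ssid"])
        if info["ssid"].lower() in DEFAULT_SSIDS:
            findings.append("vendor default SSID still in use")
    # Hiding the SSID only blanks it in beacons; clients still send it in probe requests.
    return findings
```

Run `audit_beacon(build_beacon("netgear", wep=False))` to see all three findings for an out-of-the-box AP; a WEP-enabled AP with SSID broadcasting disabled produces none.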

Reader Comments
One of the good choices to restrict access to a WLAN is to use allowed MAC address lists, which are available in some APs.

heikki kivistö, March 27, 2003