Security WatchA guide to Wireless Security
Kathryn Tewson and Steve Riley
Setting up a wireless network is incredibly easy. There’s no cable to pull, no holes to drill; just plug in your wireless access point (AP), let your wireless connection manager auto-associate, and you’re online. Unfortunately, so is every other person who happens to be within broadcast range of your AP, and that’s where your trouble starts.
Every business has information that must be kept private. Trade secrets, source code, or even the company’s accounting books can find their way into nefarious hands all too easily. If you have customer data stored on your network, it’s even more imperative to lock down access. A few credit card numbers escaping into the wild can permanently damage your customers’ trust; just the possibility of credit card number theft can trigger regulatory disclosure procedures in some states. And wireless network access doesn’t stop at your business’s walls; if your network is open, anyone can squat in your parking lot and hop online.
Know your enemy! There are three basic types of bad guys you need to guard your network against: thrillseekers and wardrivers, bandwidth thieves, and knowledgeable attackers.
Thrillseekers and casual wardrivers are the folks who drive around with a laptop, looking for wireless networks to hop on to. They often don’t do any damage; they’re motivated by the thrill of trespassing electronically. The simplest of security measures is usually enough to deter them, particularly if there are other open networks around.
Bandwidth thieves know exactly what they want. Maybe they’re sending bucketsful of spam, maybe they’re downloading pirated movies or porn. Whatever they’re doing, there’s a reason they want to do it on your network instead of their own—they don’t have to worry about being traced, they don’t have to bear liability for their actions, and they don’t have to pay for the bandwidth they use. Because they profit from intrusion, they’re more willing to crack their way into your network, but just like the thrillseekers, they’re looking for the easiest option available.
Serious, knowledgeable attackers are rare, but scary. Either they want the data on your network or they’re looking to cause you harm. They won’t be deterred by casual security measures because they aren’t looking for easy targets. They want valuable information that only you have, they expect it to be at least lightly guarded, and they’re prepared to work hard to gain access or even to break your network completely.
It’s easy for bad guys to become even more evil in a hurry, and network security is only as strong as its weakest link. In a recent case that got a lot of publicity, three wardrivers discovered that a national retail chain store in the Midwest was using wireless pricing scanners. There was no human client access, just automated data transfer from the point of sale system. However, the transactions weren’t encrypted, and the AP used the default administration password, so the attackers were able to access the store’s general network. They installed a small program on one of the corporate servers that would capture credit card numbers to a text file, which they could easily retrieve from the parking lot. The three thieves were eventually caught and sentenced for fraud, but you don’t want your business to gain this kind of publicity.
Three Sample Scenarios
Coffee Shop with Hotspot Access
1 You’re setting up a network as a service to your customers, to get them to come more often, stay longer, and drink more coffee. Your users can be anyone who stops in with a laptop, so ease of use is most important. Because you’re operating a public network that you want people to connect to, there’s really not a whole lot you can or need to do. Trying to configure any form of authentication or encryption will drive away customers. You certainly don’t want the hassle of maintaining a user database and requiring people to log in. Recommended solution: get an AP that supports client isolation to help protect clients from each other. And keep this network completely separate from your internal store network, if you have one.
Small Accounting Firm
2 You’re setting up a network so that your three employees can easily share work and files. Your users are those three employees, plus you, so a little client configuration isn’t an issue. In addition to wardrivers and bandwidth thieves, you need to protect your customers’ financial data. Recommended solution: make sure all your wireless equipment is new and supports the latest features and protocols, then configure WPA-Personal. Choose something other than a dictionary word for your preshared authentication key.
Our rubric is to choose a passphrase—a complex sentence (with upper and lower case letters, numbers, and special characters) that is easy remember but difficult for others to guess. For example, "To be, or not to be? That is the question." Also, make sure your AP has an option to turn off client isolation, or the collaborative side of your network will be lost.
Law Firm with Guest Access
3 Your back office has wireless so that all the lawyers, paralegals, and assistants can easily share files and work on cases together. You are also offering guest access so that visiting clients or attorneys can easily access their own files. Security here is unbelievably vital; if your clients' legal records get out, you won’t just lose business, you can be disbarred or suffer criminal legal consequences. Recommended solution: build two wireless infrastructures. Use high-quality APs that support WPA2-Enterprise and dual Service Set Identifiers (SSIDs), one for your back office and one for guest access.
Configure the employee side to use WPA2-Enterprise for authentication and encryption. You'll need a RADIUS server (just run Internet Authentication Services on your domain controllers for simplicity) and updated client software (Windows XP SP2, at least). If you use EAP-TLS for authentication, you’ll need digital certificates too.
Configure the guest side as an open public network. Again, your guests won't be able to easily integrate with protocols like WPA-Personal or WPA-Enterprise, so save them (and yourself) the trouble. Make sure that you permit outbound Virtual Private Networking (VPN) through the guest side, so that they can connect back to their own corporate networks to retrieve data.
Wireless network security isn’t a one-size-fits-all proposition. Before you can even think of implementing a security design, you have to consider several questions.
Who are your users? Are they your employees or your customers? How much configuration will users be willing to go through? Will they always be the same people, or will you have different people using the network every day?
Why are you installing a wireless network? Do you want to share files between employees? Do you want a gateway to the Internet? Do you want to be able to offer wireless access to your customers to get them through the door? Are you looking to replace an aging Token Ring cable plant in your facility?
What are you trying to protect? You don’t need to have security that the Pentagon would envy. What you need is enough security that breaking into your network is more trouble than the data inside is worth. Credit card numbers, source code, medical or legal records—those are all worth a lot. The employee handbook or the shift schedule? You might think these have little value, but to someone engaged in social engineering these resources contain highly useful information about the practices of your organization and the habits of your employees. Even your bandwidth is valuable. But remember that clever intruders can find their way to unexpected places, so make sure you aren’t putting more at risk than you think you are.
Before we get into the ins and outs of authentication servers and encryption protocols, there are some very basic, very easy steps to take that can substantially reduce your risk of intrusion.
Change your passwords It’s been said before, but it’s worth repeating: change your AP’s default administrator password, particularly if it’s "admin," "password," or null. Do it for every AP, every time. These passwords are widely known, and if you give someone administrator access to your AP, you might as well just leave printouts of your company data in a cardboard box on the curb.
Change IP addresses Different brands of APs use different WLAN IPs and different DHCP ranges. These are also user-configurable, and you can change them from the default to something that’s less likely used. Again, it gives less information about your AP to someone who’s up to no good. It doesn’t gain you very much security, but it’s easy to do and has no negative impact on your users, so it’s worth considering. Note, however, that your choice of addresses must work with the addressing scheme you’ve used in the rest of your network. If you aren’t responsible for maintaining IP addresses, work with the people in your organization who are. You can’t just randomly choose any IP address and expect it to work.
Use client isolation Some APs include a feature that prevents wireless clients from communicating with each other. Typically, in a corporate environment or in a workgroup, you’ve already instituted other mechanisms to either allow or prevent client-to-client communications, so this feature wouldn’t be important to you. But if you’re building a wireless hotspot or other public wireless network, look for APs that support client isolation and be sure to enable it. This helps keep poorly configured computers from attacking other computers on the network.
How Not to Secure a Wireless Network
There is a lot of bogus wireless security advice circulating the Internet. It gets repeated often in articles and seminars because, well, "it sounds good." Let’s dispel a couple common wireless security myths right now.
Hide your SSID The Service Set Identifier (SSID) in your AP is nothing more than a name. It was never intended to be a password, yet people have turned it into one by disabling its broadcast, thinking this makes their network more secure. This couldn’t be less true. Every time a client associates to an AP it includes the SSID in the association message—in clear text, visible to anyone with a wireless sniffer. So go ahead and let the SSID broadcast. Windows® XP zero configuration requires it, the 802.11 specification mandates it, and the kind of good wireless security we recommend here makes it such that it doesn’t matter that the SSID is visible.
Filter MAC addresses Media Access Control(MAC) address filtering sounds great in theory. Every network device in the world has a unique MAC address, so by restricting which MAC addresses can associate with your wireless network, you’re eliminating the possibility of intruders, right? No. The problem is that the MAC address is sent with the header of every packet, outside any encryption that’s being used, and packet analyzers are widely available, as are MAC spoofing applications. It’s also a hassle from the administrative end, since every new device that connects to the network has to be entered into the AP by the systems administrator. Save yourself the hassle and just avoid this so-called feature.
After you’ve taken care of the basics, you can start looking at how you’re going to control access to your network. Start at the physical layer. Don’t make the AP physically available. It’s all too easy to reset the AP to its default settings. Once you know the make and model of the AP, the defaults are simple to figure out—often they’re printed on the bottom of the AP itself.
Some APs offer basic username/password authentication within the AP itself. Setting it up is simple; just enter your username/password pairs in the AP, or upload them from a text file on another machine. Access control is per-user, not per-device. These APs are easy to use, but are often substantially more expensive than standard equipment and may not support more than about 15 or 20 different users. They also lack integration with any directory system you’re using (such as Active Directory®), so requiring users to remember yet another ID and password won’t go over too well.
For more robust per-user access control than you can get within an AP, look to an external server authentication solution like Remote Authentication Dial-In User Service (RADIUS). By itself RADIUS won’t do anything to help you. But because advanced wireless security protocols like Wi-Fi Protected Access (WPA) (see the section on encryption that follows) can use RADIUS for user authentication, you can start to build an environment that integrates more smoothly with the rest of your network. RADIUS servers don’t necessarily have to be costly to set up. Internet Authentication Service (IAS), included in Windows Server 2003, is ideal for companies using Microsoft software.
As fast as access control solutions appear, ne’er-do-wells attempt to find ways to get around them. One of the most successful and frightening has been labeled the evil twin problem. In this scenario, someone sits out in your parking lot with a laptop running a Web server and an AP with a high-powered antenna on it. The thief configures the AP with your SSID, and configures the Web server to proxy and log transmitted information. The evil twin probably has a stronger signal because of the high-gain antenna, so users will associate with the false SSID instead of the true one. And any clear-text Web traffic, say logging into something that isn’t protected with secure sockets layer (SSL) will be visible to the attacker.
Now is this really a problem? It depends on what security measures you have in place. If you rely on plain old Wired Equivalent Privacy (WEP) then this is a problem. But if you’re using more sophisticated protocols, like dynamic WEP or WPA, then the problem goes away. These protocols incorporate a principle called mutual authentication. Not only does the client authenticate to the network, but the network authenticates to the client—either with a digital certificate from the RADIUS server or by the AP’s knowledge of an authentication key. Because the attacker can’t get access to the certificate or the key, your clients will refuse to connect to the evil twin. The attacker has created a denial of service problem, but can’t intercept your traffic.
Now we can get to the nitty-gritty of security—protecting your data transmission with encryption. There are a lot of different encryption algorithms available, each with their advantages and disadvantages, and they’re not all interchangeable. The more you know, the more easily you can pick the right solution to suit your needs.
Static WEP is the first that comes to mind when people think of wireless encryption. It’s an old standard, supported by just about every wireless network device out there, so there are no worries about compatibility. It has two big disadvantages, though. The first is that it requires every user and every device to enter a long hexadecimal string to make connections. (Some devices support ASCII passkeys, but not all.) The second is that it’s become trivially easy to crack. With modern attack tools it takes only about 500,000 captured frames to perform statistical analysis against the data and recover the key. Given a fully utilized AP processing 1,500-byte frames (the typical size), you can capture 500,000 frames from an 802.11b network in just over eight minutes, and from an 802.11a or 802.11g network in less than three minutes.
Despite its pervasiveness in nearly all wireless equipment, static WEP has reached the end of its productive life. Don’t use it. Instead, choose from one of the alternatives described here. If compatibility is most important, use dynamic WEP. If you can’t support using a RADIUS server, use Wi-Fi Protected Access (Pre-Shared Key) (WPA-PSK). This means you might need to upgrade your wireless hardware and client operating systems.
Dynamic WEP with 802.1X+EAP is a combination of protocols that addresses some of the flaws in static WEP. Dynamic WEP uses a combination of the 802.1X and EAP protocols (along with a RADIUS server) to authenticate the user and optionally the computer, create a unique WEP encryption key for each associated computer, and rotate all keys at a time interval you specify. How often? Because WEP is still the foundation for encryption, you need to consider the 500,000-frame problem described before. So your time interval would be eight minutes or two minutes (or less), depending on your hardware.
One exceptionally cool thing about dynamic WEP with 802.1X+EAP is that, in Windows XP SP1 and later, it integrates with the domain logon process. Domain-joined computers are often configured with Active Directory group policies that are applied when the computer logs on, before the user does. It’s important that your wireless infrastructure permit the same behavior. In the supplicant built into Windows XP, 802.1X+EAP handles the domain logon process and allows group policy to apply. Keep this in mind when evaluating wireless security alternatives.
You have a choice of authentication methods with 802.1X+EAP. EAP-TLS and protected EAP (PEAP) are the most popular. EAP-TLS requires digital certificates on all clients and on all RADIUS servers. These certificates are used for computer and user authentication. PEAP allows the use of computer and user domain accounts (IDs and passwords) for authentication, though in this case the RADIUS server still presents a digital certificate to the client.
Dynamic WEP is better than static WEP because it eliminates most of the conditions that make static WEP so unsafe. Although 802.1X+EAP can do some cool things, know that dynamic WEP never became a true standard, and should be avoided if possible because it doesn’t eliminate all flaws. 802.1X+EAP combined with WPA (discussed next) is really where you should be heading.
WPA is the next generation of wireless encryption technologies. It’s both more secure and easier to configure than WEP, but most network cards made before mid-2003 won’t support it unless the manufacturer has produced a firmware update. WPA replaces WEP with an improved encryption algorithm called Temporal Key Integrity Protocol (TKIP). TKIP supplies each client with a unique key and uses much longer keys that are rotated at a configurable interval. WPA also includes an encrypted message integrity check field in the packet to prevent denial-of-service and spoofing attacks, something that neither static nor dynamic WEP can do. WPA operates both with and without a RADIUS server.
WPA-Personal uses a preshared authentication key that is configured on each device. Unlike WEP, this can be any alphanumeric string and is used only to negotiate the initial session with the AP. Because both the client and the AP already possess this key, WPA provides mutual authentication, and the key is never transmitted over the air.
WPA-Enterprise uses 802.1X+EAP for authentication, but again replaces WEP with the more advanced TKIP encryption. No preshared key is used here, but you will need a RADIUS server. And you get all the other benefits 802.1X+EAP provides, including integration with the Windows login process and support for EAP-TLS and PEAP authentication methods.
WPA2 is the latest thing on the scene. Instead of WEP, it uses Advanced Encryption Standard (AES), the government standard for security. If it’s good enough for the Pentagon, it’s probably good enough for you! Like WPA, the newer WPA2 can be used in either Personal or Enterprise modes, and has so far proven difficult to attack.
Wireless security is just as critical for your business as having a lock on the front door, and finding the balance between security, accessibility, and cost of ownership can be tricky. Consider your needs carefully, and don’t put it off. Every day that you run your network open is another day you’re at risk. Well-designed and implemented security involves minimal hassle and a whole lot of peace of mind, and that’s good for you and your customers.
Steve Riley is a senior security program manager in the Microsoft Security Business and Technology Unit. You can reach him at firstname.lastname@example.org
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.