Wireless networks are becoming de rigeur, something you must have if
you want to keep up with the Joneses. You can now surf the Web and pick up email
while sitting in an airplane lounge, have your laptop in a conference room with
no unsightly cables, or read email while in bed. The cost of these networks
has plummeted. Base stations like the Apple AirPort can be had for $300, and
the cards are around $100.
However, like
all network technologies, they both solve problems (like where to run cable) and create
a lot of new ones (like how to communicate securely). Unfortunately, most sites
seem to have implemented 802.11 wireless networks without much thought
for security.
A Wild Wireless World
The first problem is controlling access to your network. With Ethernet and
related (cable-based) technologies, your site was usually physically
secure, helping to prevent people from plugging their laptops, etc. into
your network. Thus, even if someone managed to plug into your network, they had to manually discover who else was attached. While this wasn’t impossible,
its difficulty improved the chances of you noticing an attacker (since they couldn’t use
completely passive techniques).
With a wireless network, unless your building
is externally shielded or has a large open area around it, an attacker will
be able to gain “physical” access to the network just by bringing
his laptop into proximity with your network (up to several hundred feet). An attacker can as well use entirely passive methods to monitor network traffic.
All they need, again, is a laptop with a wireless card and slightly modified software
to grab all the wireless data — instead of ignoring any traffic not destined
to their computer.
Another largely unremarked problem is that of wandering wireless users. They are likely to leave their wireless card in and operating, meaning an attacker
can set up a rogue wireless network to which the users attach themselves. If
the users then send any unencrypted data, or have open file shares, for example, they potentially open themselves up for an attack.
Attackers can also set themselves
up as servers on other legitimate networks, and by running a rogue DHCP server
redirect all traffic through their machine or commit other attacks. Users will
open themselves up to monitoring of how much data they transfer, what kinds of
data, when they transfer it, and so on. If your network is not properly secured,
people will use it as a free ISP and likely commit illegal acts
to gain access to the Internet.
“But WEP Will Encrypt Everything”
This is going to be the biggest mistake made with wireless networking. Once it is
up and running, people will be quite pleased with themselves and not likely to
spend real time or effort securing it. Since this form of networking is
new and not very well understood — not that much of networking is well understood — administrators are likely to think, “well, it has 128-bit WEP encryption,
so we’re secure.” Unfortunately, it is very easy to set up a network, wireless
or otherwise, so that everything works as it should, data moves happily between
systems, and the whole thing is insecure.
You can configure a wireless network to broadcast
its name, or not. It’s probably wise not to broadcast, so that people are less
likely to accidentally discover it. You can configure most wireless access points
to allow only certain MAC addresses (the way Ethernet 802.11 uses MAC addresses).
As with Ethernet, MAC addresses can be spoofed, but restricting them
will keep out casual explorers. Sadly, WEP is rather weak. And while it is not yet possible to download
a software package that will let you break into wireless networks at will, it
is only a matter of time before something like this is released. And of course,
such tools exist in private hands already.
So How Do I Secure It?
I’m glad you asked. It’s quite obvious at this point that traditional methods are
out. Controlling physical access to the wireless network is inadequate unless you shield
your building or have a large (empty) buffer zone surrounding it. Depending
on WEP to authenticate users and control access is probably a lost cause in
the long term. While it will keep out casual attackers, anyone that actively
targets you will probably get their hands on the tools needed to break WEP.
At this point we are stuck with an Ethernet network that essentially uses hubs
to move traffic around. While hub-based networks are exceedingly prone to security
problems, they can be secured.
The best solution is probably to require the use
of IPSec for all hosts on the wireless network. While this will incur a
performance penalty, it will solve problems of impersonating users, monitoring
user data, and so on. Various IPSec implementations support the use of certificates
and other forms of strong authentication. Windows 2000 sports a combination of
(integrated) Kerberos, IPSec and Microsoft authentication methods along with
policy support (i.e., traffic to foo must be encrypted, but not to bar). With
almost universal support for IPSec, and the generally low speeds of 802.11 (maximum
11 megabits, probably shared with others), this plan shouldn’t be too difficult to implement
or sell to management.
Beyond this, you should place a firewall between the wireless
network and the rest of your network. Unless a user authenticates properly, they
should be contained to the wireless network, where they can do less damage. A
system similar to this is used by the University of Alberta for its public
Ethernet networks, as described in a paper by Bob Beck. Essentially, users authenticate
to a server via Kerberos — which is resistant to passive monitoring and active
attacks — after which the firewall allows connections from that IP address for
a while (closing it down after a period of inactivity). However, this still allows
the attacker access to others on the wireless network, so end security on user
machines is still important.
Wireless networks are inevitable. 802.11, Bluetooth, and others are coming.
They all in general have poor security models and flawed implementations. Relying on their built-in security is not a good long-term choice. Relying
on wireless features such as frequency hopping and spread spectrum radio is
also not ideal, as the same consumer equipment can usually be used to monitor
it.
Sad to say, you will likely need to “roll your own” security
solution. But even if this goes as planned, an attacker will still be able
to attack your wireless users. Any user with a wireless machine should probably
be forced to meet a baseline set of security requirements: having a
firewall installed, disabling services, and so on. Hopefully the next major wireless
network protocol will be done correctly.