What Is Wireless Security
Pages: 1, 2

Preventive Measures

Another way of deflecting the attacks is to change the WEP keys periodically. Before an attacker can gather enough information to deduce the keys, the keys themselves change. Unfortunately, WEP does not provide a facility to distribute keys to deployed devices. Traditionally, keys are delivered through some alternate communication method, usually involving a wired network that is considered to be secure. Key distribution is one management problem associated with WEP that causes administrative and security headaches. Another is the management of authorization for deployed devices. Device management is usually done through MAC addresses. A deployed wireless network allows or disallows access to the network by checking the requester's MAC address against an access-control list. Complications arise because most managers administer their access control lists at individual access points, rather than through a centralized database.

This decentralized approach gives rise to a large number of lists. If hardware is lost or stolen, updating the access points individually is time-consuming. Also, access control via MAC addresses has a greater problem: MAC-address spoofing is relatively trivial for the determined hacker or espionage agent to implement. As the above issues illustrate, not only is security flawed, but administration of the security structure in wireless networks is flawed as well.

IEEE 802.11x is an IEEE standard for "port-based network access control." It allows the decision of whether or not to permit network access to be made at the port, the point of contact to the network itself. Until a port is authenticated, it can be used only to pass traffic associated with the authentication process. Authentication can be user-based and managed at a centralized authentication server. In addition, 802.11x provides optional abilities to distribute keys. With its combination of centralized management, management by user instead of device, network protection, and key delivery, 802.11x seems to be the prescription for security, correcting WEP's failings.

The 802.11x protocol specifies Extensible Authentication Protocol (EAP) to carry authentication messages. As "extensible" implies, EAP can carry any number of actual authentication protocols. One example of an EAP authentication method is EAP-TLS. This protocol packages Transport Layer Security (TLS), an evolution of the Secure Sockets Layer (SSL) used in secure web browsing, on top of EAP's message structure. Another example is EAP-OTP, which specifies the use of "one-time passwords." For successful authentication, the entity requesting access to the network and the network's infrastructure must both support the same EAP "flavor." While a deployment requires administrators to consider infrastructure costs and interoperability, the technology is presently available, and deploying a wireless network without it would be a critical oversight.

Security Protections for Your Organization

If your organization wants to establish proper security protections, here are some important guidelines to follow.

• Wireless security policy and architectural design: The security policy of an organization should include wireless networking as a part of overall security management.

• Treat access points as untrusted: There is need for evaluating access points at regular time periods to find out whether they can be treated as untrusted devices. This will involve placing the appropriate firewalls, VPNs and IDS between the access point and intranets or the internet.

• Access point configuration policy: One needs to define the standard security settings for access points before deploying them.

• Access point security assessments: With the help of regular security audits, one can identify poorly configured access points.

Summary

Ultimately, security is everybody's business, and only with everyone's cooperation and consistent practices will it be achievable. Wireless security is a work in progress, so it is essential to administer a wireless network so that it becomes more and more secure. And with more organizations focusing strongly on wireless security, we can only expect to see many more secured wireless networks in the future.

References

The following online resources provide detailed information on wireless security.

• www.wardrive.net
  This site offers information on IEEE 802.11x wireless standards, including a quick checklist on wireless security.

• wireless.ittoolbox.com
  This site offers useful information on various aspects of wireless security, including white papers that provide in-depth details on wireless security.

• netsecurity.about.com/od/hackertools/a/aa072004b.htm
  This site has an interesting article on wireless security. Follow the link for "wireless network security" to learn more about pass phrases and encryption.

• compnetworking.about.com/od/wirelesssecurity
  This site has useful resources on wireless security and details on securing a wireless network.

• www.tml.tkk.fi/Opinnot/Tik-110.501/1997/wireless_lan.html
  This site offers detailed information on security in wireless local area networks. You'll get a clear understanding of wireless standards and the various threats and vulnerabilities to wireless networks, compared with their wired counterparts.

• www.intranetjournal.com/articles/200307/ij_07_10_03a.html
  This article explains how to set up a wireless network, focusing on access points and security.

• www.smallbusinesscomputing.com/webmaster/article.php/1383741
  The ten recommendations listed on this site detail what to do to secure a wireless network.

Swayam Prakasha has been working in information technology for several years, concentrating on areas such as operating systems, networking, network security, electronic commerce, Internet services, LDAP, and Web servers. Swayam has authored a number of articles for trade publications, and he presents his own papers at industry conferences. Currently he works at Unisys Bangalore in the Linux Systems Group.

Return to the Security DevCenter.

Any wireless network security tips to share? Let us know.
You must be logged in to the O'Reilly Network to post a talkback.

Showing messages 1 through 9 of 9.

• Lacking many points
  2006-07-21 09:01:14  skdvr369-1 [Reply | View]
  
  
  This article seemed to miss a lot, I thought. WEP is old news, WPA is usually available and much stronger. RADIUS does not necessarily have cleartext key transmission, and DIAMETER is even more comprehensive tho not mentioned. Discussion of rogue access points, evil twins, etc. was missing. Ad Hoc connections can be prevented by proper configuration of clients. Illegal association can be made more difficult by MAC filtering. And organizations who are serious need to monitor rf activity in their area, not just traffic.

• Just loved it
  2006-04-05 01:31:18  IT_Person [Reply | View]
  
  
  Interesting article. Enjoyed it very much. I rate this 8 on a scale of 10.

• Very informative
  2006-04-05 01:05:54  secure147 [Reply | View]
  
  
  This article was very informative...especially for people who want to get a feel of wireless security. Hoping for many more articles like this.

• A good one
  2006-04-05 00:57:54  techie_06 [Reply | View]
  
  
  First of all, I must admit that there was a clear effort from the author in providing the useful information. And who says that there is no such thing as 802.11x? 802.11x refers to a group of evolving wireless local area network (WLAN) standards that are under development as elements of the IEEE 802.11 family of specifications.
  
  One word of caution from my end : Please donot post the comments just for the name sake. We need to know what is existing and what is not existing before posting the comments.
  
  I will give 8/10 for this piece.

• Disappointing
  2006-04-04 18:06:53  HeraldMage [Reply | View]
  
  
  For a Web posted article, where column length has no "cost", this one should have been more detailed on the actual security methods. And to say that disabling SSID broadcast makes a hacker's life much tougher is laughable. Basic script kiddies even have easy click-and-hack tools now to find hidden SSIDs. Security by obscurity is never reliable, and should not be suggested as such in a Secuirty Center forum. It's far more effective to connect the APs to a firewall and use that to control who can go out, use personal firewalls to protect the clients, and use IPsec VPNs to encrypt the traffic to the eventual wired LAN. Not a bad start, but very very superficial and weak for the usual O'Reilly excellence.

• Errors and omissions
  2006-03-31 21:35:19  imipak [Reply | View]
  
  
  First, there is no such thing as 802.11x - the correct name is 802.1x - and the protocol is a full security protocol, not a port restriction mechanism.
  

  
  Secondly, there is no mention of IPSec - a major player in security that covers both wired and wireless networks.
  

  
  Lastly, the article seems to assume that you have only mobile stations connected to a single wireless access point that is itself connected to a wired network. None of these are necessarily true.
  

  
  Indeed, this is why there are over 150 routing protocols defined for wireless networks, and why the IETF have two working groups - one for mobile computers that may move between wireless access points, and one for where an upstream router may itself be a wireless device.
  

  
  The article, as it stands, would make an excellent first chapter (if the 802.1x error is fixed) for a much longer piece that covers the different types of mobile scenario and what needs to be done in each.
  

  
  However, as a finished piece, I can only give it a 5/10.

• Errors and omissions
  2006-04-11 21:03:57  Matthew Gast | [Reply | View]
  
  
  As security advice, SSID hiding is woefully misguided. All but the most rudimentary analysis tools automatically recover the SSID from network management traffic. Hiding the (unencrypted!) SSID serves only to break client devices and generate calls to the help desk.
  
  Using WEP for anything other than casual security is advice that is years out of date. Networks built today should use WPA or WPA2 pre-shared keys at a minimum. Some devices, including a few small office devices sold at Best Buy, can also use the authenticated key management systems from 802.11i.
  
  Contrary to what the article states, WEP keys can be distributed and refreshed through 802.1X. The first serious 802.1X interoperability demonstration happened in the Interop Labs in May of 2002, nearly four years ago.
  
• Errors and omissions
  2006-04-01 23:14:34  newuser007 [Reply | View]
  
  
  I guess that master's degree hasn't done him much good.

• What about WPA?
  2006-03-31 12:06:02  scottnelson [Reply | View]
  
  
  I was hoping for some information about WPA...