Previous Section  < Day Day Up >  Next Section

Dangers of Wireless LANs

While they offer flexibility and functionality that a wired LAN can't offer, they also introduce some unique challenges and dangers to the security-minded network administrator. Here are some things to consider when adding wireless LANs to your infrastructure.

Eavesdropping

The easiest thing for a hacker to do to a wireless network is to gather packets using a wireless sniffer. There is very little you can do about this, barring encircling your building in lead shielding! The designers of wireless networks did think about this, and built into the design an encryption standard called Wired Equivalent Privacy (WEP) so that the data could be encrypted. Unfortunately, a fundamental flaw in the way the algorithm works makes it potentially crackable (one of the tools later in this chapter demonstrates this). So even with WEP running, any data that travels over a wireless network is potentially subject to inspection by outsiders. Someone could listen over your wireless link, sniffing for logins, passwords, or any other data.

Access to Wireless PCs

A wireless link gives potential attackers a vector into a machine on your network. Besides the access points, machines with wireless cards can sometimes be seen from the outside. Using this mode of access, they can launch attacks against a machine that is probably not protected by your firewall and may not be locked down like your perimeter defenses or public servers.

Access to the LAN

This is probably the biggest danger that wireless networks present. If hackers can get access to your LAN via a wireless access point, they often have the keys to your kingdom. Most LANs run an unrestricted DHCP server, so hackers can get a valid IP address and begin exploring your network. They can then run vulnerability scanners or port scanners such as Nessus and Nmap to find machines of interest and to find holes to exploit.

Anonymous Internet Access

Even if hackers are not interested in what is on your LAN, they can use your bandwidth for other nefarious uses. By logging onto your network and then accessing the Internet, they can hack and do whatever damage they wish to do without it being traceable back to them. Any attacks or mischief perpetrated from this connection will be traced to your network. The authorities will come knocking on your door, not theirs. This method of hacking will become more common as hackers realize how hard it is to trace attacks originating in this manner. There is little chance of catching someone coming from a wireless network unless you have expensive triangulation equipment in place beforehand. Unsecured wireless LANs offer hackers the best anonymous access there is.

802.11-Specific Vulnerabilities

In addition to the basic insecurities of wireless LANs, there are some problems specific to the 802.11 standard. Some of these are due to the manufacturer's bad design or default configurations. Other issues are due to problems with the standard's overall design.

Default SSIDs

Each Wi-Fi base station has a specific identifier that you must know to log onto the network. This provides some level of security if it is implemented properly. Unfortunately, many people fail to change the default SSID set by the manufacturer. It is easy to find networks with the manufacturer's default SSID, such as linksys, default, and so on. When hackers see this, they can assume that the administrator didn't spend much time setting up and securing the wireless network.

Beacon Broadcast

Beacon broadcasts are an inherent problem with wireless networks. The base station must regularly broadcast its existence so end user radios can find and negotiate a session, and because the legitimate user devices have not been authenticated yet, this signal must be broadcast in the clear. This signal can be captured by anyone, and at a minimum they then know that you have a wireless LAN. Many models let you turn off the SSID portion of this broadcast to at least make it a little harder for wireless eavesdroppers, but the SSID is still sent when a station is connecting, so there is nonetheless a small window of vulnerability.

Unencrypted Communications by Default

Most wireless LAN devices today offer the option of turning on the built-in wireless encryption standard WEP. The problem is this usually has to be turned on manually. Most manufacturers ship their equipment with it off by default. Many administrators are in a hurry to set up a wireless network and don't take the time to enable this important feature. If a nontechnical person is setting up the network, the chances are almost nil that the encryption will get turned on. There is also the issue of sharing the secret key with all your users, since WEP uses a single key among all users. This can be an administrative nightmare if you have a lot of users connecting wirelessly.

Weaknesses of WEP

Even when the built-in encryption is used, the signal is still at risk of being read. There are some fundamental weaknesses in the implementation of the encryption algorithm in WEP that allows it to be broken after a certain amount of traffic is intercepted. These weaknesses have to do with the way the keys are scheduled. WEP uses weak initialization vectors (IVs) at a high enough rate that it eventually becomes possible to crack the key. Once the encryption is broken, not only can attackers read all the traffic traversing the wireless network, they can probably log on to the network. So while WEP offers some basic protection against casual eavesdroppers, any serious interloper is going to have software to potentially crack the encryption.

    Previous Section  < Day Day Up >  Next Section