Detect rogue access points: unsecured wireless access points negate any effort you've made to protect your network--even implementing firewalls. Here's how to detect them.


A BEAT UP VAN PULLS UP in front of a dark office building late at night. A bleary-eyed technician furiously taps away at the keyboard. Like a rat drawn to cheese, his pace accelerates as he gathers information about your network. Within half an hour, he takes control of the domain, and begins hunting for valuable information. Working late into the night, he copies databases and private files. Just before sunrise, he pulls the antenna from the top of the van as the vehicle shudders away from another successful attack.

What helped make this attack successful? An employee installed a wireless access point (AP) and left the default security settings, leaving the network wide open. One open AP effectively extends an unprotected wireless connection to the area surrounding your building, compromising any investments you've made to protect the network perimeter. A more sophisticated attacker could use a high-powered antenna to attack from miles away.

This potential breakdown of the perimeter defenses has inspired several technologies and methods designed to find weak spots. Rogue AP discovery techniques vary in format and price. In this article, I break them into three categories: war-walking, wireless intrusion detection systems (IDSs), and network layer authentication.

War-walking

War-walking is the most common approach to detecting rogue APs. It involves walking around the company building(s) with a laptop and wireless network equipment looking for unauthorized connections. This isn't a one-time job; it's best to war-walk regularly.

This technique requires specialized equipment and software. At the least, you need a laptop with a wireless card and antennas. A spare battery, a global positioning system (GPS) device, and an additional wireless card (with an alternate chipset) are helpful extras.

After you assemble the basic equipment, I recommend trying the following software packages: Netstumbler, AiroPeek, Kismet, and BSD-Airtools. See the sidebar on this page for a discussion of wireless tools. Generally, it takes an experienced technician to use this software effectively, so you might have to outsource this task. If you hire a consulting firm to perform the scans, I recommend carefully screening them. Some companies set up a non-networked rogue AP to test the consultants. A good team should easily discover the device using the war-walking approach.

Wireless intrusion detection system

There are two ways to use a wireless intrusion detection system (IDS) to detect rogue access points. The first involves scanners that use a unique identifier called a Media Access Control (MAC) address to locate rogue access points. (MAC addresses are like license plates the manufacturer assigns to each access point.) However, this method comes with a weakness: many access points let the user easily hide the AP's true MAC address through "MAC spoofing." Spoofing lets the access point change its MAC address to any value the user desires. This eliminates the ability to identify an access point by its unique MAC. A Linksys AP can impersonate a Cisco AP by simply spoofing the Cisco's MAC address. This means you can't rely solely on MAC scanners to locate rogue access points.

In response to MAC spoofing, another method has evolved, providing more reliable results. This method involves establishing a secondary wireless network with the sole purpose of listening for rogue wireless devices. Administrators use a set of sensors to listen for unauthorized traffic. This approach requires a substantial investment to create a physical network of listening devices. For example, with the AirDefense implementation (discussed in the sidebar on wireless tools) you install these listening devices next to existing APs, and configure them via a Web interface. After they're installed, these current generation wireless IDS tools provide good detection, but they still only detect rogue APs after installation.
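As an added example (not code from the article or from any of the tools it names), here is how a detector that goes beyond a pure MAC match might be written: it compares a constructed war-walk scan against an inventory of authorized APs and flags both unknown BSSIDs and authorized BSSIDs whose advertised SSID, channel or encryption disagree with the inventory, which is exactly the case a MAC-only scanner misses when the MAC has been spoofed. All BSSIDs, SSIDs and inventory entries are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ObservedAP:
    """One access point as seen in a scan (beacon or probe response)."""
    bssid: str       # MAC address the AP advertises
    ssid: str
    channel: int
    encryption: str  # "open", "wep" or "wpa" (constructed labels)


# Constructed inventory of authorized APs: BSSID -> attributes the
# corporate network is supposed to show. Keys are lowercase.
AUTHORIZED = {
    "00:0b:0e:aa:bb:01": ObservedAP("00:0b:0e:aa:bb:01", "CORP", 1, "wpa"),
    "00:0b:0e:aa:bb:02": ObservedAP("00:0b:0e:aa:bb:02", "CORP", 6, "wpa"),
}


def classify(observed, authorized=AUTHORIZED):
    """Return a list of (bssid, verdict, reason) tuples.

    A BSSID absent from the inventory is a rogue candidate. A BSSID that is
    in the inventory but whose SSID/channel/encryption disagree with it is
    flagged as suspect: a MAC match alone proves nothing, because an AP can
    spoof the MAC of an authorized one.
    """
    corp_ssids = {ap.ssid for ap in authorized.values()}
    findings = []
    for ap in observed:
        known = authorized.get(ap.bssid.lower())
        if known is None:
            if ap.ssid in corp_ssids:
                reason = "unknown BSSID advertising a corporate SSID"
            else:
                reason = "BSSID not in inventory"
            findings.append((ap.bssid, "rogue", reason))
        elif (ap.ssid, ap.channel, ap.encryption) != (
                known.ssid, known.channel, known.encryption):
            findings.append((ap.bssid, "suspect",
                             "authorized MAC but attributes differ: "
                             "possible MAC spoofing or reconfiguration"))
        else:
            findings.append((ap.bssid, "authorized", "matches inventory"))
    return findings


# Constructed scan: one legitimate AP, one authorized MAC on the wrong
# channel with no encryption, one default-config consumer AP, and one
# unknown MAC broadcasting the corporate SSID.
SCAN = [
    ObservedAP("00:0b:0e:aa:bb:01", "CORP", 1, "wpa"),
    ObservedAP("00:0B:0E:AA:BB:02", "CORP", 11, "open"),
    ObservedAP("00:06:25:11:22:33", "linksys", 6, "open"),
    ObservedAP("00:12:34:56:78:9a", "CORP", 6, "wpa"),
]

if __name__ == "__main__":
    for bssid, verdict, reason in classify(SCAN):
        print(f"{bssid}  {verdict:<10}  {reason}")
```

A real deployment would feed `classify` from the scanner's export (Netstumbler or Kismet logs) on every war-walk, and treat "suspect" as the signal that a MAC-only comparison would have missed.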

Network layer authentication

The final approach goes a step beyond detection to prevention. It takes advantage of security features in the next generation of network protocols, called 802.1X. This protocol can require encrypted credentials before a device attaches to the network. It requires careful configuration to avoid serious security flaws. However, a proper configuration only lets users with the correct information plug a wireless device into the network. A system properly implemented with this final approach is preventative, achieving a higher level of security and ease of administration.

Getting started

The first step to wireless security is establishing stronger internal security. You're protecting the network from hostile internal users, as well as other breaches in the perimeter. Second, you should develop techniques and implement a schedule for rogue access point discovery. Finally, you must create strong wireless policies and educate your company's business users about the proper use of wireless technology.

The advent of wireless technology makes in-depth security a crucial part of every enterprise. More than ever, companies must carefully protect their networks from the risks, while learning to leverage the benefits.

MOBILE BUSINESS BENEFITS

The beauty of wireless technology is that it's so accessible. You can find access points and wireless network cards in every consumer electronics store, and the equipment itself isn't too difficult to set up. But, with this strength comes a weakness: This ease of use gives users a false sense of security--literally. Many wireless enthusiasts only know just enough to install the access point. By leaving the default settings, they expose the corporate network to new threats. This opens a direct connection to the network that bypasses any firewalls.

RELATED ARTICLE: Strengthening Wi-Fi security.

The Wireless Fidelity Alliance has a plan for improving Wi-Fi security. Long the Achilles' heel of the popular wireless LAN (WLAN) technology, security is one of the biggest obstacles to Wi-Fi adoption in the enterprise. For example, Wired Equivalent Privacy (WEP)--the encryption mechanism used to protect data on 802.11b networks--is known to have serious flaws. These problems have cast doubt on the WLAN industry.

To address this problem, the Wireless Fidelity Alliance is replacing the WEP security standard with an IEEE standard called Wi-Fi Protected Access (WPA). WEP uses fixed keys that are easy to attain via commonly available software such as Netstumbler. In contrast, WPA uses Temporal Key Integrity Protocol (TKIP), generating a new key for every 10KB of data transmitted over the network. WPA will be integrated into 802.11i.

"This approach allows the industry to bring a strong, standards-based security solution to the market today while giving the IEEE 802.11 Task Group I the time to complete and finalize the full 802.11i Robust Security Network amendment to the existing wireless LAN standard. Security is, and will continue to be, the highest priority for the Wi-Fi Alliance and for the industry," says Wi-Fi Alliance Chairman Dennis Eaton.

The WPA standard is backward-compatible with equipment already in use. Most vendors are expected to offer firmware and software updates for Wi-Fi certified products currently in use.

Wi-Fi-certified products using WPA will appear on the market in the first quarter of 2003. 802.11i will offer a new version of the Wired Equivalent Privacy (WEP) security protocol that uses a 128-bit key instead of the 40-bit key currently in use.

The Wi-Fi Alliance is a non-profit organization formed in 1999 to certify interoperability of 802.11 products and to promote them as the global wireless LAN standard. The Wi-Fi Alliance has instituted a test suite to certify that products are interoperable with other Wi-Fi certified products. For more information about the Wi-Fi Alliance, go to http://www.wi-fi.org.

RELATED ARTICLE: Wireless tools.

Netstumbler

Marius Milner

http://www.netstumbler.org

Free

This software package comes with a user-friendly interface for access point discovery. However, Netstumbler doesn't help you detect access points that have beaconing disabled. (Beacons let the access point advertise its existence to the world. Because 802.11b doesn't require beacons to function, you should disable them if possible.) In spite of this shortcoming, this tool helps even novice users discover access points.

AiroPeek NX

WildPackets, Inc.

http://www.wildpackets.com

US$3,495 for a single-user license with 12 months of support

AiroPeek is a sniffer that provides a tremendous amount of information about wireless traffic. The designers at WildPackets have done a good job creating an interface and robust filtering system to help users sort through all this data. The latest version detects both 802.11b and 802.11a traffic.

BSD-Airtools

Dachb0den Labs

http://www.dachb0den.com

Free

BSD-Airtools is a sniffer software package for BSD-UNIX systems. This comprehensive set of tools includes a wireless sniffer, a packet capture tool, a Wired Equivalent Privacy (WEP) key generator, and a WEP cracker. I use this tool primarily when testing WEP key strength. This tool is invaluable, but you must know BSD to use it effectively. For more information about WEP and its security implications, see the sidebar on strengthening Wi-Fi security.

Kismet

Kismet Wireless

http://www.kismetwireless.net

Free

This Linux-based tool comes with many of the features of BSD-Airtools, with the exception of the WEP cracking capability. One of Kismet's most useful features is its ability to tie GPS coordinates to maps. I recommend this tool for people comfortable with Linux, but still learning BSD systems.

AirDefense

AirDefense, Inc.

http://www.airdefense.net

Prices range from US$15,000 for a basic system up to US$79,000 for enterprise solutions.

This hardware solution uses a system of access points to act as a listening network designed to detect new, rogue access points on the network. This requires the expense of establishing a second network of listening devices, and a central device for collecting data. However, depending on the size of your company, the price may be reasonable when compared with war-walking your entire campus every few months.

John Eder gained invaluable consulting experience working in the security and technology solutions practice at Ernst & Young, LLP. While with Ernst & Young, he also earned his Cisco Certified Network Administrator (CCNA) and Certified Information System Security Professional (CISSP) certifications. John now works as a system security consultant for Experlan Corporation. He is active in the security community, presenting and writing on wireless and application security. John's latest research focuses on methods for rogue access. johneder@solaero.com.
COPYRIGHT 2003 Advisor Publications, Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2003, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Title Annotation:Wireless Security
Author:Eder, John
Publication:Mobile Business Advisor
Geographic Code:1USA
Date:Feb 1, 2003
Words:1677