|
AP Service Set Identifier
(SSID) broadcast. This is the name of the wireless network. Although a
unique name is not required, most system administrators will want to change the
SSID from the default name that comes installed on the AP. In order for a
station to communicate with the AP, both station and AP must be configured with
matching SSIDs. |
The broadcast of the SSID to the world from the AP can be
used by an attacker as a first step in gathering the information required to exploit
a WLAN. If a WLAN is not configured to operate as a closed system, it will
respond to clients with the "Any" SSID assigned or broadcast the SSID to
clients at large, resulting in an unacceptable exploitation risk. Although an
equipped adversary can still capture the SSID over the wireless interface (it is
carried in cleartext in probe and association frames), the SSID should be changed
from the default to deter unsophisticated attempts to connect to the wireless
network. |
Change the AP SSID from the factory default and set the AP up as a "closed"
system. A closed system is one that does not respond to clients with the "Any" SSID
assigned, nor does it broadcast the SSID to clients at large. Instead, as
a client scans for APs in range with which to associate, the AP expects a
management frame containing the SSID that matches its own configuration. Treat
this as a deterrent rather than an access control: a closed system hides the
network only from casual discovery. |
|
AP default setting of "no
encryption." The WEP encryption built into 802.11b should be enabled at a
minimum; it is far better than sending traffic in the clear. Be aware, however,
that WEP's design flaws (see "Encryption key length" below) allow an attacker
with freely available software to recover the key from captured traffic, so WEP
should be regarded as a deterrent and replaced by a stronger protocol wherever
the equipment supports one. |
An AP default setting of "no encryption" will result in data
transmitted in the clear, which will increase the ease of monitoring and/or
compromise. As a result, any person with a laptop, PC card, and range-extended
antenna may be able to see and access the WLAN. |
Change the AP encryption setting from 40-bit to 128-bit
encryption. Encryption settings should be set for the strongest encryption
available in the product, consistent with the security policy of the organization.
Typically, APs have only a few encryption settings available: none, 40-bit
shared key, and 128-bit shared key (with 128-bit being the strongest). The
encryption WEP performs, RC4 keystream generation and an exclusive-OR with the
payload, places no appreciable additional burden on the processors carrying it
out. Although a larger key space is normally recommended because of its greater
effectiveness, the benefit is much smaller for 802.11 WEP: the known attacks
exploit the 24-bit IV and weaknesses in the RC4 key scheduling rather than
exhausting the key, and a longer key does not close those weaknesses. High
encryption levels are recommended nonetheless. |
|
AP shared key
authentication. Shared key authentication supports authentication of
station devices accessing the network as either a member of those who know a
shared secret key or a member of those who do not. Shared key authentication
accomplishes this with the use of the WEP privacy mechanism: the AP sends a
cleartext challenge and the station returns it WEP-encrypted. Therefore, this
authentication scheme is only available if the WEP option is
implemented. |
Shared key authentication presents greater risk for two reasons. Many
vendors use default shared keys that could be exploited by unauthorized devices
to gain unauthorized access to the network, and the challenge/response exchange
itself hands an eavesdropper both the plaintext challenge and its ciphertext,
which XORed together yield the RC4 keystream for that IV. That keystream can be
replayed to answer a later challenge without any knowledge of the key, so shared
key authentication is weaker than open system authentication, not stronger. When
using shared key authentication, make sure that the keys are unique. |
Ensure that shared key authentication is not enabled. Use open system
authentication combined with a higher-layer authentication mechanism, such as
username and password or 802.1X/EAP, instead of shared key. |
|
AP Ethernet MAC access
control lists (ACLs). While an AP or group of APs can be identified by
an SSID, a client computer can be identified by the unique MAC address of its
802.11 network card. Every 802.11 radio, in the AP and in each client, has a
MAC address; it is usually printed on a label attached to the device. |
MAC addresses can be spoofed because they are passed as
cleartext from a wireless NIC to an AP and can be easily captured. This can
result in unauthorized access to the WLAN. Malicious users can spoof a MAC
address by changing the actual MAC address on their computers to a MAC address
that has access to the wireless network. A MAC address is a hardware address
that uniquely identifies each computer (or attached device) on a network.
Networks use the MAC address to help regulate communications between different
computer NICs on the same network subnet. Many 802.11 product vendors provide
capabilities for restricting access to the WLAN based on MAC ACLs that are
stored and distributed across many APs. The MAC ACL grants or denies access to a
computer using a list of permissions designated by each specific MAC address;
however, the Ethernet MAC ACL does not represent a strong defense mechanism by
itself. |
Limit reliance on MAC ACLs and do not use them as the means of authentication
to the WLAN. As one additional layer, each AP can be
programmed with a list of MAC addresses associated with the client computers
allowed to access the AP; if a client's MAC is not in this list, the client will
not be allowed to associate with the AP. Because an attacker can copy an
authorized address observed on the air, the list raises the bar only slightly
and must be backed by encryption and real authentication. |
|
AP ad hoc mode. Ad
hoc mode is used when you are setting up a wireless NIC solely for the purpose
of communicating with other wireless NICs in a peer-to-peer fashion. When two
stations are close enough together to communicate and their network adapters are
set to ad hoc mode, the stations form an independent basic service set (IBSS)
with no AP involved. |
Wireless devices can run in either "infrastructure" or "ad
hoc" mode. Ad hoc, or peer-to-peer, networks use a different mode in the
wireless NIC to permit wireless clients to communicate directly with each other,
rather than through an AP. Ad hoc networks carry
significant potential dangers because they are a system of interconnected
computers that exist beyond the security control of the WLAN. Peer-to-peer ad
hoc network connections between devices with WLAN cards do not require an access
point or any form of authentication from the other stations to which they connect.
Although ad hoc networks can be a convenient feature for users to transfer files
between stations or connect to shared network printers, they present an inherent
security risk: a station in ad hoc mode opens itself to a direct attack
from an attacker who can download files from the victim's station or use the
authorized station as a conduit to the entire network. A wired-side network
monitor is not capable of detecting these risky networks because they never
touch the wired network. |
Ensure that ad hoc mode has been disabled. This will
mitigate the possibility of computers connected to the WLAN that are beyond its
security control. |
|
AP user password.
|
Login to the AP by unauthorized users is possible if no
password is required. Although you must use the default password when you first
open the configuration pages of the AP, immediately change the password to avoid
a security breach because a default password is generally known or readily
available. |
Implement strong AP user passwords with both alphanumeric
and special characters and a minimum password length of eight characters. In
addition, password expirations should be set at 30 days. |
|
AP placement. Some
APs and associated software come with basic tools to optimize placement of APs;
however, with multiple APs in large areas, this process becomes rather
difficult. It is important to keep the range of the AP within the physical
boundaries of the complex that the WLAN is housed in to mitigate the risk of
unauthorized interception of signals. |
APs incorrectly placed inside buildings can be susceptible
to interception by unauthorized users. It is important to consider the range of
the AP when deciding where to place an AP in a WLAN environment. If the range
extends beyond the physical boundaries of the office building walls, the
extension creates a security vulnerability. An individual outside of the
building, perhaps someone "war-driving," could eavesdrop on network communications by
using a wireless device that picks up the RF emanations. |
Use a site survey tool to measure the range of AP devices,
both inside and outside of the building where the wireless network is located,
to ensure that coverage does not extend beyond the intended coverage area. Site
survey tools that can be used to measure and secure AP coverage are commercially
available. The tools, which some vendors include with their products, measure
the received signal strength from the APs. These measurements can be used to map
out the coverage area and are especially useful for identifying and controlling
the coverage range inside a building or room to help prevent the wireless
signals from extending beyond the intended coverage area. Organizations could
additionally use directional antennas to control emanations. |
|
AP administrative
password. The default AP administrative password is generally known
and/or readily available; hence, it is inherently insecure. |
Login to an AP by an unauthorized user is possible if no
password is required or the default password is not changed. This can lead to
unauthorized access to and/ or control of the AP. On some APs, the factory
default configuration does not require a password (i.e., the password field is
blank). Unauthorized users can easily gain access to the device if there is no
password protection. |
Implement strong AP administrative passwords. Ensure that a
strong (i.e., an alphanumeric and special character string at least eight
characters in length) password is set on every AP administrative account and
that the factory default is never left in place. Also, change the passwords on a
regular basis, preferably every 30 days. |
|
AP reset function.
This function returns the AP settings to their default settings. This function
will also cancel out existing security functions on an AP. |
The reset function allows an individual to negate any
security settings administrators have configured in the AP by returning the AP
to its default factory settings. An individual can reset the configuration to
the default settings simply by inserting a pointed object (such as a pen) into
the reset hole and pressing it. If a malicious user gains physical access to the
device, that individual can exploit the reset feature and cancel out any
security settings on the device. The default settings generally do not require
an administrative password, for example, and may disable encryption. The reset
function, if configured to erase basic operational information such as IP
address or keys, can further result in a network DoS, because APs may not
operate without these settings. |
Ensure that the required security settings (i.e.,
"encryption enabled") are in place and haven't been negated by inadvertent or
intentional use of the reset function. Having physical access controls in place
to prevent unauthorized users from resetting APs can mitigate the
threats. |
|
AP default shared
key. Many vendors use identical shared keys in their factory settings.
This default setting is easily exploited. |
Using a default shared key setting is a security
vulnerability because many vendors use identical shared keys in their factory
settings. The manufacturer may provide one or more keys to enable shared key
authentication between the device trying to gain access to the network and the
AP. A malicious user may know the default shared key and use it to gain access
to the network. |
Change the default shared key to a key of the full length the device supports,
generated randomly rather than chosen by hand. Merely substituting a short,
guessable string (for example "456812" in place of a factory default of "111111")
removes the default-key exposure but leaves a key that is itself easily guessed;
random key material is needed to gain anything from the key length. No matter
what their security level, organizations should change the shared key from the
default setting because it is easily exploited. |
|
AP channel
cross-over. Interference can dramatically affect the performance of any
WLAN. In general, interference is either caused by radio devices operating in
the same bands or by thermal noise, or both. For a single AP, thermal noise is
the only source of interference. With multiple cells, however, there is
interference from adjacent channels and cochannels. The overall impact of this
interference depends on the number of available frequency channels and cell
deployment. |
Vendors commonly ship APs set to the same default channel. When
implementing an AP, a different wireless network's AP operating on the same
channel, or on one fewer than five channels away, overlaps it in frequency and
can cause degradation or denial of service through radio interference, whether
accidental or deliberate. If two or more APs are located near each other but are
on different networks, the same interference results. |
Ensure that the AP channel is configured at least five
channels away from all other nearby APs on different networks. In the 2.4 GHz
band this separation follows from the 22 MHz width of an 802.11b channel and the
5 MHz spacing between channel centers, so channels 1, 6 and 11 are the only
three that do not overlap one another. If a nearby AP is using the same channel
or a channel within five of it, choose a channel in a different range. |
|
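The five-channel rule above can be worked out from the channel geometry. The following is an added example, not part of the original checklist: a small 2.4 GHz channel planner that computes the spectral overlap between two channels, lists the channels clear of every surveyed neighbor, and, for the crowded case where nothing clean remains, falls back to the channel with the least total overlap. The neighbor channel numbers are constructed values; in practice they come from the site survey.

```python
"""Added example, not from the original checklist: a 2.4 GHz channel planner
that applies the 'at least five channels apart' rule and handles the crowded
case where no clean channel is left.  Neighbor channel numbers are constructed
sample values standing in for site-survey results."""

CHANNEL_WIDTH_MHZ = 22          # 802.11b DSSS channel width
CHANNEL_SPACING_MHZ = 5         # spacing between adjacent channel center frequencies
USABLE_CHANNELS = range(1, 12)  # channels 1..11 (North American allocation)


def center_frequency_mhz(channel: int) -> int:
    """Center frequency for channels 1..13: 2412 MHz for channel 1, +5 MHz per step."""
    if not 1 <= channel <= 13:
        raise ValueError("channel out of range")
    return 2407 + CHANNEL_SPACING_MHZ * channel


def overlap_mhz(a: int, b: int) -> int:
    """Spectrum two channels share.  Two 22 MHz channels whose centers are
    5 MHz per channel apart stop overlapping once they are five channels apart."""
    separation = abs(center_frequency_mhz(a) - center_frequency_mhz(b))
    return max(0, CHANNEL_WIDTH_MHZ - separation)


def non_overlapping_channels(neighbor_channels, available=USABLE_CHANNELS):
    """Channels that overlap none of the surveyed neighbors."""
    return [c for c in available
            if all(overlap_mhz(c, n) == 0 for n in neighbor_channels)]


def best_channel(neighbor_channels, available=USABLE_CHANNELS):
    """Pick a clean channel when one exists; otherwise the channel with the
    least total overlap (lowest channel number wins ties).
    Returns (channel, total_overlap_mhz)."""
    clean = non_overlapping_channels(neighbor_channels, available)
    if clean:
        return clean[0], 0
    scored = [(sum(overlap_mhz(c, n) for n in neighbor_channels), c) for c in available]
    total, channel = min(scored)
    return channel, total


if __name__ == "__main__":
    print(non_overlapping_channels([1]))    # neighbor on 1: channels 6..11 are clean
    print(best_channel([1, 6, 11]))         # all three clean channels taken: least-overlap fallback
```

The fallback matters in dense deployments: once neighbors occupy 1, 6 and 11, every remaining choice overlaps something, and the planner reports how much rather than pretending the problem is solved.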
Encryption key
length. The RC4 algorithm and its implementation by the WEP protocol
have weaknesses that can be exploited. There are two weaknesses in the
algorithm: (1) it contains a large number of inherently weak keys, and (2) part
of the key can be exposed to an attacker if he or she can observe enough
encrypted traffic. |
40-bit encryption algorithms are trivial to crack, which can
lead to the compromise of data transited over the WLAN; however, 40-bit
encryption is better than none. The 40-bit algorithm that is part of WEP is
particularly vulnerable to attack because of its inherent design flaws. |
When possible, enable 128-bit encryption or higher. The key
sizes advertised by the manufacturers of WLAN equipment can be confusing; many
vendors advertise 64-and 128-bit WEP support, but actual key space is limited to
40 and 104 bits because the IV uses up 24 bits of the advertised space in
original WEP implementations. |
|
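The two WEP weaknesses discussed above (the shared key authentication exchange under "AP shared key authentication" and the IV problem under "Encryption key length") come down to the same thing: whoever obtains a keystream for one IV can reuse it, and the length of the secret key plays no part. The following is an added example, not code from the original checklist. It implements RC4 and the WEP per-packet key (IV prepended to the secret), recovers the keystream from a shared key authentication exchange to forge a response to a fresh challenge, decrypts a frame that reused an IV, and runs the identical code against 40-bit and 104-bit secrets. The CRC-32 integrity check and 802.11 framing are omitted; all keys, IVs and payloads are constructed values.

```python
"""Added example, not from the original checklist: a toy model of WEP showing
that keystream recovery works regardless of key length.  RC4 and the WEP
per-packet key (IV || secret) are real; the CRC-32 ICV and 802.11 framing are
omitted, and every key, IV and payload below is a constructed value."""
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling followed by `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style encryption: the 24-bit IV, sent in the clear, is prepended to
    the 40-bit or 104-bit secret to form the RC4 key."""
    if len(iv) != 3 or len(secret) not in (5, 13):
        raise ValueError("WEP uses a 3-byte IV and a 5- or 13-byte secret")
    return xor(rc4_keystream(iv + secret, len(plaintext)), plaintext)


def forge_auth_response(challenge: bytes, response: bytes, new_challenge: bytes) -> bytes:
    """Shared key authentication sends the challenge in cleartext and then
    WEP-encrypted under an IV the responder chooses.  challenge XOR response is
    the keystream for that IV; re-sending the same IV with this result answers
    any later challenge of the same length without knowing the secret."""
    keystream = xor(challenge, response)
    return xor(keystream, new_challenge)


def decrypt_reused_iv(known_plain: bytes, known_cipher: bytes, target_cipher: bytes) -> bytes:
    """Two frames under the same IV share a keystream.  One known plaintext
    (LLC/SNAP headers are predictable) exposes the other frame's contents."""
    return xor(xor(known_plain, known_cipher), target_cipher)


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: chance that two of `frames` randomly chosen IVs coincide."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * 2 ** iv_bits))


def demo(secret: bytes):
    """Run both attacks against a secret of either length and return
    (forged response accepted, plaintext recovered from the reused IV)."""
    iv = b"\x00\x00\x01"                  # constructed IV, reused by every frame below
    challenge = bytes(range(128))         # constructed 128-byte challenge
    response = wep_encrypt(secret, iv, challenge)
    new_challenge = bytes(reversed(challenge))
    forged = forge_auth_response(challenge, response, new_challenge)
    accepted = forged == wep_encrypt(secret, iv, new_challenge)  # what the AP would compute

    snap = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"  # LLC/SNAP header carried by every IP frame
    known_plain = snap + b"GET / HTTP/1.0\r\n"
    secret_plain = snap + b"password=hunter2"
    recovered = decrypt_reused_iv(known_plain,
                                  wep_encrypt(secret, iv, known_plain),
                                  wep_encrypt(secret, iv, secret_plain))
    return accepted, recovered


if __name__ == "__main__":
    for secret in (bytes(5), bytes(range(13))):
        print(len(secret) * 8, "bit secret:", demo(secret))
    print("P(IV collision after 5000 frames) =", round(iv_collision_probability(5000), 2))
```

Both attacks succeed identically for the 40-bit and the 104-bit secret, which is the point the checklist makes about key length; and the birthday calculation shows that a 24-bit IV space is expected to repeat after only a few thousand frames, so IV reuse on a busy AP is a certainty rather than a corner case.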
WLAN eavesdropping.
Eavesdropping is when the attacker simply monitors transmissions for message
content. An example of this attack is a person listening into the transmissions
on a LAN between two workstations or tuning into transmissions between a
wireless handset and a base station. |
Eavesdropping on wireless network communications could come
from either inside or outside the network if AP range extends beyond building
boundaries (e.g., eavesdropping could occur from such areas as parking lots
outside of buildings). Eavesdropping can result in acquisition of information
that optimizes someone's ability to gain unauthorized access and/or control of
the network. |
-
Implement encryption.
-
Ensure proper placement of APs. |
|
Bridge-to-bridge
eavesdropping. APs may also provide a "bridging" function. Bridging
connects two or more networks together and allows them to communicate to
exchange network traffic. Bridging involves either a point-to-point or a
multi-point configuration. In a point-to-point architecture, two LANs are
connected to each other via the LANs' respective APs. In multi-point bridging,
one subnet on a LAN is connected to several other subnets on another LAN via
each subnet AP. |
Eavesdropping can result in acquisition of information that
optimizes an attacker's ability to gain unauthorized access to and/or control of
the network. Enterprises may use bridging to connect LANs between different
buildings on corporate campuses. Bridging AP devices are typically placed on top
of buildings to achieve greater antenna reception. The typical distance over
which one AP can be connected wirelessly to another by means of bridging is
approximately two miles. This distance can leave a particularly large area in
which an adversary can place equipment to intercept unprotected
traffic. |
-
Implement encryption to limit eavesdropping on wireless
bridge-to-bridge communications.
-
Ideally, the APs should be strategically placed within a
building so that the range does not exceed the physical perimeter of the
building and allow unauthorized people to eavesdrop near the
perimeter. |
|
Media Access Control (MAC)
spoofing. A common and easy form of an identity theft is to "spoof" the
MAC address of an authorized user. An unauthorized user can change the MAC
address of his or her station to enter the network as the authorized
user. |
Absence of MAC filtering can result in unauthorized access
and/or control of the network. An unauthorized user can change the MAC address
of his or her station to enter the network as the authorized user. MAC spoofing
can also be used to defeat wired-side monitors that search for rogue access
points by probing the network for unauthorized MAC addresses. An employee can
hide rogue access points from these network scanners by changing the MAC address
of the access point to the MAC address of an authorized station. The rogue
access point attached to the enterprise network can appear as an authorized
station. MAC filtering occurs at Layer 2 of the OSI reference model, so a frame
from an address that is not on the list is discarded before any Layer 3
processing takes place; this costs the AP little, but it also means the filter
keys on nothing more than an address that an attacker can copy from the air.
Logging of access attempts is also important so that the administrator is
alerted to potential attempts to hack the network. |
Apply MAC filters as a secondary control. Upon attempting to associate with the AP,
the MAC filter will recognize the untrusted MAC and prevent traffic from
traversing the AP to the trusted network. The client may still be able to
associate to the AP, but the traffic is stopped. Because the filter is defeated
by copying an authorized address, it does not replace encryption and
authentication. |
|
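The two MAC entries above ("AP Ethernet MAC access control lists" and "Media Access Control (MAC) spoofing") say that a MAC ACL is cheap to enforce and easy to defeat. The following is an added example, not code from the original checklist, showing both halves over a constructed frame log: the ACL denial, and a heuristic that catches a spoofer sharing an authorized address. Every 802.11 frame carries a 12-bit sequence number that a single radio increments by one per frame (repeating it only for retransmissions), so two radios transmitting under one MAC show up as two interleaved counters with large jumps between them. The log format, the ACL contents and the 64-frame tolerance for frames the monitor may have missed are assumptions of this example, and the heuristic is one a careful attacker who tracks the victim's counter can evade.

```python
"""Added example, not from the original checklist: MAC ACL enforcement plus a
sequence-number spoofing heuristic run over a constructed frame log.  The log
format, ACL contents and FORWARD_WINDOW tolerance are assumptions of this
example."""
import re

SEQ_MOD = 4096         # 802.11 sequence numbers wrap at 2^12
FORWARD_WINDOW = 64    # allowed forward gap (missed frames) before a jump is suspicious

# Constructed monitor log: time, transmitter address, sequence number.
SAMPLE_LOG = """\
1.000 00:11:22:33:44:55 seq=1000
1.010 00:11:22:33:44:55 seq=1001
1.020 00:11:22:33:44:55 seq=1002
1.025 00:11:22:33:44:55 seq=17
1.030 00:11:22:33:44:55 seq=1003
1.035 00:11:22:33:44:55 seq=1003
1.038 00:11:22:33:44:55 seq=18
1.040 aa:bb:cc:dd:ee:ff seq=4094
1.045 de:ad:be:ef:00:01 seq=5
1.050 aa:bb:cc:dd:ee:ff seq=4095
1.060 aa:bb:cc:dd:ee:ff seq=0
1.070 aa:bb:cc:dd:ee:ff seq=1
"""

AUTHORIZED_MACS = {"00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"}  # constructed ACL

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+seq=(?P<seq>\d+)$")


def parse_log(text: str):
    """Yield (timestamp, mac, seq) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield float(m["ts"]), m["mac"].lower(), int(m["seq"]) % SEQ_MOD


def seq_gap(previous: int, current: int) -> int:
    """Forward distance modulo 4096: 4095 -> 0 is a gap of 1, and a backwards
    jump appears as a very large forward gap."""
    return (current - previous) % SEQ_MOD


def detect(frames, acl=AUTHORIZED_MACS):
    """Return (timestamp, mac, reason) alerts.  Unlisted addresses are ACL
    denials; listed addresses whose counter jumps by more than FORWARD_WINDOW
    are flagged as possible spoofing.  A gap of 0 is a retransmission and is
    normal, so it is not flagged."""
    alerts = []
    last_seq = {}
    for ts, mac, seq in frames:
        if mac not in acl:
            alerts.append((ts, mac, "denied: not in MAC ACL"))
            continue
        if mac in last_seq:
            gap = seq_gap(last_seq[mac], seq)
            if gap > FORWARD_WINDOW:
                alerts.append((ts, mac, f"possible spoofing: seq {last_seq[mac]} -> {seq}"))
        last_seq[mac] = seq
    return alerts


def run_sample():
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

In the sample, the station 00:11:22:33:44:55 is legitimately at sequence 1002 when a second radio using the same address appears at 17; each switch between the two counters produces an alert, while the wrap from 4095 to 0 on aa:bb:cc:dd:ee:ff and the retransmitted 1003 are correctly left alone.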
Rogue (unauthorized) access
points. Because an adversary doesn't require physical access to be
attached to a WLAN, it is easier to obtain access through unauthorized devices
attached to wireless networks than those that are wired. An otherwise secure
WLAN can be made insecure by the attachment of a rogue access point that is
beyond the security control of the network. |
Rogue (unauthorized) access points connected to the network
often lack standard security controls, can bypass otherwise good security
controls on a network, and can circumvent an enterprise's security, thus
resulting in unauthorized access to and/or control of the network. When an
employee or hacker connects a rogue access point to a network, the rogue AP
allows just about anyone with an 802.11-equipped device onto the corporate
network, very close to mission-critical resources. |
-
Conduct electronic reconnaissance (periodic wireless scans) for the presence of
rogue access points and compare what is found against the inventory of
authorized APs.
-
Deploy 802.1X port-based authentication on the wired network so that a device
plugged into a switch port, including a rogue AP, obtains no access until it
has authenticated. |
|
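The "electronic reconnaissance" countermeasure above is only useful if scan results are checked against what is supposed to be on the air. The following is an added example, not code from the original checklist: it triages a constructed scan against a constructed inventory of authorized APs, separating authorized APs, authorized APs whose advertised settings have drifted from the inventory (for instance one reset to "no encryption"), unknown APs advertising the organization's SSID, and other unknown APs split by signal strength. The scan format, the -60 dBm threshold and the short list of factory-default SSIDs are assumptions of this example. A radio scan alone cannot prove an unknown AP is attached to the wired network, so "suspect rogue" findings need wired-side follow-up.

```python
"""Added example, not from the original checklist: triage of a wireless scan
against an inventory of authorized APs.  Inventory, scan output, the signal
threshold and the default-SSID list are constructed assumptions."""
import re

# Constructed inventory: BSSID -> (SSID, channel, security setting)
AUTHORIZED_APS = {
    "00:1a:2b:00:00:01": ("CorpNet", 1, "WEP"),
    "00:1a:2b:00:00:02": ("CorpNet", 6, "WEP"),
    "00:1a:2b:00:00:03": ("CorpNet", 11, "WEP"),
}
CORPORATE_SSIDS = {ssid for ssid, _, _ in AUTHORIZED_APS.values()}
FACTORY_DEFAULT_SSIDS = {"linksys", "default", "tsunami"}  # SSIDs that have shipped as defaults
STRONG_SIGNAL_DBM = -60  # stronger than this usually means the AP is inside the facility

# Constructed scan output, one AP per line.
SAMPLE_SCAN = """\
bssid=00:1a:2b:00:00:01 ssid=CorpNet chan=1 sec=WEP rssi=-40
bssid=00:1a:2b:00:00:02 ssid=CorpNet chan=6 sec=WEP rssi=-55
bssid=00:1a:2b:00:00:03 ssid=CorpNet chan=11 sec=OPEN rssi=-60
bssid=02:22:33:44:55:66 ssid=CorpNet chan=6 sec=OPEN rssi=-35
bssid=00:0c:41:aa:bb:cc ssid=linksys chan=6 sec=OPEN rssi=-48
bssid=00:09:5b:11:22:33 ssid=NeighborCafe chan=11 sec=WEP rssi=-85
"""

SCAN_RE = re.compile(
    r"bssid=(?P<bssid>\S+)\s+ssid=(?P<ssid>\S+)\s+chan=(?P<chan>\d+)"
    r"\s+sec=(?P<sec>\S+)\s+rssi=(?P<rssi>-?\d+)")


def parse_scan(text: str):
    """Yield (bssid, ssid, channel, security, rssi) per well-formed line."""
    for line in text.splitlines():
        m = SCAN_RE.search(line)
        if m:
            yield m["bssid"].lower(), m["ssid"], int(m["chan"]), m["sec"], int(m["rssi"])


def classify(bssid, ssid, chan, sec, rssi, inventory=AUTHORIZED_APS):
    """Return (category, detail) for one scanned AP."""
    if bssid in inventory:
        exp_ssid, exp_chan, exp_sec = inventory[bssid]
        drift = [f"{name} {seen} (expected {exp})"
                 for name, seen, exp in (("ssid", ssid, exp_ssid),
                                         ("chan", chan, exp_chan),
                                         ("sec", sec, exp_sec))
                 if seen != exp]
        return ("authorized", "") if not drift else ("misconfigured", "; ".join(drift))
    if ssid in CORPORATE_SSIDS:
        return "impersonating", f"unknown BSSID advertising {ssid} ({sec}, {rssi} dBm)"
    notes = []
    if ssid.lower() in FACTORY_DEFAULT_SSIDS:
        notes.append("factory default SSID")
    if sec == "OPEN":
        notes.append("no encryption")
    if rssi > STRONG_SIGNAL_DBM:
        detail = f"strong signal {rssi} dBm"
        return "suspect rogue", detail + ("; " + ", ".join(notes) if notes else "")
    return "probable neighbor", f"weak signal {rssi} dBm"


def triage(scan_text=SAMPLE_SCAN, inventory=AUTHORIZED_APS):
    """Map each scanned BSSID to its (category, detail)."""
    return {ap[0]: classify(*ap, inventory=inventory) for ap in parse_scan(scan_text)}


if __name__ == "__main__":
    for bssid, (category, detail) in triage().items():
        print(f"{bssid}  {category:18} {detail}")
```

The "impersonating" category is the one to act on first: an unknown radio advertising the corporate SSID is either a rogue AP bridged into the network or a decoy set up to lure stations, and in both cases it sits beyond the network's security control exactly as the entry above describes.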
Filtering controls.
Care must be taken in setting up the filtering rules, enforcing them properly,
and testing their effectiveness. Poorly implemented protocol filters can result
in intermittent access, no access, and/or no security. |
Simple Network Management Protocol (SNMP), Internet Control
Message Protocol (ICMP), and other protocols can be exploited without the proper
filtering controls in place. Absence of proper filtering controls can result in
unauthorized access and/or control of the network.
SNMP has become the de facto standard for internetwork
management. Because it is a simple solution, requiring little code to implement,
vendors can easily build SNMP agents into their products. SNMP is extensible,
allowing vendors to easily add network management functions to their existing
products. SNMP also separates the management architecture from the architecture
of the hardware devices, which broadens the base of multivendor support.
ICMP is an extension to the Internet Protocol (IP) defined
by RFC 792. ICMP supports packets containing error, control, and informational
messages. The PING command, for example, uses ICMP to
test an Internet connection. |
Implement AP protocol filtering. Permit only the protocols the WLAN actually
needs and block the rest. Protocols to restrict include SNMP, to limit access to
device configuration, and ICMP, to prevent large or high-volume packets from
being used to mount DoS attacks. |
|
Security
patches/upgrades. All technology, either existing or newly deployed,
should have the latest security patches and upgrades installed in a timely
manner. The lack of patches and upgrades make the associated technology subject
to the same vulnerability that the patch or upgrade was intended to fix or
protect against. |
Vulnerabilities exist when security patches and upgrades are
not kept up to date. The more time their deployment is delayed, the longer the
exposure to risk. |
Ensure that the latest security patches and upgrades are
installed on all of the hardware and software components of the
WLAN. |
|
SNMP agents. SNMP
controls read/write privileges to APs. If an unauthorized user were to gain
access, they could write data to the AP, resulting in a data integrity
breach. |
Some wireless APs use SNMP agents, which allow network
management software tools to monitor the status of wireless APs and clients. The
default SNMP community string that SNMP agents commonly use is the word "public"
with assigned "read" or "read and write" privileges. Using this well-known
default string leaves devices vulnerable to attack. If an unauthorized user were
to gain access with read/write privileges, that user could write data to the AP,
resulting in a data integrity breach. |
Change the default SNMP community strings to unique, hard-to-guess values,
remove write access unless it is needed, and restrict SNMP to the management
network. If SNMP is not required on the network, the organization should
disable SNMP altogether. |
|
Dynamic Host Configuration
Protocol (DHCP) server. A DHCP server will not necessarily know which
wireless devices are authorized, so it will automatically assign any associating
laptop a valid IP address. A malicious user who manages to associate could
easily gain unauthorized access to the network through the use of a laptop with
a wireless NIC. |
Automatic network connections involve the use of a DHCP
server, which assigns IP addresses to devices as they associate with an AP
on its subnet. For example, a DHCP server is
used to manage a range of TCP/IP addresses for client laptops or workstations.
After the range of IP addresses is established, the DHCP server dynamically
assigns addresses to workstations as needed. The server assigns the device a
dynamic IP address as soon as the device has associated (and, where WEP is in
use, holds a compatible key); DHCP itself performs no authorization. The threat
is that a malicious user could easily gain unauthorized access to the network
through the use of a laptop with a wireless NIC. Because DHCP servers will not
necessarily know which wireless devices are authorized, the server will
automatically assign the laptop a valid IP address. |