Securing Your Enterprise WLAN
The great flexibility of WLAN also makes it prone to high security risks. We detail here various free tools that expose loopholes in your network and recommend measures to do away with such security risks.
Sandeep Koul
Tuesday, June 03, 2008
Wireless Local Area Network (WLAN) is fast becoming popular and is being implemented in various organizations. Its flexibility and portability enable users to access their files, network resources and the Internet. WLAN can be installed in places where a conventional LAN cannot be implemented. Ease of scalability is another reason for its popularity. On top of all these benefits, the increased bandwidth and data transmission rate (similar to Ethernet speed) is pushing the growth and popularity of WLAN.
The most commonly used WLANs are based on the IEEE 802.11 family of standards, with IEEE 802.11 being the first in the family, developed in 1997. IEEE 802.11b was the first widely used standard; it operates in the 2.4-2.48 GHz band and supports 11 Mbps. Today the most commonly used standards are IEEE 802.11b and 802.11g. The IEEE 802.11 standard permits devices to establish networks around fixed access points (APs) or as peer-to-peer networks. It defines two network topologies: the infrastructure network and the ad hoc network. The former extends the range of a wired LAN by giving mobile devices access to resources on the LAN, while the latter lets mobile devices communicate among themselves.
Security of 802.11 WLANs
The three basic security services defined by IEEE for WLAN are Authentication, Confidentiality and Integrity. Authentication is achieved in this standard in two ways: open system authentication and shared-key authentication. In open system authentication, the access point accepts the mobile device without verifying its identity; the mobile device or client is authenticated if it responds with a MAC address. This technique is highly vulnerable to attack from unauthorized clients. Shared-key authentication is a cryptographic technique based on a simple challenge-response scheme. In this technique, the access point generates a random challenge and sends it to the mobile device. The mobile device encrypts this challenge with the shared key and sends the response back. The access point then decrypts this response, compares it with the challenge it sent, and allows access only if both are the same.

Privacy is achieved by encrypting the actual data; for example, WEP (Wired Equivalent Privacy) uses the RC4 symmetric-key stream cipher to generate the pseudo-random key sequence that is combined with the data.
Finally, integrity is achieved with the help of a simple Cyclic Redundancy Check (CRC) approach: for example, a CRC-32 or frame check is computed on each data packet prior to transmission. On the receiver's end the CRC is recomputed and compared with the one sent with the message, and if they do not match the message is declared modified.
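As an added example (not code from the article or from any tool it covers), the following Python models the shared-key challenge-response exchange together with the WEP-style RC4 encryption and CRC-32 integrity check described above. The key, IV and challenge values are constructed here, and the little-endian byte order of the integrity check value is an assumption of this toy rather than a claim about the standard.

```python
import os
import zlib

# Added teaching example (not the article's code): a toy model of the 802.11
# shared-key authentication exchange and WEP frame protection the text describes.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling followed by PRGA; returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style body: IV || RC4(IV||key) XOR (plaintext || CRC-32 ICV)."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")   # integrity check value
    ks = rc4_keystream(iv + shared_key, len(plaintext) + 4)
    return iv + bytes(a ^ b for a, b in zip(plaintext + icv, ks))

def wep_decrypt(shared_key: bytes, frame: bytes):
    """Returns the plaintext, or None when the recomputed CRC-32 mismatches."""
    iv, body = frame[:3], frame[3:]
    ks = rc4_keystream(iv + shared_key, len(body))
    data = bytes(a ^ b for a, b in zip(body, ks))
    plaintext, icv = data[:-4], data[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        return None                        # receiver declares frame modified
    return plaintext

def shared_key_auth(ap_key: bytes, client_key: bytes, rng=os.urandom) -> bool:
    """Simulates the AP <-> client exchange; True when the AP grants access."""
    challenge = rng(128)                                 # AP: random challenge
    iv = rng(3)
    response = wep_encrypt(client_key, iv, challenge)    # client: encrypt it
    recovered = wep_decrypt(ap_key, response)            # AP: decrypt response
    return recovered == challenge                        # grant only on match

if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"                        # constructed 40-bit key
    print("same key granted:", shared_key_auth(key, key))
    print("wrong key granted:", shared_key_auth(key, b"\xaa" * 5))
```

A client holding a different key produces a response whose CRC-32 no longer verifies on the access point, so the toy denies access, and a single flipped bit in a frame is likewise caught by the recomputed check.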
Tools to identify vulnerability of WLAN
Here we will discuss various tools that show loopholes in WLAN security. We start with some commonly used software that detects wireless signals, then we try some software that can crack WEP (the commonly used protection). One of the best sources of these tools is BackTrack 2, which has many preconfigured tools to monitor wireless networks or crack WEP keys. This open source Linux live distribution is widely used for penetration testing.
Figure: Graphical representation of traffic in NetStumbler, with time and day on the x-axis and signal-to-noise ratio on the y-axis. The left side displays SSIDs and channels, with various filtering criteria at the bottom.
NetStumbler
NetStumbler is a free tool for Windows that can detect wireless networks (WLANs) working with the 802.11a, 802.11b and 802.11g standards. It can be easily downloaded from the URL mentioned, and installation is simple. The only issue one can face is the compatibility of this tool with your hardware, firmware version, driver version and operating system. There are some tried and tested configurations that one can refer to at www.stumbler.net/compat/. Note that NetStumbler works on Windows 2000, Windows XP or later.
The interface of NetStumbler is easy to understand, and by clicking on the scanning button one can detect all the WLANs in the vicinity. It also gives valuable information such as MAC address, SSID, channel and speed. This information can be utilized by a malicious user to carry out attacks on the WLAN, such as blocking the frequency with a jammer (as the channel is known) or sniffing packets to break the encryption.
Kismet
Kismet is a free tool that can be used as a WLAN detector, packet sniffer and intrusion detection system. Kismet can sniff 802.11a, 802.11b, 802.11n and 802.11g traffic with any card that supports raw monitoring. This tool can be downloaded from the URL mentioned, or one can run
# yum install kismet
on a Linux terminal to install it. To configure it, open 'kismet.config' in the '/etc/kismet' folder. Find the line 'source=none, none, addme' and change it to 'source=orinoco, eth1, root', where the first parameter defines the source type, the second the interface card and the third the name of the user. To use it, just type
# kismet
on the command terminal. One can also get BackTrack 2, a Linux operating system with Kismet preconfigured in it (we used this option). Once Kismet is running it can be further customized by pressing the 'H' key.
Figure: Kismet lists all the WLAN signals in the vicinity and also gives the size of data packets transferred, the IP range and the channel of transmission.
Figure: The interface of AirSnort shows the packets transferred and the BSSID. A specific channel can be selected with 'channel', and traffic of other WLANs can be scanned by selecting 'scan'.
With the help of this tool you can view all the APs of the networks around you, and therefore it can be used as an AP detector by a malicious user.