
Securing Your Enterprise WLAN

Hiren

Wireless Local Area Network (WLAN) technology is fast becoming popular and is being implemented in various organizations. Its flexibility and portability enable users to access their files, network resources and the Internet. A WLAN can be installed in places where a conventional LAN cannot be. Ease of scalability is another reason for its popularity. On top of all these benefits, the increased bandwidth and data transmission rate (similar to Ethernet speed) is pushing the growth and popularity of WLAN.


The most commonly used WLANs are based on the IEEE 802.11 family of standards, with IEEE 802.11 being the first in the family, developed in 1997. IEEE 802.11b was the first widely used standard; it operates in the 2.4-2.48 GHz band and supports 11 Mbps. Today the most commonly used standards are IEEE 802.11b and 802.11g. The IEEE 802.11 standard permits devices to establish networks around fixed access points (AP) or as peer-to-peer networks. It defines two network topologies: the infrastructure network and the ad hoc network. The former extends the range of a wired LAN by giving mobile devices access to resources on the LAN, while the latter is for communication among mobile devices.

Security of 802.11 WLANs

The three basic security services defined by IEEE for WLAN are authentication, confidentiality and integrity. Authentication is achieved in this standard in two ways: open system authentication and shared-key authentication. In open system authentication, the access point accepts the mobile device without verifying its identity; the mobile device or client is authenticated if it responds with a MAC address. This technique is highly vulnerable to attack from unauthorized clients. Shared-key authentication is a cryptographic technique based on a simple challenge-response scheme. The access point generates a random challenge and sends it to the mobile device. The mobile device encrypts this challenge with the shared key and sends the response back. The access point then decrypts this response, compares it with the challenge it sent, and allows access only if the two are the same.


Privacy is achieved by encrypting the actual data; for example, WEP (Wired Equivalent Privacy) uses the RC4 symmetric-key stream cipher algorithm to generate the encrypted data sequence.

Finally, integrity is achieved with the help of a simple Cyclic Redundancy Check (CRC) approach: for example, a CRC-32 or frame check is computed on each data packet prior to transmission. At the receiver's end the CRC is recomputed and compared with the value that arrived with the message; if they do not match, the message is declared modified.
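The shared-key challenge-response exchange and the CRC-32 integrity check described above, modelled with both the AP and client sides as an added example (this is not code from the original article). The RC4 implementation, the shared key and the frame contents are constructed for illustration.

```python
import os
import zlib
from typing import Optional, Tuple

def rc4(key: bytes, data: bytes) -> bytes:
    """Minimal RC4 (constructed for illustration) used for both encryption and decryption."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

SHARED_KEY = bytes.fromhex("0123456789abcdef0123456789")  # constructed 104-bit WEP key

def ap_challenge() -> bytes:
    """AP side: the random challenge text sent to the client (128 bytes in 802.11)."""
    return os.urandom(128)

def client_response(key: bytes, challenge: bytes) -> Tuple[bytes, bytes]:
    """Client side: encrypt the challenge under IV||key and return (iv, ciphertext)."""
    iv = os.urandom(3)
    return iv, rc4(iv + key, challenge)

def ap_verify(key: bytes, challenge: bytes, iv: bytes, response: bytes) -> bool:
    """AP side: decrypt the response and grant access only if it equals the challenge."""
    return rc4(iv + key, response) == challenge

def protect(key: bytes, payload: bytes) -> bytes:
    """Sender: append a CRC-32 ICV, encrypt payload||ICV and prepend the IV (WEP frame body)."""
    iv = os.urandom(3)
    icv = zlib.crc32(payload).to_bytes(4, "little")
    return iv + rc4(iv + key, payload + icv)

def receive(key: bytes, frame: bytes) -> Optional[bytes]:
    """Receiver: decrypt, recompute the CRC-32 and return None if the ICV does not match."""
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + key, body)
    payload, icv = plain[:-4], plain[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        return None  # message declared modified
    return payload
```

Note that CRC-32 is a linear checksum rather than a keyed message authentication code, so the ICV only catches accidental corruption; this is one of the WEP weaknesses that the cracking tools discussed later rely on.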


Tools to identify vulnerability of WLAN

Here we will discuss various tools that show loopholes in WLAN security. We start with some commonly used software that detects wireless signals, then we will try some software that can crack WEP (the commonly used protection). One of the greatest sources of these tools is backtrack2, which has many preconfigured tools to monitor wireless networks or crack WEP keys. This open source Linux live distribution is widely used for penetration testing.

[Figure: Graphical representation of traffic in NetStumbler, with time and day on the x-axis and signal-to-noise ratio on the y-axis. The left pane displays SSIDs and channels, with various filtering criteria at the bottom.]

NetStumbler

NetStumbler is a free tool for Windows that can detect wireless networks (WLANs) working with the 802.11a, 802.11b and 802.11g standards. It can be easily downloaded from the URL mentioned and installation is simple. The only issue one can face is the compatibility of this tool with your hardware, firmware version, driver version and operating system. There are some tried and tested configurations that one can refer to at www.stumbler.net/compat/. Note that NetStumbler works on Windows 2000, Windows XP or later.


The NetStumbler interface is easy to understand, and by clicking on the scanning button one can detect all the WLANs in the vicinity. It also gives valuable information like MAC address, SSID, channel, speed etc. This information can be utilized by a malicious user to carry out attacks on the WLAN, such as blocking the frequency using frequency jammers (as the channel is known) or sniffing packets to break the encryption.

Kismet

Kismet is a free tool that can be used as a WLAN detector, packet sniffer and intrusion detection system. Kismet can sniff 802.11a, 802.11b, 802.11n and 802.11g traffic with any card that supports raw monitoring. This tool can be downloaded from the URL mentioned, or one can run

# yum install kismet

on a Linux terminal to install it. To configure it, open 'kismet.config' in the '/etc/kismet' folder. Find the line 'source=none,none,addme' and change it to 'source=orinoco,eth1,root', where the first parameter defines the source type, the second the interface card and the third the name of the user. To use it just type

# kismet

on the command terminal. One can get backtrack2, a Linux operating system with Kismet preconfigured in it (we used this option). Once Kismet is running it can be further customized by pressing the 'H' key.

[Figure: Kismet lists all the WLAN signals in the vicinity and also gives the size of data packets transferred, the IP range and the channel of transmission.]

[Figure: The AirSnort interface shows packets that are transferred and the BSSID. A specific channel can be selected with 'channel'; traffic of other WLANs can be scanned by selecting 'scan'.]

With the help of this tool you can view all the APs of the networks around you, and therefore it can be used as an AP detector by a malicious user.

AirSnort

Now we will cover tools that can even crack encryption keys. These tools pose a greater threat to WLAN security, as with them one can easily learn the information one is sending on the network. AirSnort is a tool that can be used to recover the encryption key. It passively monitors wireless traffic and cracks the encryption key when sufficient packets have been collected. This tool can be downloaded from the web site mentioned. For testing purposes we again used backtrack2, which has AirSnort preconfigured in it. AirSnort is also available for Windows, and Linux users can install it using the following command:

# yum install airsnort



Once properly installed, one can configure the simple interface of AirSnort. Check the channel radio button to monitor packets from a specific channel. 'Network device' should be chosen depending on the hardware configuration, and 'Driver type' tells AirSnort how it can place the network card in monitoring mode. One more important setting on the interface is 'crack breadth'; this option should be maximized, as it defines the number of attempts this tool will make to crack weak packets. It takes AirSnort approximately 5-10 million packets to crack an encryption key. AirSnort exploits the weaknesses of WEP security in the 802.11 standards.

Wicrawl

Wicrawl is a simple Linux-based AP scanner with a plug-in based architecture that gives this tool great versatility, as plugins performing different tasks can be attached to it. Plugins can be easily implemented using scripts or an externally called program. Wicrawl can be downloaded from the URL mentioned. We used backtrack2 to test this tool; the interface is simple, with an SSID filter option on top that can be used to filter out SSIDs. A number of plugins are currently available, including 'aircrack-wep-cracking', a WEP cracking feature, 'check_speed', which checks the latency of the connection, and 'check_internet', which checks the Internet connection. Due to its plug-in based architecture, this tool poses a greater threat to WLAN security as its penetration power is ever increasing; for instance, it can perform WEP cracking with different approaches using different plugins. A plug-in (apwebcrack) has been developed for cracking the administrator password of an AP with the help of default passwords.

[Figure: The Wicrawl interface, with a plugin option in the tool bar that can be used for different activities. The SSID filter on top is for specific monitoring.]

[Figure: Wireshark's interface elaborately shows data packet movement from source to destination. It also tries to give details of the packets.]

Wireshark

Wireshark is a network packet analyzer. It captures packets and tries to display the packet data in detail. This tool was built for Ethernet packets, but wireless capture functionality is now integrated. Download this tool from the URL mentioned; once downloaded, installation is fairly simple. We tried this tool on Windows XP Professional and using it was easy. Once on the Wireshark interface, to start capturing packets one has to select an interface by clicking on the first button on the toolbar, which lists all the available interfaces. For wireless capture, select a wireless interface by clicking on the 'Start' button in front of it. This tool also acts as a network detector, as it lists all the networks available (click on 'Details'). Types of data packets captured by Wireshark include IP, TCP, UDP etc., and a filter is available to capture a particular type of data packet. Captured data packets pose a great threat to the integrity of information and expose information that can be critical.

Making your WLAN more secure

Now we will focus on how to make your WLAN more secure. The first major step that organizations using WLAN can take is to define a security policy covering access rights, the criticality of information to be sent over the WLAN and the security settings of WLAN equipment.

Proper configuration of the access point is critical for having a secure WLAN. Start by changing the default password of the AP to a stronger alphanumeric password known only to the administrator. Always use the strongest encryption setting available on the product (AP); i.e. if the available encryption settings are none, 64-bit shared key and 128-bit shared key, use the last one. One of the greatest security loopholes is the reset function of the AP, because using it one can easily negate all the security settings configured on the AP, as it restores the AP to its factory settings. Therefore, by controlling the reset function of the AP, the WLAN can be made more secure. Change the SSID and disable the SSID broadcast feature on the AP; also change the channel of the AP, i.e. channels 1, 6 and 11 can be used simultaneously on closely placed APs. By changing channels one also secures his/her WLAN from frequency jamming devices. One more step that can boost the security of a WLAN is using static IP addresses and, if possible, MAC ACLs (Access Control Lists), where communication is regulated according to the MAC address of clients.
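The access point checklist above, expressed as an audit over an AP's settings, as an added example that is not from the original article. The field names, the default-password and default-SSID lists and the two sample configurations (one as shipped, one hardened) are constructed for illustration; the neighbour check goes slightly beyond the text by treating any two 2.4 GHz channels fewer than five apart as overlapping, which is why 1, 6 and 11 are the non-overlapping set.

```python
from typing import Dict, List

# Constructed sample of vendor default admin passwords; a real audit uses the vendor's list
DEFAULT_PASSWORDS = {"", "admin", "password", "1234"}
DEFAULT_SSIDS = {"default", "linksys", "wireless"}
ENCRYPTION_RANK = {"none": 0, "64-bit shared key": 1, "128-bit shared key": 2}

def channels_overlap(a: int, b: int) -> bool:
    """2.4 GHz channels are 5 MHz apart but about 22 MHz wide, so they overlap unless 5 or more apart."""
    return abs(a - b) < 5

def audit_ap(ap: Dict, neighbours: List[Dict]) -> List[str]:
    """Return findings for one AP against the article's checklist; an empty list means it passes."""
    findings = []
    pw = ap["admin_password"]
    if pw.lower() in DEFAULT_PASSWORDS or len(pw) < 8 or pw.isalpha() or pw.isdigit():
        findings.append("admin password is a default or not a strong alphanumeric password")
    strongest = max(ap["supported_encryption"], key=ENCRYPTION_RANK.__getitem__)
    if ap["encryption"] != strongest:
        findings.append(f"encryption is {ap['encryption']!r}; strongest available is {strongest!r}")
    if ap["ssid"].lower() in DEFAULT_SSIDS:
        findings.append("SSID is still a default value")
    if ap["ssid_broadcast"]:
        findings.append("SSID broadcast is enabled")
    if ap["channel"] not in (1, 6, 11):
        findings.append(f"channel {ap['channel']} is not one of the non-overlapping channels 1, 6, 11")
    for n in neighbours:
        if channels_overlap(ap["channel"], n["channel"]):
            findings.append(f"channel {ap['channel']} overlaps {n['name']} on channel {n['channel']}")
    if not ap["mac_acl_enabled"]:
        findings.append("MAC ACL is not enabled")
    if ap["dhcp_enabled"]:
        findings.append("DHCP is enabled; static IP addresses are recommended")
    return findings

# Constructed sample configurations: one as shipped, one hardened per the checklist
WEAK_AP = {"name": "ap-lobby", "admin_password": "admin", "encryption": "64-bit shared key",
           "supported_encryption": ["none", "64-bit shared key", "128-bit shared key"],
           "ssid": "default", "ssid_broadcast": True, "channel": 3,
           "mac_acl_enabled": False, "dhcp_enabled": True}
HARDENED_AP = dict(WEAK_AP, admin_password="Wl4nAdm1n2007", encryption="128-bit shared key",
                   ssid="corp-ops-7", ssid_broadcast=False, channel=11,
                   mac_acl_enabled=True, dhcp_enabled=False)
NEIGHBOUR_AP = {"name": "ap-floor2", "channel": 6}

if __name__ == "__main__":
    for ap in (WEAK_AP, HARDENED_AP):
        print(ap["name"], audit_ap(ap, [NEIGHBOUR_AP]) or ["passes checklist"])
```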

Security measures implemented on a LAN can also be used in a WLAN, such as physical protection of APs and mobile clients, regular monitoring of the different networks available and implementation of firewalls. One can also implement an IDS (intrusion detection system) in the WLAN. An IDS for WLAN can be host based or network based.