CSO: The Resource for Security Executives
Sweep Time for Rogue Access Points
Left unguarded, wireless
networks will expose your company secrets to the outside. Luckily,
there are tools to root out unauthorized access points.
BY SIMSON GARFINKEL
By now, practically every CSO and IT manager on the planet is familiar
with both the benefits and the risks of 802.11 or Wi-Fi wireless
networking. I wrote about them here back in January 2003 (see "On the
Same Wavelength" at www.csoonline.com/printlinks). But the wireless
world has changed a lot during the past two years, and it's time for an
update.
Dropping a
wireless access point on your office LAN is an easy way to provide
mobile Internet access to people using laptops and handheld
computers—many of which now come with built-in Wi-Fi support. What's
more, a new generation of Wi-Fi telephones is about to hit the market.
Some of these will be cellular phones that automatically switch to
lower-cost voice over Internet protocol (VoIP) whenever they can pick
up a Wi-Fi signal; others will be Wi-Fi only phones that work like
standard cordless phones, except that they will work anywhere on your
organization's wireless LAN.
Unfortunately, an
unguarded access point can open up your network to people outside your
company's four walls. These access points can be dangerous because they
are invariably placed behind the corporate firewall. And most
organizations are pretty lax when it comes to matters of internal
security.
Organizations have struggled to deal with this double-edged wireless sword. Some require that the media access control
(MAC) address of every wireless card and device be registered; access
points are then configured so that only the registered machines can
have network access. (Recall that both wireless and wired Ethernet
systems use a 48-bit MAC address to identify the manufacturer and
serial number of every network card. These addresses are typically
written as 12 hexadecimal digits in six pairs separated by five colons,
such as 00:03:6d:14:f1:c7.)
An alternative
strategy is to divert all wireless users to a "captive portal"—that is,
a Web registration form that forces users to provide a user name and
password. Some of these systems will then go further and make users
consent to a "terms of service" agreement that promises, among other
things, that they won't use their newfound wireless access to hack the
network. Unfortunately, captive portals don't work too well with those
wireless phones and other Wi-Fi devices that don't have Web browsers.
This is something to keep in mind if you are considering installing a
"portal" system within the next year: Make sure that what you get today
can grow with tomorrow's unanticipated network needs.
Open Channels
Because they rely on radio waves, and because radio waves travel in
all directions, wireless networks are inherently open channels: Anybody
in the vicinity can eavesdrop on your signals without your knowledge.
Unless you take measures to protect the privacy of your communications,
transmitting something over a wireless network is a lot like putting a
file on your website.
The
standard way to secure wireless networks is to use the Wired
Equivalent Privacy (WEP) standard. Alas, the vulnerabilities in the WEP
protocol are well-known and fairly easy to exploit with the proper tools. As a result, today WEP provides security against casual but not determined attackers.
Replacing WEP is a growing number of new technologies that add encryption to a wireless network—including Wi-Fi Protected Access (WPA), the Extensible Authentication
Protocol (EAP), and 802.11i, among others. This is a fast-evolving
area; you'll find an excellent, highly technical summary of these
standards at www.drizzle.com/~aboba/IEEE.
Indeed, wireless
security standards are evolving so fast that most security-conscious
administrators I know have decided not to trust them. Instead, they
plan to use their traditional Virtual Private Network
(VPN) software to secure their wireless networks. Essentially, these
administrators assume that the wireless network is just another hostile
network out there on the Internet. They put the wireless access points
outside their firewalls and make their users tunnel in.
The beauty of the
VPN approach is that once those access points are safely off the
organization's internal LAN, they can be opened up to business
partners, traveling salesmen, spouses and just about anybody else who
wanders into your building with a wireless-equipped device. Visiting
executives get a lot less testy when their appointment is 25 minutes
late to the meeting if they can spend that time checking e-mail or
reading CNN.
A few
organizations have gone the other direction and banned wireless devices
entirely—or, at least, they've tried to. But banning wireless is hard
because the technology has gotten so dirt cheap. Forbid your employees
from using wireless and you might discover rogue access points showing
up in the ceilings or hidden underneath people's desks.
I had the great
pleasure of using one such rogue access point when I spoke at an Ivy
League university earlier this year. The school's network group had a
policy of "no unauthenticated devices" on the WLAN, so one of the
professors just set up a little access point and hid it behind a few
books in the office. The signal was weak but it covered a few couches,
a meeting area, and, of course, all of the professors' offices. The
antiwireless policy didn't keep visitors from having wireless access;
it just kept them from having exceptionally good wireless access.
Rogue access
points are certainly more of a concern in the business world than in
academia. But discovering a $29 access point underneath Jenny's desk
doesn't mean that Jenny put it there—perhaps it was Mike over in
accounting, whose desk is only 20 feet away from Jenny's. Jenny may not
notice any difference in that tangle of wires underneath her desk, and
even though he's 20 feet away, Mike still gets the access point
benefits because the 2.4GHz signal used by Wi-Fi easily penetrates
walls. So consider talking to everybody in wireless range when you find
these rogue access points to increase your chances of nailing the right
person.
One
way you can try to protect against rogue access points is to lock down
your switches so that only authorized MAC addresses can be used on your
wired network. Each wireless access point actually has two MAC
addresses—one for the wireless interface and a second for the wired. If
you register the MAC address for every desktop, print server and
laptop, you can lock out all of the devices that are not registered, or
so the theory goes. You can get almost the same level of security by
programming your Ethernet switch to memorize the MAC address of every
device connected to every port, and then automatically shut down that
port if a new MAC address appears, which would presumably have happened
when Mike unplugged Jenny's computer and plugged in his access point.
Of course, the
clever companies that manufacture this wireless gear have already
thought about this problem and have come up with a solution: MAC
address cloning. Because many cable modem companies already do authentication
based on the MAC address, most wireless access points allow you to set
the MAC address of their wired Ethernet ports to any address of your
choosing. After all, there's nothing wrong with using the same address
as somebody else, just as long as both machines aren't on the same
physical Ethernet at the same time.
Naturally, the
Ethernet address that Mike wants to use is the address for Jenny's
computer. He'll just unplug Jenny's computer, plug it into the wireless
access point, tell the device to "clone" Jenny's MAC address, and then
plug the access point into the wall. This "cloning" feature comes in
handy when you are setting up a home wireless network on a cable modem,
but it's also great for setting up rogue access points in the business
environment.
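The MAC-address format described earlier and the port-lockdown versus cloning problem described in the last two paragraphs can be seen in a few lines of code. The following is an added example written for this page, not code from the article or from any switch vendor: it parses colon-separated 48-bit MAC addresses, simulates a switch that memorizes the first MAC seen on each port and shuts the port when a different one appears, and shows that a device cloning the learned address passes that check. It then applies one signal a defender can still use, the same MAC appearing on two ports at once. All port names and events are constructed sample data.

```python
"""Added example (not from the CSO article): switch port security versus
MAC cloning, simulated over constructed link events."""
import re
from collections import defaultdict

# Six pairs of hex digits separated by five colons, e.g. 00:03:6d:14:f1:c7
MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.IGNORECASE)


def parse_mac(text):
    """Return a normalized lowercase MAC, or raise ValueError if malformed."""
    text = text.strip().lower()
    if not MAC_RE.match(text):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return text


def oui(mac):
    """The first three octets identify the manufacturer (the OUI)."""
    return parse_mac(mac)[:8]


class PortSecuritySwitch:
    """Learn the first MAC on each port; shut the port if another MAC shows up."""

    def __init__(self):
        self.learned = {}      # port -> sticky MAC
        self.shutdown = set()  # ports that have been disabled

    def frame_seen(self, port, mac):
        mac = parse_mac(mac)
        if port in self.shutdown:
            return "dropped (port shut down)"
        if port not in self.learned:
            self.learned[port] = mac
            return "learned"
        if self.learned[port] == mac:
            return "allowed"          # a cloned MAC lands here too
        self.shutdown.add(port)
        return "violation: port shut down"


def simulate(events):
    """Run (port, mac) events through a fresh switch; return the verdicts."""
    sw = PortSecuritySwitch()
    return [(port, mac, sw.frame_seen(port, mac)) for port, mac in events]


def duplicate_macs(events):
    """MACs seen on more than one port: one symptom of a cloned address."""
    ports_by_mac = defaultdict(set)
    for port, mac in events:
        ports_by_mac[parse_mac(mac)].add(port)
    return {m: sorted(p) for m, p in ports_by_mac.items() if len(p) > 1}


# Constructed sample events: (switch port, source MAC of a frame seen on it).
JENNY = "00:03:6d:14:f1:c7"  # the address-format example from the article
SAMPLE_EVENTS = [
    ("Gi0/1", JENNY),                 # Jenny's PC, learned
    ("Gi0/1", JENNY),                 # normal traffic
    ("Gi0/2", "00:0c:41:aa:bb:01"),   # constructed desktop MAC, learned
    ("Gi0/2", "00:0c:41:aa:bb:02"),   # AP plugged in without cloning: caught
    ("Gi0/1", JENNY),                 # same MAC, now sent by a cloned AP: not caught
    ("Gi0/3", JENNY),                 # Jenny's real PC moved to another jack
]

if __name__ == "__main__":
    for row in simulate(SAMPLE_EVENTS):
        print(row)
    print("MACs on multiple ports:", duplicate_macs(SAMPLE_EVENTS))
```

The duplicate check only fires if the original device is still (or again) on the wire somewhere; when the clone simply replaces it, as in the article's scenario, port security sees nothing, which is why the next paragraph turns to 802.1X.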
One way to defeat
cloning is to use 802.1X port-based network authentication. Support for
802.1X is built into Windows XP, but not into many older operating
systems or most print servers. So perhaps Mike will have to leave Jenny's
computer alone and instead unplug her networked workgroup laser printer.
The more common
way to fight rogue access points is to scan for them. You can do a
pretty good job just walking around the office with a copy of
NetStumbler, a free wireless auditing tool available from wireless
networking and security portal NetStumbler.com. Uber-hip network
managers run MiniStumbler on handhelds running the Pocket PC operating
system and a plug-in CF wireless card. For more serious monitoring,
though, some organizations are using commercial tools like Aruba
Wireless Network's RF Director. Meanwhile, a growing number of wireless
infrastructure providers are adding the ability to monitor for rogue
access points directly to their offerings.
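Walking around with a scanner produces a list of access points seen; the useful step is comparing that list against what you have authorized. The following is an added example written for this page, not NetStumbler's code or output: it reads a constructed CSV scan export (BSSID, SSID, channel, signal), checks each observation against a constructed inventory of sanctioned access points, and labels it authorized, rogue (unknown radio) or suspicious (an unknown radio advertising your SSID, or a known radio on an unexpected channel). The column names, inventory entries and scan rows are all assumptions made for the example.

```python
"""Added example (not from the CSO article): triage a wireless scan
against an inventory of authorized access points."""
import csv
import io

# Constructed inventory of sanctioned APs: bssid -> (ssid, channel)
AUTHORIZED = {
    "00:0b:86:c1:00:01": ("corp-wlan", 1),
    "00:0b:86:c1:00:02": ("corp-wlan", 6),
    "00:0b:86:c1:00:03": ("corp-wlan", 11),
}

# Constructed scan export; the column layout is an assumption for this example.
SCAN_CSV = """bssid,ssid,channel,signal_dbm
00:0b:86:c1:00:01,corp-wlan,1,-48
00:0b:86:c1:00:02,corp-wlan,6,-55
00:0c:41:12:34:56,linksys,6,-62
00:0c:41:ab:cd:ef,corp-wlan,11,-70
00:0b:86:c1:00:03,corp-wlan,3,-58
"""


def parse_scan(text):
    """Parse the CSV export into normalized observation dicts."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "bssid": r["bssid"].strip().lower(),
            "ssid": r["ssid"],
            "channel": int(r["channel"]),
            "signal_dbm": int(r["signal_dbm"]),
        })
    return rows


def classify(obs, authorized):
    """Return (verdict, reason) for one observed access point."""
    bssid, ssid, chan = obs["bssid"], obs["ssid"], obs["channel"]
    known = authorized.get(bssid)
    if known is None:
        our_ssids = {s for s, _ in authorized.values()}
        if ssid in our_ssids:
            # Someone else's radio is advertising our network name.
            return "suspicious", f"unknown BSSID advertising our SSID {ssid!r}"
        return "rogue", "BSSID not in inventory"
    exp_ssid, exp_chan = known
    if ssid != exp_ssid:
        return "suspicious", f"authorized BSSID with unexpected SSID {ssid!r}"
    if chan != exp_chan:
        return "suspicious", f"authorized BSSID on channel {chan}, expected {exp_chan}"
    return "authorized", "matches inventory"


def triage(scan_text, authorized=AUTHORIZED):
    """Classify every observation, strongest signal first (roughly: nearest)."""
    rows = parse_scan(scan_text)
    rows.sort(key=lambda r: r["signal_dbm"], reverse=True)
    return [(r["bssid"], r["ssid"], *classify(r, authorized)) for r in rows]


if __name__ == "__main__":
    for bssid, ssid, verdict, reason in triage(SCAN_CSV):
        print(f"{verdict:11} {bssid} {ssid:10} {reason}")
```

Sorting by signal strength puts the access points nearest the person holding the scanner at the top, which is what you want when the next step is physically locating the device.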
Once you've found
that access point, you might identify the perpetrator by unplugging the
device and seeing who comes around to fix it. Be aware, though, that
the perp might not actually be inside your organization—wireless LANs
are an ideal tool for economic espionage. Or perhaps he simply set it
up a year ago, and has since moved on to another job.
Remember, if you
don't provide wireless access to your employees, these days it's all
too easy for them to provide service for themselves. Danger.
Simson Garfinkel, CISSP, a Boston-area technology writer, can be reached at machineshop@cxo.com.
ILLUSTRATION BY ANASTASIA VASILAKIS
Most Recent Responses:
As the article mentions, the infrastructure vendors are providing better
security measures these days. However, while these measures are great
improvements, they are only available within your facilities. Even if
you provision blanket RF coverage throughout your enterprise with the
IDS capable APs or dedicated sensors, you have significant exposure. Is this better? Absolutely! Where's
the issue?
How do you monitor and protect those assets when they move outside your
facility?
Even if you have a "no wireless allowed" policy and you monitor in your
facilities are you certain your users are not using the technology
outside? Most wireless clients are mobile devices.
Many mobile devices are purchased to go outside your well designed and monitored coverage areas.
Many mobile devices are now migrating from optional WLAN capability to default WLAN capability. What
can be done?
We should see the same improvement in personal firewall technology to
enable WLAN specific IDS/IPS and centralized policy management. If we
don't see it, shouldn't we demand it from our vendors? Can
you imagine what the WLAN IDS/IPS data we would see? Detailed input
from your mobile nodes on the true security threats while inside or
outside your facilities. That's something we should see from our best
vendors.
Phil Livingston
Network Engineer
PBSG
Finding
and zapping rogue access points is indeed an important part of any
wireless security program. Dedicated WIDS systems like Air Defense and
Aruba backed up by handhelds for final DF'ing are a good approach in a
larger enterprise (driven by a well thought out wireless security
policy). IPS is starting to appear in the better IPS systems as well
(force people to disassociate from the rogue). In
my opinion the key to effective wireless security is robust mutual
authentication, covered by strong crypto. The one approach that I know
works well today is the layer two security approach offered by
companies like Air Fortress, Cranite and Funk. This technique masks
most of the layer two frame to cover up the "interesting" bits with
strong crypto. It also has the advantage of being media independent
thus disaggregating the security package from wireless and is therefore
useful over any media, not just wireless. It also means that you can
use most any decent 802.11 card and access point w/o worrying about
security issues. There are disadvantages, you must install and key a
client on the client PC and you need a decent back end authentication
infrastructure but you *can* keep the bad guys out of the soft
underbelly of your network. We have had excellent results deploying
this combination in some pretty critical networks. In
my opinion the next big wireless shootout will be between 802.11i and
the layer two folks. There are advantages on both sides, it will be
interesting to watch.
Jeff Tyler CISSP
Security Engineer
Signal Solutions Inc
The points made in the above article are excellent in relation to true
access points and are part of the standard processes that all network
administrators need to consider.
The one area that is missing is that many PCs/Notebooks these days come
with wireless facilities that can be used as access points, so really
all anyone has to do is activate this and they become an access point.
This also gets around MAC address controls and other such things that
are mentioned in the article. In some cases these cannot be locked out,
depending on the make of Notebook or PC.
This area is going to challenge us all for quite some time I believe
and is only going to get worse. Something to keep the network guys even
busier.
Brian Dearle
IT Operations Manager
Bunnings Pty Ltd