Dummies.com


Understanding Home Networking Security: Your Risks to Data on Your Wireless Network

Keeping data secure and safe from unauthorized access is the raison d'être for an entire security industry, and the risks increase in the wireless world. Default passwords, lack of security, and many other reasons leave numerous wireless implementations sorely lacking and vulnerable to attack.

Accidental associations

Accidental associations can occur with neighboring networks. The WLAN-friendly Windows XP operating system in particular makes it easy for your wireless users to automatically associate and connect to a neighboring wireless network without being aware of what is happening. Whether you're talking guilt or network connectivity by association, you need to be aware that you might connect to the wrong network without realizing it and therefore send confidential data across someone else's network. In fact, it's not hard to imagine someone installing an access point on purpose in the office next door to try to steal your trade secrets. The ultimate defense against this type of attack is to purchase defensive hardware such as that from AirDefense or other vendors.

Eavesdropping

It isn't difficult to eavesdrop on wireless connections, even if it may be illegal or at least unethical. In the wireless telephone industry, as with your wireless network, you basically use radio transceivers to accomplish your call. Your voice or data transmits through the air on radio waves. You receive the data from the person you are talking with the same way. Of course, as you already learned, radio waves are not directional. They disperse in all directions, and anyone with the proper radio receiver can listen in.

You can readily purchase scanners that listen in on analog wireless telephones. Digital communication has made it more difficult, but it is still possible, because the signals are still radio waves. It just takes more sophisticated gear to accomplish the task.

Eavesdropping on your wireless network is trivial, requiring only a strong antenna, along with the normal wireless networking tools you might have, such as NetStumbler and a packet sniffer. The better the antenna, the easier it is to eavesdrop on someone's network. How much information you get is then a combination of your skill and the degree to which the network is protected using encryption or turnkey vendor solutions.

You always need to be aware of what you are transmitting on your cell or wireless network. If you really don't want it known, then you shouldn't use these technologies without strong encryption. If you think about it, the accidental association mentioned previously is a form of inadvertent eavesdropping, isn't it?

Man-in-the-middle attacks

A man-in-the-middle attack is made possible by a rogue agent acting as an access point to the user and as a user to the access point, ending up in the middle of the two ends. All information is then routed through the rogue agent. Man-in-the-middle attacks work in wireless networks in part because 802.1x uses only one-way authentication. There is an implicit trust that the access point you are connecting to is the correct access point. When a man-in-the-middle attack occurs, that trust is abused to trick you into connecting. Your connection is then forwarded to the real access point you wanted to get to, completing your connection and allowing you to go about your business. Meanwhile, all your traffic is being captured and viewed.

Hijacking

Hijacking is similar to the man-in-the-middle attack. Unfortunately, hijacking is fairly easy to do, especially if users are connecting to a free wireless access point in a hotel or coffee shop.

While sitting in a coffee shop sipping a latte, connect a laptop to the wireless network. Instead of doing the normal activity of opening a browser on the Web, open up a scanning tool to see who else is connected. You might use a security tool called Nmap or one called Look@Lan to see what else is on the network.

After you find some computer addresses, probing them for open ports is easy, and, unless they are running firewall software or intrusion detection, they'll never know. After you locate open ports, it becomes a matter of time to see whether you can access the data on the machine, using open shares they may have left available or a myriad of hacking tools. Most workstations and laptops are poorly secured and therefore fairly vulnerable to attack. Using a free wireless network is one way to be hijacked. There are numerous tools for performing this sort of attack, including:

  • Superscan
  • SNScan
  • Look@Lan
  • Nessus
  • Netcat

Using network security best practices

The following list gives a brief overview of measures to take to protect your network:

  • Install a properly configured firewall between the wired infrastructure and the wireless network.
  • Use bridges, switches and gateways to segment the network.
  • Use Layer 2 switches in lieu of hubs for AP connectivity.
  • Do not connect wireless access points to hubs.
  • Disable DHCP.
  • Ensure that management traffic destined for APs is on a dedicated wired subnet.
  • Configure SNMP settings on APs for least privilege (that is, read only).
  • Disable SNMP if it is not used. SNMPv1 and SNMPv2 are not recommended. Use SNMPv3 and/or SSL/TLS for Web-based management of APs.
  • Use a local serial port interface for AP configuration to minimize the exposure of sensitive management information.
  • Deploy intrusion detection agents on the wireless part of the network to detect suspicious behavior or unauthorized access and activity.
  • Use static IP addressing on the network.
  • Perform comprehensive security assessments at regular and random intervals (including validating that rogue APs do not exist in the 802.11 WLAN) to fully understand the wireless network security posture.
  • Turn off communication ports during periods of inactivity when possible.
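
The rogue-AP validation named in the list above, together with the accidental-association and man-in-the-middle risks described earlier, can be checked by comparing a wireless survey against an inventory of authorized access points. The following is an added example, not part of the original article; the SSIDs, BSSIDs, scan rows and the audit_scan function are all constructed for illustration.

```python
# Added example: audit a Wi-Fi survey against an inventory of authorized APs.
# Every SSID, BSSID and scan row below is constructed sample data.

# Inventory of authorized access points: BSSID -> (SSID, channel, security)
AUTHORIZED = {
    "00:11:22:33:44:01": ("CorpNet", 1, "WPA2"),
    "00:11:22:33:44:02": ("CorpNet", 6, "WPA2"),
}

# Constructed survey rows, shaped like an export from a site-survey tool.
SCAN = [
    {"ssid": "CorpNet", "bssid": "00:11:22:33:44:01", "channel": 1, "security": "WPA2"},
    {"ssid": "CorpNet", "bssid": "00:11:22:33:44:02", "channel": 11, "security": "WPA2"},
    {"ssid": "CorpNet", "bssid": "66:77:88:99:AA:BB", "channel": 6, "security": "OPEN"},
    {"ssid": "linksys", "bssid": "CC:DD:EE:00:11:22", "channel": 6, "security": "OPEN"},
]

def audit_scan(scan, authorized):
    """Return a sorted list of (bssid, finding) tuples for suspicious beacons."""
    inventory = {b.lower(): v for b, v in authorized.items()}
    managed_ssids = {ssid for ssid, _, _ in inventory.values()}
    findings = []
    for row in scan:
        bssid = row["bssid"].lower()
        known = inventory.get(bssid)
        if known is None:
            if row["ssid"] in managed_ssids:
                # Unknown radio using our network name: clients may join it.
                findings.append((bssid, "rogue AP advertising managed SSID"))
            elif row["security"] == "OPEN":
                findings.append((bssid, "open neighbor network (accidental association risk)"))
            continue
        ssid, channel, security = known
        # A BSSID match alone is not proof of identity, so also compare
        # the advertised settings with what the inventory says we deployed.
        if row["ssid"] != ssid or row["security"] != security:
            findings.append((bssid, "authorized BSSID with changed SSID or security"))
        elif row["channel"] != channel:
            findings.append((bssid, "authorized BSSID on unexpected channel"))
    return sorted(findings)

if __name__ == "__main__":
    for bssid, finding in audit_scan(SCAN, AUTHORIZED):
        print(f"{bssid}  {finding}")
```

Running the audit at regular and random intervals, as the list recommends, turns the inventory into a baseline: any finding is either an undocumented change to your own equipment or a device that should not be there.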