Wednesday, October 7, 2009

Wireless Security

Wireless technology based on the various IEEE 802.11 standards is becoming ubiquitous in the home and workplace. While most offices will have I.T. staff who understand the security implications of implementing a wireless network, there are still many businesses that have poorly configured equipment, resulting in a vulnerable system.

If there are businesses still in the dark when it comes to wireless networking, what about the average home user? Almost all wireless access points purchased by consumers will work "out-of-the-box", providing an easy way to extend the range of your home network. However, it is highly unlikely that the configuration used will include any network authentication or encryption, allowing anybody to connect and use the network's resources (Internet, file-shares, printers, etc.). If the unauthorised user is of the Black Hat persuasion, they may attempt to compromise any system they find on the network - a home P.C. would provide a wealth of information about the owners of the network.

In order to protect a wireless network, it is necessary to understand the configuration options available.


Change Default SSID

The Service Set Identifier (SSID) of a wireless network is the network name - on most access points, the default is simply the make and/or model of the device. It is prudent to change this to something unique that doesn't make it possible to identify the owner of the wireless network.

Disable SSID Broadcast

It is possible to disable the broadcast of your SSID - however, due to the nature of wireless networks, it is still possible to extract this information from the packets of data being exchanged between machines on the network through the air. Therefore, this is not a security option and can be disregarded when configuring a router.
In fact, it has been shown that configuring a wireless network to not broadcast its SSID can actually have an impact on its performance - read this PDF.

MAC Filtering

All network adapters have a quasi-unique address encoded into the hardware that takes the form xx:xx:xx:xx:xx:xx, with each "xx" a hexadecimal value between 00 and FF - this is the card's MAC address. It is possible to configure most wireless access points with a list of MAC addresses, and either permit or deny access to network cards with corresponding addresses. However, as it is possible to change the MAC address of a network card using a machine's operating system, this would not take long for a determined hacker to bypass.

WEP - Wired Equivalent Privacy / Wireless Encryption Protocol

Despite the name, WEP does not offer the same level of privacy as a wired network - in fact, it's far from it. Essentially, WEP encrypts traffic on a wireless network using either a 40 bit or 104 bit key. Client machines can also be forced to authenticate to the network using the key (Shared Key authentication); however, it is more secure to have no network authentication (Open authentication), and rely on the encrypted traffic to secure access to the LAN's resources. This may seem counter-intuitive, but it is very easy to derive the network key by capturing the entire authentication "handshake" that occurs between the access point and client machine.
WEP has been proven to be extremely easy to crack; in fact, this author was able to crack a network that he had "protected" using WEP with a 40 bit key in approximately 10 minutes. Where possible, WEP should be avoided in favour of stronger forms of authentication and encryption.
To find out more about WEP, follow this link.

WPA2 - Wi-Fi Protected Access

WPA was created after the flaws in WEP were uncovered - it implements most of the IEEE 802.11i standard - and it was originally intended as a temporary solution while the standard was still in its draft stages. A second version, WPA2, implements the entire standard, but does not work with some older network cards. Networks that implement either of these benefit from much stronger client authentication and data encryption than those that rely on WEP. To authenticate to the network, WPA/WPA2 provide a myriad of Extensible Authentication Protocol (EAP) options, which allow authentication to be handed off to a dedicated machine, so that each user of the network can use a different set of credentials. However, this is not practical for the home, or for small businesses, so another method of authentication is available - the Pre-Shared Key (PSK). This just requires that an arbitrary, pre-determined key be input to each station on the network, which is then used to authenticate when joining the wireless LAN. When using this mode of authentication, it is important that the key used is composed of at least 20 characters and consists of lower and upper case characters, numbers and symbols (e.g. !,=,+) - otherwise, the key is vulnerable to discovery by brute-force attacks.
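As an added example (not code from the original post), the following Python checks a candidate passphrase against the policy just described, estimates how much work an attacker who knows the character classes used would face, and derives the actual 256-bit PSK the way WPA/WPA2 do: PBKDF2-HMAC-SHA1 over the passphrase, 4096 iterations, salted with the SSID. That salt is also why the earlier advice to change the default SSID matters: a factory SSID lets precomputed tables for that name be reused against many networks. The passphrases and SSIDs below are constructed sample values.

```python
import hashlib
import math
import string

# Character classes the post asks a WPA-PSK passphrase to draw from
CLASSES = {
    "lower-case letter": string.ascii_lowercase,
    "upper-case letter": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
MIN_LENGTH = 20   # the post's recommended minimum
MAX_LENGTH = 63   # 802.11i limit for an ASCII passphrase


def check_passphrase(passphrase: str) -> list:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(passphrase) > MAX_LENGTH:
        problems.append(f"longer than the {MAX_LENGTH}-character WPA limit")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in passphrase):
            problems.append(f"no {name}")
    return problems


def keyspace_bits(passphrase: str) -> float:
    """Bits of search space for an attacker who knows the length and classes used."""
    alphabet = sum(len(chars) for chars in CLASSES.values()
                   if any(c in chars for c in passphrase))
    return len(passphrase) * math.log2(alphabet) if alphabet else 0.0


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2 PSK: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).
    Because the SSID is the salt, two networks with the same default SSID and
    the same passphrase share a PSK, and a precomputed table works on both."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


if __name__ == "__main__":
    # Constructed sample values, not a real network.
    for candidate in ("password", "Correct-Horse-Battery-9"):
        print(candidate, check_passphrase(candidate), f"{keyspace_bits(candidate):.1f} bits")
    strong = "Correct-Horse-Battery-9"
    print(derive_psk(strong, "linksys").hex())
    print(derive_psk(strong, "linksys") != derive_psk(strong, "fr0g-hollow"))
```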



It is possible to implement any combination of these methods to protect your wireless network, apart from WEP and WPA, which are mutually exclusive. However, as mentioned previously, MAC filtering and disabling the SSID broadcast are extremely easy to bypass, and should only be used in tandem with WEP or WPA, if used at all. An optimal configuration for a consumer would be to simply change your SSID from its default value and implement some form of WPA-PSK; ideally WPA2-PSK, as long as all your hardware supports it.

If you possess both the knowledge and resources, it is highly recommended you opt for the WPA2-Enterprise solution using the EAP-TLS method of authentication. This is the most secure of all the EAP methods, using SSL certificates to authenticate not only the client machines to the network but also the server to the client, preventing man-in-the-middle style attacks where a malicious user sets up a rogue AP. This method requires the most configuration, as a certificate authority must be used to issue certificates for all the devices that wish to use the wireless network.
The other EAP methods are slightly easier to configure, however, it's important to note that if you intend to use MSCHAP as the inner authentication method, you will need Active Directory as your directory server. This is because the passwords supplied by an MSCHAP client are an NTLM hash, which can only be interpreted by Microsoft's directory service.

Wireless security is an important subject, however, it's not one that's well understood by most end-users. Hopefully this article will have helped explain the options available to people. Feel free to contact the author if there are any questions you may have regarding the subject.