The BBC recently had an article on wireless networks, and how many companies which deploy them fail to enable basic security features. While open WiFi networks are convenient for travelers and other laptop users who want free Internet access on the road, basic precautions should be taken by most companies or individuals deploying WiFi equipment.
“An average 33% of the wireless networks found by RSA and NetSurity researchers in London, Frankfurt, New York and San Francisco had not used basic security systems.”
WiFi, due to the low-cost and relative ease of installation for the latest equipment, has an annual growth rate of 66%, according to a survey by NetSurity and RSA Security. Another reason for the high growth rate is the convenience of WiFi for laptop users. Most new laptops come with WiFi capabilities built-in. It is often easier and less expensive for a company to deploy several WiFi access points to allow their workers with laptops Internet access, than it is to wire the various workspaces with enough additional network dataports.
Most companies fail to realize that their installation of WiFi has essentially exposed a part of their network to the public, even people who are physically a good distance away from their building. A few years ago, a colleague of mine and I went WarDriving through the Washington, DC metro area. Using an 18dB gain parabolic grid antenna, we were able to sample networks from as far away as a half-mile.
As a general rule, especially in an enterprise, the WiFi network should be a separate network from the wired network, with full firewall security separating the two. Networks are only as secure as the weakest point in their security. Having a DMZ is often too much work or too expensive for basic home users. A DMZ setup is highly recommended for SOHO users. If you’re running your business on it, you should be able to afford the security.
WiFi networks have three basic features which can be enabled to provide some security.
The first is the Service Set Identifier or SSID. This is essentially the name of the WiFi network.
Change the SSID from the default to something which is not easily guessed. In many cases, the default SSID will tell an attacker what brand or kind of equipment you are using. Linksys, a division of Cisco, uses “Linksys” as their default SSID. Knowing what equipment is being used makes attacking it much easier.
Don’t set the SSID to your name, the name of your company or the address of the company. The first reason is simple—if an attacker knows who you are—it is easier for them to get information about you. The other reason is also for security—physical security—if your network is discovered by a wardriver, and it identifies your physical location—it also tells them there is a house, apartment or business with some expensive computer equipment there. While I haven’t heard of any thieves using wardriving to identify possible targets, it has probably happened.
Turn off the SSID broadcast. It is far easier to attack a network which is shouting out its name than it is to attack one which you’re not even sure is there. Some companies believe that changing the SSID and turning off the SSID broadcast is enough. I tend to disagree. This would be security through obscurity—generally a bad idea. edit: Some people believe that it is better to leave the SSID broadcast enabled, so as to provide more convenience for users. I disagree: the fewer the people who know about a network, the lower the chances of being attacked. There is no sense in attracting unwanted attention to yourself.
A caveat about turning off SSID broadcasts. Windows XP-based computers seem to have an issue with WiFi networks which have the SSID broadcast turned off. It seems the Windows XP driver will occasionally disassociate itself from the connected WiFi network. This seems to be more problematic in setups where there are multiple WiFi networks to choose from, and the preferred WiFi network is not broadcasting the SSID, but other nearby networks are doing so. This does not seem to affect Windows 2000-based machines. edit: Apparently, this has been fixed in Windows XP SP2, but as I don’t generally run Windows XP, I haven’t verified this.
The second layer of defense is encryption. Currently, there are two forms of encryption available for WiFi networks: Wired Equivalent Privacy (WEP) and WiFi Protected Access (WPA). A third standard, WiFi Protected Access v. 2 (WPA2), should be available now that the 802.11i standard has been approved (June 2004).
WEP was the original security standard, and it was found to have a serious weakness based on the re-use of Initialization Vectors (IVs). It also uses a static key, either 40 bits or 104 bits in length. It has been succeeded by WPA for the most part.
Update: Chopper, a newly revised attack algorithm for WEP-encrypted networks, has brought the time required to break WEP encryption down by an order of magnitude. You can read more about Chopper here.
WPA was the response of the WiFi industry to the weaknesses in WEP. WPA supports 802.1x authentication—through RADIUS servers—and can base authentication on a hardware security token or through a directory, such as Windows Active Directory. It also uses the Temporal Key Integrity Protocol (TKIP) for encryption—resulting in encryption using a time-limited, evolving key. This reduces the possibilities of the brute force decryption allowed under WEP.
WPA2 is the successor to WPA, and is essentially a superset of WPA. It supports AES encryption, in addition to the TKIP encryption. I have not yet used or seen equipment which was WPA2-capable.
There are still some security weaknesses with the association handshake of the WPA protocol, but it is considered more secure than WEP. The security weaknesses appear to only affect WPA installations which do not use a RADIUS server. Unfortunately, this is the majority of WiFi installations. Wireless networks will always be less secure than wired networks. Use a WPA pre-shared key that is complex—that contains upper case and lower case alpha, numeric and punctuation characters. Do not use one that is based on the company or family name, street address or any other public information.
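Two of the points above, the default SSID and the pre-shared key, are linked in WPA-PSK: the 256-bit key is derived from the passphrase with PBKDF2-HMAC-SHA1 using the SSID as the salt (4096 iterations), so a default SSID lets an attacker precompute keys for common passphrases. The following is an added example, not code from the original post; the list of "public information" terms is constructed for illustration.

```python
import hashlib
import string

# Constructed sample of information an attacker could look up about the owner.
PUBLIC_TERMS = ("Acme Widgets", "Smith", "123 Main Street", "Linksys")


def passphrase_problems(passphrase, public_terms=PUBLIC_TERMS):
    """Return the policy violations for a WPA pre-shared key passphrase.

    Policy from the post: upper and lower case, numeric and punctuation
    characters, and nothing based on a company or family name, street
    address or other public information.  WPA-PSK passphrases must also be
    8 to 63 printable ASCII characters (802.11i).
    """
    problems = []
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
        problems.append("must be 8-63 printable ASCII characters")
    checks = [
        ("upper case", any(c.isupper() for c in passphrase)),
        ("lower case", any(c.islower() for c in passphrase)),
        ("numeric", any(c.isdigit() for c in passphrase)),
        ("punctuation", any(c in string.punctuation for c in passphrase)),
    ]
    problems.extend("missing %s character" % name for name, ok in checks if not ok)
    lowered = passphrase.lower()
    for term in public_terms:
        # Check each word of the term, so "Smith2004!" is caught as well as "Smith".
        for word in term.lower().split():
            if len(word) >= 4 and word in lowered:
                problems.append("based on public information: %r" % term)
                break
    return problems


def derive_psk(passphrase, ssid):
    """Derive the 32-byte WPA/WPA2 pre-shared key (PMK) as 802.11i specifies.

    The SSID is the salt: the same passphrase gives a different key on every
    network name, which is why an unchanged default SSID weakens the key.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


if __name__ == "__main__":
    for candidate in ("acmewidgets", "Smith2004!", "7r!pW1re-Kett1e"):
        print(candidate, passphrase_problems(candidate) or "ok")
    # 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
    print(derive_psk("password", "IEEE").hex())
```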
MAC Address Filtering
The last common defense is the use of Media Access Control (MAC) address filtering. A MAC access control list can restrict access to the WiFi network to a set of WiFi cards you have authorized for access. While MAC addresses can be spoofed, a good MAC access control list provides one more hurdle for the hacker to jump. Computers connecting over a WiFi ethernet bridge may need their MAC addresses added to the WiFi MAC access control list to enable them to function properly. This depends on the specific router and firmware.
Remember that no security measures you can take can stop a determined, professional hacker. The main purpose of enabling these security measures is to:
- Prevent amateur hackers from gaining access to your network
- Prevent downstream liability from damage caused by hackers using your network to launch attacks on other networks.
- Prevent bandwidth abuses by unauthorized users
- Help with legal prosecution of hackers attacking your network
Some courts have decided that if computer administrators take no protective measures, they cannot prosecute for damages caused by otherwise unauthorized use of the computer equipment. Although these decisions were based on attacks on computer systems, they probably extend to cover computer networks—after all, a router is just a specialized computer.
Part of the problem is that the frequencies used by WiFi equipment are public-spectrum and unlicensed. If the network is set up without any security precautions, some courts may decide the “hacker” has the right to use the network, as it is using public spectrum. Some courts may decide—unless some precautions are taken to prevent intrusion into what is otherwise a public space—that no trespass can be deemed to have taken place—after all, how is someone supposed to know that this set of public airwaves isn’t for public use, unless they are told?
Another reason to want to secure your WiFi network is secondary liability. If an unauthorized user launches an attack on another computer or network from your WiFi network, you are the one that the attack will be tracked back to. If you cannot show that you have taken at least the basic security precautions, then you may be held liable for any damages caused by the attacker. With terrorism and identity theft on the rise, why should we make it easier for the criminals to gain anonymous Internet access if it can be easily prevented?
Other basic security measures to take:
Change the default router password. Do not use your SSID as the router password. In many cases, the default password for a given router is easily obtained from the manufacturer’s website.
Turn off remote router configuration. This is off by default on most new routers, but it should be confirmed. If remote configuration of the router is required, I would recommend you get one that has hardware VPN capability, and that you configure the router through a VPN connection to a machine running VNC or other remote control software. Do not pass the VNC or remote control ports through the router, as that will defeat most of the firewall’s effectiveness.
Turn off the WAN ping response. This makes detection of the router more difficult from the internet.
Change the SNMP community strings. Not all routers support SNMP configuration.
Turn off or limit the number of DHCP addresses served by the router. If the attacker can’t get an address, he has to guess the IP subnet address structure before he can attack the network.
Change the LAN network address from the default settings. This makes it harder for an attacker to guess the network’s IP subnet.
More advanced security measures:
There are other measures you can take to make WiFi access more secure.
Tailor the antenna and access point placement to reduce the WiFi signal footprint and distance. Yes, this is contrary to what many SOHO users want to do, which is maximize coverage with minimal equipment, but the farther away a signal can be seen, the easier it is to be hacked without you realizing it. This is one reason the shorter-ranged, higher-cost 802.11a equipment is still used in enterprise settings.
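As an added worked calculation (not from the original post) of why footprint matters, take the free-space (Friis) relation between received power and distance, with $P_t$ the transmit power, $G_t$ and $G_r$ the antenna gains as linear ratios, $\lambda$ the wavelength and $d$ the distance:

$$P_r = P_t\, G_t\, G_r \left(\frac{\lambda}{4\pi d}\right)^2$$

For a fixed minimum power $P_r$ at which a card can still decode the network, the distance at which it can be seen is

$$d_{\max} = \frac{\lambda}{4\pi}\sqrt{\frac{P_t\, G_t\, G_r}{P_r}} \;\propto\; \sqrt{G_r}.$$

The 18 dB gain grid antenna mentioned above is $G_r = 10^{18/10} \approx 63$, so $\sqrt{63} \approx 7.9$: an attacker's antenna stretches the detection range to roughly eight times that of a unity-gain antenna, which is how a half-mile becomes possible. The same scaling works in your favour when you shrink the footprint: cutting $P_t$ by 6 dB (a factor of 4) halves $d_{\max}$ for every receiver, including the attacker's.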
Turn the equipment off when it isn’t being used.
Set up a VPN and require the WiFi users to log into the VPN for WiFi access. This will generally require more equipment and have higher initial costs than simpler WiFi setups. It will greatly increase security, if properly configured. This will generally require a RADIUS server or VPN concentrator.
Use a wired router between the WiFi router and any hard-wired equipment. This is an effective, low-cost method to reduce the chance of your hard-wired network machines being hacked in the case of someone breaking into your WiFi setup. This is mandatory if you want to run a low-security or open WiFi network.
All of the machines, whether Mac, Linux or Windows-based, should be running a personal software firewall and anti-virus software.
A couple of other observations:
Hardware DMZ networks are more secure than DMZ port forwarding setups.
Some of the newer SOHO routers have fail-over and/or load-balancing capabilities. This may be important if your Internet connectivity is critical to your business.
Check with the manufacturer’s website for updates to your router firmware. Versiontracker.com has listings for many of the more popular router firmware updates. You can search by manufacturer.