Networks carry all sorts of confidential data, so security is a highly important part of any wireless network structure. Security ensures that the same level of data integrity and confidentiality as a wired network are maintained. Without properly implemented security measures, any wireless network adapter coming within range of another network adapter or access point can join the network. The amount of non secure wireless access points is alarming – a recent study showed how over 90% of Access Points have little or no security enabled. I once did a little research of my own and found that 3 out of 5 of the public access points I checked had either no security at all or WEP - which allowed me to crack the key within 15 minutes using freely available tools on the Internet.
So why is there such a high lack of security? Well, I would say it’s probably down to laziness and lack of knowledge; people are not aware of these things. Especially in small companies and at home, people tend to have the “so long as it’s up and running” attitude which means that if after using the wireless setup wizard they are able to browse the internet or access files remotely from a wireless device then all is well… BIG mistake! To overlook wireless security is like leaving the front door to your house permanently open. Without any - or little - security that’s essentially what you’re doing; allowing anyone in range to sniff your network packets, read your e-mails, use your internet for free, and even gain access to your files.
With the introduction of push-button security for home user products, we can expect to see an increase in the implementation of wireless security among wireless router users. The main aim behind push-button security is to provide a simplified and enhanced method of setting up and building a home network. With so many people – particularly home users – failing to notice the importance of security as part of their wireless network building, push-button becomes a means of enabling some form of security with a click of the mouse or touch of a button. While one may begin to question the strength of such security, another will remind you that something is better than nothing at all!
If you’re reading this and still use WEP, check for a driver and/or firmware update for your hardware and, if possible, change to WPA security now! Also, keep in mind for the next time you purchase new hardware, make sure the product supports WPA TKIP at the very least.
Wireless Security Threats
What are the threats that we face today with regards to wireless networks? An informative list has been compiled by the National Institute of Standards and Technology as part of their documentation on Wireless Security. Hereunder is an extract from that document.
To date, the list below includes some of the more salient threats and vulnerabilities of wireless systems:
- All the vulnerabilities that exist in a conventional wired network apply to wireless technologies.
- Malicious entities may gain unauthorized access to an agency’s computer or voice (IP telephony) network through wireless connections, potentially bypassing any firewall protections.
- Sensitive information that is not encrypted (or that is encrypted with poor cryptographic techniques) and that is transmitted between two wireless devices may be intercepted and disclosed.
- Denial of service (DoS) attacks may be directed at wireless connections or devices.
- Malicious entities may steal the identity of legitimate users and masquerade them on internal or external corporate networks.
- Sensitive data may be corrupted during improper synchronization.
- Malicious entities may be able to violate the privacy of legitimate users and be able to track their physical movements.
- Malicious entities may deploy unauthorized equipment (e.g., client devices and access points) to surreptitiously gain access to sensitive information.
- Handheld devices are easily stolen and can reveal sensitive information.
- Data may be extracted without detection from improperly configured devices.
- Viruses or other malicious code may corrupt data on a wireless device and be subsequently introduced to a wired network connection.
- Malicious entities may, through wireless connections, connect to other agencies for the purposes of launching attacks and concealing their activity.
- Interlopers, from inside or out, may be able to gain connectivity to network management controls and thereby disable or disrupt operations.
- Malicious entities may use a third party, un-trusted wireless network services to gain access to an agency’s network resources.
- Internal attacks may be possible via ad hoc transmissions.
As with wired networks, agency officials need to be aware of liability issues for the loss of sensitive information or for any attacks launched from a compromised network.
~ Source: NIST, United States of America
As you can see, there are vulnerabilities on all levels, some of which wouldn’t normally come to mind, so we must be prepared for the worst and not take anything for granted. One prime example would be, with reference to the above point about how handheld devices are easy stolen - we can take the simple preventative measures to combat such a threat. Don’t carry round highly sensitive information on your portable device; only take what is absolutely necessary. Leave other data on the corporate or home network, or on a removable storage media. Also, if available, enable the auto lock feature (with a password) and add a PIN number to the device; so that when you switch it on, you will have to enter a Personal Identification Number before it starts up.
Wireless Security Considerations
The following are a few things you need to ask yourself when implementing security for your wireless network.
- Do I have some form of logging enabled? Logging is important as it will help you to trace who is trying to gain unauthorized access to your network. It will also act as evidence when prosecuting a suspected intruder in court.
- Do I allow guest access? If you do then be sure to separate your corporate network from the WLAN by placing the WLAN in your DMZ or outside the network and implement a firewall between them. Also, don’t forget to log and audit guest user activity so that you can see if any abuse is taking place.
- Where does my wireless signal end? Perform a site survey and find out exactly where the signal starts and ends; know your boundary.
- Do I know what’s on the network? Document everything and when a new access point is attached to the current network make sure you know about it. In larger companies, departments implement their own WLAN by adding an access point to the network and not informing the administration department, thus potentially opening up a hole in the network.
- Have I performed a Wireless LAN security audit? Make sure you scan your network to identify known vulnerabilities, and if any are found, take action as soon as possible!
- Are the wireless clients safe? Introduce, or amend a current security policy that will require mobile users to keep their laptops protected with antivirus and firewall software.
Tips for Securing your Wireless Network
There are a numbers of things you can keep in mind which will help to lessen the likeliness of a breach of security in your wireless network. I have compiled a list of tips that I think will be of use to anyone who has a wireless network.
- As should be the case with a wired network, only share what is needed. Don’t share entire partitions, share folders instead. Also, depending on the level of confidentiality, you should always password protect anything that is shared using an archive tool.
- If you’ve implemented the WEP authentication method, be sure to use the Shared Key method, every so often change your WEP keys and make them as difficult as possible.
- Be sure to secure your wireless access point with a strong password; don’t just leave the default one in place!
- Disable access point administration via wireless clients. This means that any changes to the access point configuration would have to be done from a machine attached to the wired network.
- On smaller networks, use MAC address filtering as an added means of security. Don’t rely on this feature alone but use it in conjunction with another security method.
- Change the default SSID to something that is understandable to you but not to outsiders. This will make it slightly more difficult for people to connect to your network. Be sure to change it to something that won’t give too much information away about your network.
- Disable SSID broadcasting. This feature is meant to make it easier for clients to connect to the network because the network name can be automatically discovered by the client operating system. This means anyone in range of your access point will automatically know your network exists.
- If you need wireless access in your building alone, try putting the access point in the centre of the building to decrease the chance of a wardriver* being in range of your signal.
- If you’re willing to see a dip in speed then using a VPN would be the more secure option for a wireless network. This is fairly quick and easy to setup and has great benefits, as opposed to other means of security.
* A wardriver is a person who roams around with his/her laptop to gather information about a wireless system.
That concludes my overview of wireless security article. We took a look at why security is so important for wireless networks, I gave you some general tips for securing a network and showed you the different threats that one may face. Despite what most people think, a wireless network can be secure. However, there is a dire need for better education and stronger security implementations.
If you are new to the wireless world then I hope you have learned how vital it is to implement security, whatever the network size. If you’ve worked with wireless before and/or have a wireless network setup then hopefully this article has reiterated the need for you to keep on your toes and up to date with wireless security.
For information about the various security methods available, please see my Introduction to Wireless Networking Part 3 - Security, General Tips and Tricks.