Installing, Troubleshooting, and Repairing Wireless Networks, Part 5


Extending and Maintaining Coverage

do anymore to help the coverage of our wireless networks any more than we can our cellular phone services—but sometimes we can, as this chapter has hopefully illustrated for you.

Be careful what you wish for. Increased coverage means increased exposure of your network to others, and others to your network. Once you get it out there, you want to ensure that only the intended users have access to your system and do not abuse it. While you expand your wireless network, be wary of not only the regulations of power limitation and tolerance of a shared resource, but also the access control and security risks that come with opening the gate on your once wired-only network to the general public.

CHAPTER 9
Wireless Network Security

Copyright 2003 by The McGraw-Hill Companies, Inc.

Any system connected to the Internet is vulnerable to myriad breaches of security. Any network, connected to the Internet or not, is vulnerable to human hacking or biological bugs; that is, the network users. Every wireless network is vulnerable not only to humans, but to other sources of wireless signals, but especially humans.

Vulnerabilities to wireless networks include denial of service by incidental or deliberate radio signal interference, denial of service by deliberate sabotage using known and new transmission control protocol/Internet protocol (TCP/IP) threats, and interception and theft of data by decoding wireless signals. These vulnerabilities can affect the host network (via the access point), interaccess point or bridged systems, and client systems.

A quick review of the material in Chapter 1 tells us that wireless network systems have little or no protection against unintentional radio signals, or those signals from devices in radio services that have priority over wireless networking signals.
Intentional interruption or jamming of any radio signal, with the intent to deny services to other users, is strictly prohibited by law, at least in the United States. Taking or abusing another’s data, or tampering with it, falls into an entirely different set of regulations—depending on how the information obtained is used or inserted into someone else’s network.

Wireless networks are especially vulnerable because it is nearly impossible to create physical barriers to contain the radiated signals—at least intentional barriers. It is odd that we should have a technology that is so difficult to deploy to where we want it to go amidst a variety of physical obstructions, yet we are unable to create desired obstructions to keep our desired signal in and unwanted signals out.

All of these aspects, and perhaps others not yet imagined or known, create a lot of attention to security issues—a topic that is as timely as it is timeless, as more and more of our daily business and personal lives become digitized, transmitted, stored, shared, and used for myriad purposes.

Information security is threatened threefold: denial or lack of information, theft of information, and corruption of information. Covering all three of these in a wired network is a full-time job. Covering them in a wireless network is not only a full-time job, but also an elusive one.

Threats

Physical security of your wireless network traffic is virtually impossible because wireless is an open-air technology, and the spectrum that 802.11a and 802.11b use requires a clear, nearly optical line-of-sight path between two points to be connected. Any physical barrier also creates a barrier to the desired signals, rendering the technology useless—which in itself makes physical barriers threats of their own.
You can physically secure most of your equipment much as you would any hub, router, or server, but any external antenna would probably be left exposed—to humans, animals, machinery, and the elements.

Theft of Service or Information

Theft of service is the unauthorized use of someone else’s network resources—typically hacking onto a neighbor’s local campus, café, or business wireless system to gain free Internet access. This is one of the most obvious reasons wireless system operators impose access control restrictions on their wireless networks.

In its simplest form, on an unsecured or loosely controlled network, determining or knowing the service set identifier (SSID) and having or deciphering the network’s wired equivalent privacy (WEP) key is enough to gain access. If the wireless network exists simply to provide Internet access, by firewall or router controls, or there is no significant network infrastructure behind the wireless system, Internet access is all you are giving up. If you have more network infrastructure behind the wireless system, it too is very much at risk.

Interception of your network traffic may be done to determine your system’s SSID or WEP key. Once through the basic access control, traffic can be sniffed to collect data that are passing across the network. This may sound a bit cloak-and-dagger, and it could be—if you have personal or business information that is worth something to someone else. Mere interception of data was all it took for some crooks to steal and then abuse credit card information obtained from a retail computer store’s cash register systems. If all a snoop gets is your credit card data, you may be lucky—if the snoop gets enough personal information, you are at risk of identity theft.

On a business network, all sorts of proprietary data go back and forth. Anything from e-mail to program source code to marketing plans or employee salary information may be available.
In such cases, it is not only advisable to implement a very tight access control and encryption plan for the wireless network, but you may want to go as far as setting a policy restricting what type of information people deal with when they are using a wireless connection.

Once someone has access to your network, he may be able to intervene in the traffic between clients and the network. Intervention, or man-in-the-middle intrusions, are possible by a bad guy sitting in between a client and the wireless system, setting up a spoofing operation to make the client think it is connected to the wireless LAN and the wireless LAN to think it has a valid client out there. The bad guy will pull out and store valid information and retransmit bogus information. It sounds like “Mission: Impossible” tactics here, but this is quite possible, given enough equipment and skill.

Denial of Service

Denial of service may be accidental or intentional—simply denying clients the ability to connect to a wireless LAN—through deliberate or incidental interference with wireless signals. An appliance as benign as a wireless LAN-unfriendly 2.4 GHz cordless telephone can be a nuisance or a weapon, depending on who is using it and for what reason.

Those wanting to use their own wireless LAN will undoubtedly shelve their cordless phone once they determine it keeps them from using their wireless setup. The little old lady across the street may have no clue or care that her cordless telephone is keeping you from enjoying wireless networking. Someone intent on denying you the use of your wireless system will find some way to use one of these phones to keep you off the Internet.

A cordless phone is not the only weapon capable of denying you wireless network services. A poorly shielded microwave oven, a legal amateur radio station, or government radio service can break your network in milliseconds.
To intentionally deny you service is certainly illegal and also requires that the bad guy knows you have a wireless LAN—by using a tool like NetStumbler to see that you have active wireless gear.

Someone could intentionally or coincidentally create his own wireless network, overpowering yours, which could also deny you services. Beware that you may also be denying someone, such as a legal amateur radio operator, legitimate use of his radio services by merely operating a wireless LAN, which presents significant apparent noise to amateur radio receivers.

Building and geographical obstructions may also deny you service. These are less likely to be used intentionally to deny you wireless services from a distant location, but are more coincidental or circumstantial. It would seem that only a handful of very rich people would be able to command the construction of a new building just to block your signals.

No matter the source, if intentional, denial of service could be done to hurt your business by forcing you off-the-air or making your customers patronize a different café—perhaps even one they would have to pay to gain Internet access through.

I realize I may have just spawned a few less than ethical ideas by mentioning such techniques, but if they have not become obvious by now, then you are really not equipped to deal with the situation if it arises.

Detection

Detecting threats or problems along the wireless path is a twofold process—differentiating between radio signal-related issues and data issues—and the likely impact on service that each may have.

The first level of threat is someone finding out you have a wireless network by passively or actively monitoring the airwaves for 802.11 activity. Programs such as Ethereal, which put a wireless interface into RFMON (receive-only) mode—or communications test equipment like a spectrum analyzer—are completely passive, and their use is undetectable.
Passive interception of the data along your wireless LAN traffic may go undetected. There is no practical way to determine if some of the radio energy you are transmitting has been lost to another person’s receiver, to a leaf on a tree, or to atmospheric conditions. You will not lose data packets, but someone else will have been able to watch and catch them as they pass by.

Discovering you have an active wireless network system does not constitute a theft of service, but it could be, if that service is the distribution of copyright or proprietary material with some associated intellectual or monetary value, and someone receives and records that information. This activity is most likely done to obtain information that could be used in other ways—credit card fraud, identity theft, private investigation, invasion of privacy, detecting illegal activity, etc.

Actively probing your network with NetStumbler or similar software is also not a theft of service or determined threat, but trying to gain entry onto your network through log-on attempts or remote access schemes is wrong. Both can be determined by using robust logging of all network activity at routers, access points, program, and server logging.

A paper titled Layer 2 Analysis of WLAN Discovery Applications for Intrusion Detection (http://home.jwu.edu/jwright/papers/l2-wlan-ids.pdf), written by Joshua Wright of Johnson & Wales University, provides specific evidence that wireless network detection and identification programs like NetStumbler leave specific, though elusive, evidence of their activity on the networks they identify because they actively probe and ask for information from nearby access points, and this probing is a recordable network activity.

The study outlined in Joshua’s paper can be readily implemented and could be quite useful. What you do with the information collected is left up to you—since you cannot readily identify who is running NetStumbler nor determine their intent.
With hundreds of people “war driving” and otherwise using wireless systems and programs like NetStumbler, the activity is elusive, if not plain harmless, for the most part. I would not like to see dozens of wireless network administrators combing the streets and shaking the bushes around the perimeters of their networks looking for someone who they think might want to take information from their network. At least here, the person is still innocent until damage is done and the person is proven guilty.

That someone can probe your network is a simple call to action to take steps to secure it, at least to the level of equal value of the potential loss you would incur if someone does penetrate your wireless service. This alone should be cause to monitor your network. Using appropriate intrusion detection methods, secure all systems first within, with a properly configured firewall; next with adequate access controls, login protections, and file sharing security; then virus protection at servers and workstations. They cannot get you if they cannot get to and adversely affect you.

Identifying Interference

Detecting an interfering signal and discriminating between a legitimate signal source and a possible jammer is nearly impossible without expensive radio test equipment (typically a spectrum analyzer) and a skilled operator using that equipment to zero in on signals within the same frequency range as your wireless equipment uses, and determine what type of signal is generating a problem for you.

You can use a tool like NetStumbler to determine if another wireless network is operating nearby. This software will tell you the SSID and channel(s) used, allowing you the opportunity to avoid the preexisting channels, but NetStumbler will not tell you specifically about other sources of interference.
If the interference is not another 802.11 network, you may only be able to determine a significant loss of your desired 802.11 signal when the interfering signal comes on the air.

A spectrum analyzer can show that there is another signal within the same radio spectrum. A skilled radio engineer using a spectrum analyzer may recognize and be able to identify the type of signal present and characterize what type of equipment it comes from. With that information, and use of a directional antenna, the location of the interfering signal source may also be determined. This may be a very expensive undertaking, unless you have a friend with the proper equipment and enough time to assess the situation.

Identifying Intervention

Intervention into your LAN traffic may be detectable by staging a known data reliability test between two points, or using packet analyzers to determine irregularities in traffic received at one end of your wireless path or the other.

Data transmission reliability is something marginally built into TCP/IP, ensuring delivery of data, but not its integrity. Transmitted data should always get to their destination, but the destination has no idea if the data received are what was actually transmitted.

Creating a robust error-checking routine between two points, to verify that the sent data was not tampered with, is part of what encryption and some data protocols are all about. In fact, wireless networking technology provides encryption, but the encryption scheme is weak and vulnerable to simple deciphering, leading to many forms of wireless network abuse.

Encryption without a cross-check between sender and receiver does not ensure data reliability. Someone “in the middle” knowing the encryption methods used can intercept good data and send bad data to the destination, almost without detection. The destination will not know it is getting bad data unless it has some idea about what is supposed to be sent, which in most cases is impossible.
Web sites and e-mail servers do not know or care if you type www.hotmail.com versus www.hotmale.com. Either may be perfectly legitimate pieces of data, but the recipient system has no idea what you meant to send. Thus, error-checking only works if you control both ends of the communication and know what data to expect between them. And networks, especially the Internet in general, do not work that way. That is left to specific applications.

Users and operators of corporate or closed network systems are better off than open or community network users because they have control over the user equipment, applications, and data at each end—giving them more control over the end-to-end environments.

Detecting intervention—someone picking up sent data, then corrupting or otherwise replacing what was intended with either garbage or misleading data—requires a detailed look at the data from both ends. Again, this could be implemented as a known data test—sending something that the receiver knows to check against. This may work as a reliable detection if all of the data sent are interrupted and changed before they are received.

Smart hackers probably are not going to intervene in every data packet sent. They will look at what is sent, determine if it is of interest and something they want to interfere with, and only then would the data received be different from what was transmitted.

In either case, the intervention process takes some time, even if done programmatically, rather than manually. Thus, a latency or delay-in-transit test may be used as a detection method. If, for instance, data packets normally take less than a typical 1 to 10 milliseconds to be packaged, sent, detected, and unpackaged, and you suddenly find that the data path takes longer than that, perhaps 20
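
The known-data test and the delay-in-transit test described in this section can be combined in a single probe, as in the following added example (it is not code from the book). The shared key, the baseline timings, and the three simulated paths are constructed for illustration, and the limit of mean plus three standard deviations is an assumed threshold.

```python
import hashlib
import hmac
import statistics

# Assumption: both endpoints share this key out of band (constructed value).
KEY = b"constructed-demo-key"
# Constructed transit times in ms, measured while the path was known good.
BASELINE_MS = [2.1, 3.4, 1.8, 5.0, 4.2, 2.9, 7.5, 3.3]


def build_probe(seq: int, key: bytes = KEY) -> bytes:
    """Known data: the payload is derived from (key, seq), so the receiver
    can recompute exactly what should arrive for each sequence number."""
    header = seq.to_bytes(4, "big")
    return header + hmac.new(key, b"probe" + header, hashlib.sha256).digest()


def latency_limit(baseline_ms, k: float = 3.0) -> float:
    """Upper bound for normal transit time: mean + k standard deviations."""
    return statistics.mean(baseline_ms) + k * statistics.stdev(baseline_ms)


def check_probe(seq: int, received: bytes, transit_ms: float,
                baseline_ms=BASELINE_MS, key: bytes = KEY) -> list:
    """Return the findings for one probe (an empty list means clean)."""
    findings = []
    # Cross-check: constant-time comparison against the expected known data.
    if not hmac.compare_digest(received, build_probe(seq, key)):
        findings.append("tampered")
    # Delay-in-transit check against the known-good baseline.
    if transit_ms > latency_limit(baseline_ms):
        findings.append("delayed")
    return findings


# Constructed paths: each takes a frame and returns (frame_as_received, ms).
def clean_path(frame: bytes):
    return frame, 4.0


def tampering_path(frame: bytes):
    altered = bytearray(frame)
    altered[10] ^= 0x01            # a single flipped bit in the payload
    return bytes(altered), 4.5


def relaying_path(frame: bytes):
    return frame, 24.0             # data intact, but relaying adds delay


def run_probe(seq: int, path) -> list:
    received, transit_ms = path(build_probe(seq))
    return check_probe(seq, received, transit_ms)


if __name__ == "__main__":
    for path in (clean_path, tampering_path, relaying_path):
        print(path.__name__, run_probe(1, path) or "ok")
```

The relaying path passes the data check and is caught only by the timing check, which is why the two tests are run together.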