I've been getting quite a few queries regarding security on 802.11 wireless links. Below I will attempt to cover as many of these as possible.

RF is quite easy to intercept. Even on a point-to-point link you still get a bit of signal leakage from the antennas, and you will pick up the signal if you stand somewhere in between the two points. So, let's say I want to do something nasty on your wireless link. Here's what I'd have to do.

1) Find the link. This isn't too hard: a simple tool like NetStumbler or Kismet will do this for you relatively easily.

2) Take a look at the data that is going over the link. Again, this is pretty simple. Kismet will do packet dumps of all traffic. From these you'll be able to see plain-text passwords, such as those used on FTP servers and Telnet.

3) Become part of the link. A little trickier, as you'll have to be able to transmit to the AP as well as receive from it. Move around until you get a decent signal (really easy if you're standing right near it) and join the network.

4) Start using the link for your own purposes. Once you've achieved 3, 4 is pretty simple. All you'll need to do is figure out the correct network settings (IP, subnet, gateway) and you'll be able to start using the network as if it was your own. If the network has an internet connection, you could use that too!

So how do we prevent this from happening? I'll go through each of the 4 steps and give suggestions on how to make it harder for a person to achieve them.

1) You can't really hide your radio waves. In 802.11 we have an ESSID, which is how you identify your access point. In order to connect to an access point, you need to know the ESSID. You can hide ("cloak") the ESSID of your access point. Although this doesn't make it impossible to figure out, it does make it a bit inconvenient.

2) Here we have two ways to do it. The first is to encrypt the actual wireless link. But the encryption methods that most access points provide are quite flawed. WEP was supposed to be the solution, but not too long after it was introduced, it was cracked. It doesn't take very much traffic sniffing before even the 104-bit keys used in WEP-128 can be discovered (the IV is only 24 bits, and is passed in the clear in every packet). WPA was an improvement on WEP, but basically the only difference between them is the way the keys change: WEP keys don't change until the admin visits the access point and all clients to change them, whereas WPA changes the key on the clients and the access point at a preset interval. The best you can hope for is that the person trying to break in either gives up or finds someone else's (unencrypted) network to break into. But if they're determined, they can do it without too much work.

The second method is to encrypt everything that goes over the link: use secure protocols such as SSH instead of Telnet, SFTP or SCP instead of FTP, TLS-enabled SMTP, etc., or set up some sort of encrypted VPN or IPsec over the link.

3) Becoming part of an infrastructure network is pretty simple once you've got the ESSID and your signal is good enough to associate. You can stop this from happening in a few ways. Make sure you're not blasting out signal to areas where it's not needed; use the correct type of antenna for the job. Most access points can do MAC address filtering, so that only wireless devices with certain MAC addresses can connect. This is probably the easiest way, but again not 100% secure, as there are ways to change the MAC address of a network card. 802.1x is the most secure way, using certificates (more on this to come), but it is not supported by all vendors.

4) Consider treating your wireless network as you would the Internet. Firewall it heavily, and do proper authentication on all your services. Hopefully your wireless network won't be the first target, because it's too much work for the crackers!
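The remark under 2) that WEP's IV is only 24 bits and travels in the clear is easy to quantify. The Python below is an added example (not part of the original JAWUG page) that works out how quickly a 24-bit IV space runs into trouble: the birthday bound on a random IV repeating, and the wall-clock time for a sequential IV counter to wrap. It assumes uniformly random IV selection for the probability part and a constructed rate of 500 frames per second for the counter part; neither figure comes from the page. It only quantifies the IV-space problem the page mentions, not any particular key-recovery technique.

```python
import math
import random

IV_BITS = 24                 # WEP IV length named on the page
IV_SPACE = 1 << IV_BITS      # 16,777,216 possible IVs


def collision_probability(packets, space=IV_SPACE):
    """Birthday-bound approximation of P(at least one IV reused) after
    `packets` frames, assuming each frame picks its IV uniformly at random
    (an assumption; some cards use a counter instead, see seconds_to_exhaust)."""
    return 1.0 - math.exp(-(packets * (packets - 1)) / (2.0 * space))


def packets_for_probability(p, space=IV_SPACE):
    """Smallest frame count at which the birthday bound reaches probability p."""
    return math.ceil(math.sqrt(-2.0 * space * math.log(1.0 - p)))


def seconds_to_exhaust(packets_per_second, space=IV_SPACE):
    """For a card that increments the IV sequentially: seconds until every IV
    has been used once and the counter wraps, i.e. keystream reuse is certain."""
    return space / packets_per_second


def first_repeat(seed=2005, space=IV_SPACE):
    """Simulate random IV selection and return the frame number on which the
    first IV repeat occurs. Deterministic for a given seed."""
    rng = random.Random(seed)
    seen = set()
    frame = 0
    while True:
        frame += 1
        iv = rng.randrange(space)
        if iv in seen:
            return frame
        seen.add(iv)


if __name__ == "__main__":
    n50 = packets_for_probability(0.5)
    print(f"50% chance of an IV repeat after {n50} frames "
          f"(p = {collision_probability(n50):.3f})")
    print(f"first repeat in one simulated run: frame {first_repeat()}")
    # 500 frames/s is a constructed figure for a busy link, not one from the page
    hours = seconds_to_exhaust(500) / 3600
    print(f"a sequential IV counter wraps after {hours:.1f} hours at 500 frames/s")
```

A few thousand frames are enough for a coin-flip chance of a repeated IV, and a counter-based card cycles through the whole space in well under a day on a busy link. Either way the same RC4 keystream ends up protecting two different frames, which is why the page's advice to encrypt at a higher layer (SSH, SFTP, TLS, a VPN or IPsec) rather than trusting the link encryption still stands.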
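The page's second method under 2), and the observation under step 2 of the attack that FTP and Telnet passwords show up in a packet dump, both point to the same defensive task: find out which hosts on the link still speak cleartext protocols so they can be moved to SSH, SFTP/SCP or TLS-enabled SMTP. The Python below is an added example, not code from the JAWUG page, that runs that inventory over constructed flow records (source host, destination host, destination port, first payload line) standing in for decoded capture output. Hosts, ports and payloads are made up; the port-to-service table is limited to the protocols the page names. It records that an FTP password crossed in the clear without keeping the password, and treats an SMTP session that issued STARTTLS as already upgraded.

```python
# Cleartext services named on the page and the replacement the page recommends.
CLEARTEXT_SERVICES = {
    21: ("FTP", "SFTP or SCP"),
    23: ("Telnet", "SSH"),
    25: ("SMTP", "TLS-enabled SMTP"),
}

# Constructed sample records; not real captured traffic.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.1", 23, "login: "),
    ("10.0.0.5", "10.0.0.9", 21, "USER alice"),
    ("10.0.0.5", "10.0.0.9", 21, "PASS hunter2"),
    ("10.0.0.7", "10.0.0.9", 22, "SSH-2.0-OpenSSH"),
    ("10.0.0.7", "10.0.0.12", 25, "EHLO laptop"),
    ("10.0.0.7", "10.0.0.13", 25, "EHLO laptop"),
    ("10.0.0.7", "10.0.0.13", 25, "STARTTLS"),
    ("10.0.0.7", "10.0.0.12", 443, ""),
]


def audit_flows(flows):
    """Group flows by (server, port) for the cleartext services above and
    note which clients use them, whether a password was seen, and whether
    an SMTP session upgraded to TLS. Returns a dict keyed by (server, port)."""
    findings = {}
    for src, dst, port, payload in flows:
        if port not in CLEARTEXT_SERVICES:
            continue                       # SSH, HTTPS etc. are not a concern
        service, replacement = CLEARTEXT_SERVICES[port]
        finding = findings.setdefault((dst, port), {
            "service": service,
            "replace_with": replacement,
            "clients": set(),
            "credential_in_clear": False,
            "tls_upgrade_seen": False,
        })
        finding["clients"].add(src)
        verb = payload.upper()
        # FTP sends 'PASS <secret>'; record the exposure, never the secret.
        if port == 21 and verb.startswith("PASS "):
            finding["credential_in_clear"] = True
        # SMTP on port 25 is cleartext unless the session issued STARTTLS.
        if port == 25 and verb.startswith("STARTTLS"):
            finding["tls_upgrade_seen"] = True
    return findings


def report(findings):
    """One line per server that still needs migrating, sorted for stable output."""
    lines = []
    for (dst, port), f in sorted(findings.items()):
        if f["tls_upgrade_seen"]:
            continue
        cred = " (password observed in clear)" if f["credential_in_clear"] else ""
        lines.append(f"{dst}:{port} {f['service']}{cred} used by "
                     f"{len(f['clients'])} client(s); migrate to {f['replace_with']}")
    return lines


if __name__ == "__main__":
    for line in report(audit_flows(SAMPLE_FLOWS)):
        print(line)
```

Classification is by destination port only, so a service on a non-standard port or a Telnet session that happens to carry a password is not recognised as such; the point is the inventory of servers to migrate, which is the same list a firewall rule set for step 4 would need.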
Good luck

Last changed on Fri Apr 22 13:45:32 2005