technical document ref# IT006_wifi_s1.html
issue date: 17 feb 2003
by techtolink technical division

How To Build Secure Wireless LAN

Wireless LAN Security

Real-time network protection required for wireless networking

Wireless LANs have experienced tremendous growth since the introduction of the 802.11b wireless networking standard spurred network equipment vendors to develop a wide range of "Wi-Fi" solutions. Flexibility, ease of deployment and low component costs are the three major drivers of WLAN popularity. However, the same flexibility and mobility provided by wireless networking also introduce new security vulnerabilities in addition to those that threaten conventional LANs. For real-time communications like Wi-Fi, a comprehensive real-time network protection strategy is required to enable pervasive, widespread deployment.

WLAN security threats inhibit build-out

Because WLANs use publicly available radio spectrum as the medium to carry data, unauthorized access and eavesdropping are key concerns. Major security threats to WLANs include the following:

  • WLAN access points can be probed by anyone within reach of the network's radio signal, thus constituting physically unbounded entry points from which to launch intrusions, viruses and all other types of attacks that threaten landline networks.
  • WLAN access points are often deployed inside corporate networks behind conventional firewalls, making these access points even more attractive as points for launching attacks.
  • WLANs are extremely vulnerable to denial-of-service attacks and interruption. Any malicious hacker with a laptop and a wireless Network Interface Card can transmit interfering signals in close proximity to company sites where WLANs are deployed and effectively jam a Wi-Fi signal.
  • Internal employees can set up their WLAN interface cards to operate in peer-to-peer (P2P) mode to communicate directly with people outside of the company.

Naturally, the framers of the 802.11b wireless standards were aware of these vulnerabilities and designed a number of security features into the technology to address them. These include the following:

The use of Service Set Identifier (SSID): The SSID is a shared secret (typically an ASCII string) that has to be configured by network administrators into all access points and wireless terminals (e.g., PCs) that share a common WLAN. The weakness of the SSID is that it's a relatively simple password, common to all devices on the WLAN, and once the SSID is compromised, any device with the SSID can gain unrestricted access. Furthermore, the default setting of SSID is often not changed in WLAN deployments, and access points are typically configured to broadcast their SSID, further degrading security because intruders can get the SSID through easily obtainable tools.

Media Access Control (MAC) address filtering: Since every WLAN terminal's network card has a unique MAC address, it's possible to manually maintain a list of allowed MAC addresses for physical address filtering. With a MAC address list, the systems administrator needs to update the list constantly to accommodate changes, including when users get new or replacement WLAN interface cards. In addition, MAC address filtering merely verifies the identity of the WLAN interface card and not the identity of the PC into which it's inserted or the person using the PC. Finally, MAC authentication complicates support for roaming between different access points, and since MAC addresses can be spoofed, it isn't regarded as a strong authentication method.

Wired Equivalent Privacy (WEP): Using WEP, communications between mobile terminals and access points are scrambled at the data link layer using a symmetric encryption technique called RC4. This prevents eavesdropping and prevents unauthorized access by users that haven't been configured with the necessary encryption key. WEP offers both 40-bit and 128-bit encryption strengths; however, WEP suffers from a number of drawbacks. For example, as with the SSID, all users within a service area have the same encryption key; if one user's encryption key is compromised, the entire network is jeopardized. Moreover, unless the highest strength (128-bit) is used, WEP can be decrypted within a few hours, and many of the first WLAN access points and interface cards to ship don't support 128-bit encryption.

In addition to these Wi-Fi-specific security mechanisms, other techniques can be applied to WLANs to make them robust against attacks. One approach for enhancing the network-level security in wireless LANs is to use IPSec virtual private network (VPN) technology in conjunction with Wi-Fi security methods. VPN technology provides data privacy via strong encryption to prevent eavesdropping and also authenticates wireless terminals and their users using a variety of means, ranging from simple user names and passwords in Remote Authentication Dial-In User Service (RADIUS) directories to more sophisticated directory systems using digital certificates and public key infrastructure.

Another important area of concern for wireless LANs is protection against content-based attacks. Wireless LAN users who are browsing the Internet can be exposed to viruses and worms in Web (HTTP) downloads and applications that aren't scanned by conventional firewalls or e-mail-based antivirus software. To prevent these attacks, real-time antivirus scanning at the network gateway should be applied at all WLAN access points to prevent infection and the rapid spread of content-based attacks.

Security strategy for comprehensive WLAN protection

The analysis above has described the key security hazards inherent in WLANs, along with a number of means for addressing these vulnerabilities. Currently, there is no single blanket solution that addresses all problems. As with wireline networks, effective security requires the implementation of a multilayered "defense-in-depth" strategy that includes techniques to address each of the vulnerabilities, consistent with the budget and administrative resources available to each organization. A Wi-Fi top 10 security checklist summarizing these techniques is provided below:

  • Apply port access-control technology 802.1x to protect WLANs from unauthorized access.
  • Use 128-bit WEP encryption; change the default WEP encryption key that comes with the access point provided by the vendor.
  • Use gateway-protected IPSec VPNs for highly confidential WLAN communications.
  • Change the default vendor-set SSID for access points and for WLAN terminals; use MAC address binding at least for those terminals that don't need to roam across multiple access points.
  • Do not enable access points to broadcast their SSIDs.
  • Change the default access-point administration password.
  • Forbid employees from installing access points themselves. This can be accomplished by periodic scanning of access points through a notebook with a WLAN network card and WLAN scanning software.
  • Choose WLAN network cards that support password-protection of attribute changes to prevent the settings of the network cards from being illegally or accidentally changed by users.
  • Develop WLAN management policies; internal employees should not be allowed to leak WLAN configuration information to outsiders or to construct an ad hoc network topology with a P2P configuration.
  • Deploy real-time, content-level security measures (such as antivirus firewalls) in conjunction with each WLAN access point to eliminate harmful viruses and worms before they enter or exit the WLAN.
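
The periodic access-point scan recommended in the checklist is only useful if its results are compared against an inventory of sanctioned equipment. The sketch below is an added example, not part of the original document: it audits one survey export for unauthorized access points, ad hoc (P2P) cells, vendor default SSIDs and encryption weaker than 128-bit WEP. The CSV column layout, the inventory, the default-SSID list and all sample rows are constructed for illustration, and the example assumes the survey records the WEP key length.

```python
import csv
import io

# Constructed inventory of sanctioned access points: BSSID -> expected SSID.
AUTHORIZED = {
    "00:11:22:33:44:01": "corp-wlan",
    "00:11:22:33:44:02": "corp-wlan",
}
# Assumed sample of vendor default SSIDs; extend for the hardware in use.
DEFAULT_SSIDS = {"linksys", "tsunami", "default"}

# Constructed survey export (hypothetical column layout).
SAMPLE_SCAN = """bssid,ssid,mode,encryption
00:11:22:33:44:01,corp-wlan,infrastructure,WEP128
00:11:22:33:44:02,corp-wlan,infrastructure,WEP40
00:AA:BB:CC:DD:10,corp-wlan,infrastructure,none
00:AA:BB:CC:DD:11,linksys,infrastructure,none
02:AA:BB:CC:DD:12,laptop-share,adhoc,none
"""

def audit_scan(scan_csv, authorized=AUTHORIZED):
    """Return (bssid, finding) tuples for every checklist violation seen."""
    known = {b.lower(): s for b, s in authorized.items()}
    corporate_ssids = set(known.values())
    findings = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        bssid = row["bssid"].strip().lower()
        ssid = row["ssid"].strip()
        if row["mode"].strip().lower() == "adhoc":
            # Peer-to-peer cells bypass the access points entirely.
            findings.append((bssid, "ad hoc (P2P) network"))
            continue
        if bssid not in known:
            # Not in inventory: employee-installed or outside equipment.
            kind = ("unauthorized AP using a corporate SSID"
                    if ssid in corporate_ssids else "unauthorized AP")
            findings.append((bssid, kind))
        else:
            if ssid != known[bssid]:
                findings.append((bssid, "SSID differs from inventory"))
            if row["encryption"].strip().upper() != "WEP128":
                findings.append((bssid, "encryption below 128-bit WEP"))
        if ssid.lower() in DEFAULT_SSIDS:
            findings.append((bssid, "vendor default SSID"))
    return findings

if __name__ == "__main__":
    for bssid, finding in audit_scan(SAMPLE_SCAN):
        print(f"{bssid}  {finding}")
```

An unknown BSSID advertising the corporate SSID is reported separately from other unauthorized access points because wireless terminals configured for that SSID may associate with it.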