Air safety: wireless networking security

Enterasys Networks' RoamAbout R2 certified wireless access point decodes wireless and wired traffic and workings with 802.11a, b and g systems. It's priced at $799 including a mezzanine adapter. You also can get optional extras and a case.

Vernier Network's Access Manager provides access control and packet inspection with all 802.11 standards. It's $3,790, or $5,440 for a version with power over Ethernet support.

With new hardware and software tools, vendors aim to meet security needs in the risky business of wireless communications

Wireless is perhaps the most rapidly growing networking technology, and certainly the most widely hyped. But its rapid growth has brought some serious security concerns'sometimes, ubiquitous and easy access to data networks isn't exactly a good thing.

With even McDonald's now offering WiFi service in some of its restaurants, and many new notebook PCs offering wireless LAN cards as a built-in feature'courtesy of Intel Corp.'s Centrino campaign'there's no questioning the potential that wireless networking offers. But there's plenty of reason to be cautious about jumping into the water'or, in this case, the air.

While the IEEE 802.11b standard for wireless LANs, branded by the networking industry as WiFi, continues to grow, security problems related to it are legion. The initial security protocol used by WiFi, known as Wired Equivalent Privacy, relied on a simple 'shared secret' approach to block access to unauthorized users.

Unfortunately, WEP uses a flawed encryption system that has proved to be easily overcome by a determined infiltrator. For a detailed examination of this problem, look at the analysis from the University of California-Berkeley's Internet Security, Applications, Authentication and Cryptography research group at www.isaac.cs.berkeley.edu/isaac/wep-faq.html.

As if that weren't problem enough, even WEP's paper-thin level of security is not implemented in many cases. In their rush to provide wireless networking access, administrators and, in many cases, individual employees, often hook up wireless access points without even changing their default settings or enabling WEP security.

Poor security in wireless networks has begotten whole new hacker sports, called warwalking, wardriving and warchalking. Their names are derived from the old hacker practice of wardialing, or using an automated dialing program to go through whole banks of phone numbers to detect a modem that answers and allows unsecured access to a network.
[IMGCAP(2)]
But in this case, warwalkers and wardrivers simply wander around an area looking for an unsecured wireless network that they can connect to and either map it for future reference, use its bandwidth to check e-mail and Web surf, or perform some electronic snooping.

Warchalking is the practice of leaving symbols, much like those used by hobos during the Great Depression, telling wireless wanderers where and how they can grab hold of some free bandwidth.

While these are not widespread practices in the United States, they are an indication that a growing number of people are ready and willing to make use of wireless for their own gain at your expense. At best, they'll consume your network bandwidth; at worst, they'll prowl around your network in search of other internal vulnerabilities.

You might not have been trespassed upon yet over wireless, but there's the potential for unwanted attention from the Office of Management and Budget and elsewhere if you don't have your wireless flank secured.

The Federal Information Security Management Act of 2002 raised all information security issues to a new level of scrutiny across the federal government. And it's always better to find and dispose of unmanaged or misconfigured wireless access points yourself than to have an inspector general's team find them for you during an audit.

While many newer wireless products have fixed the WEP problem by substituting another encryption technology'such as Advanced Encryption Standard (AES) or Triple-Data Encryption Standard'managing wireless security is still a challenging task.

New tools

It demands a whole new set of tools, including wireless-network sniffers that can seek out misconfigured or unauthorized wireless-access points, and software and hardware tools for providing better integration of user authentication with wireless systems employed by hard-wired users.

Tracking down rogue access points calls for a new type of network sniffer. There are two approaches to hunting down wireless security holes'the portable security system'essentially a warwalker tool used to sweep facilities for wireless traffic'and systems based on portable or desktop computers.

The starting point for wireless security is a set of open-source and shareware tools for 'sniffing' wireless networks. Kismet, a Linux software package, and NetStumbler for Microsoft Windows are just two of the tools available that can be loaded onto your WiFi-equipped notebook; they're the favorite tools of the wardriving and warwalking crowd.

AirMagnet's AirMagnet Handheld is based on the Microsoft PocketPC operating system, and supports the use of a GPS receiver, so it can record geographic data about the location of access points to check against the inventory of authorized wireless-LAN hubs.

It detects misconfigured WiFi hubs, as well as unauthorized access attempts and wireless denial-of-service attacks. You can pick up on the interloper outside the office walls'or the misconfigured notebook inside them'trying to jam your network.

WildPackets' AiroPeek takes a different approach. It uses distributed radio-frequency sensors to track WiFi traffic, which is collected by a central PC. This lets the system administrator track multiple locations at the same time from one location, rather than wandering around looking for trouble spots.

In the wired world of networking, there are established federal standards that help keep government networks secure. Among these is the National Institute of Standards and Technology's Federal Information Processing Standard publication 140-2, 'Security Requirements for Cryptographic Modules.'

That same set of standards is now being applied to wireless networking systems; the Defense Department mandates FIPS-140-2 compliance for all of its wireless networks.

Over the past year, a number of vendors have certified their wireless-network access points and wireless cards as FIPS-140-2 Level 2 compliant.

Previously, the only certified FIPS-140-2 wireless-network devices were at Level 1, the least secure, and recommended only 'for some low-level security applications when other controls, such as physical security, network security, and administrative procedures are limited or nonexistent,' as the FIPS document reads.

But Level 2 certification, the next step up, is really the ground floor for most federal applications. The FIPS standard for Level 2 requires, 'at a minimum, role-based authentication in which a cryptographic module authenticates the authorization of an operator to assume a specific role and perform a corresponding set of services,' according to the FIPS publication.

That means integration with an authentication system like RADIUS or Kerberos, or with a public-key infrastructure such as that being implemented by DOD.

Evidence of tampering

The Level 2 rating also requires that the equipment have 'tamper-evident' coatings or seals, which would make it obvious that someone had broken into the hardware in an attempt to gain unauthorized access to its cryptographic keys. And it specifies that the software or firmware for the module run on a trusted operating system.

IBM Corp. had its IBM Everyplace Wireless Gateway for Multiplatform certified at Level 2 in May. The Everyplace gateway works with Wireless Access Protocol as well as General Packet Radio Service and other wireless networks.

Since then, other vendors, including ReefEdge Inc., have certified their systems for FIPS-140-2 Level 2. ReefEdge's Connect System is installed in a trial at the National Defense University in Washington.

ReefEdge's system is unique in that it uses a secure embedded version of Linux on its hardware. It provides for integration with DOD's smart-card-based PKI system for authentication, and uses triple-DES to encrypt network traffic.

'We've worked with DOD and integrated their identity management [the Common Access Card] into Connect System'both at the host and the client,' said Sylvio Jelovcich, ReefEdge's director of marketing. Because of the integration with DOD's PKI through the Common Access Card, ReefEdge's Connect System also can support subnet roaming'moving from one access point to another, across different subnets within Defense's network during the same network session, without the user having to re-authenticate.

Many new wireless systems support enhanced encryption, such as AES, as well as authentication systems. So, the number of systems certified as FIPS-140-2 compliant is bound to grow over the next year'especially as NIST standards for security under FISMA are solidified and compliance becomes a requirement for more federal networks.

Even if you don't have a requirement for FIPS-140-2 compliance yet, it's time to start pushing your network vendors to provide it.

Kevin Jonah, a Maryland network manager, writes about computer technology.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above