Wireless LAN Security

From Wikipedia, the free encyclopedia

One issue with wireless networks in general, and WLANs in particular, involves the need for security. Many early access points could not discern whether or not a particular user had authorization to access the network. Although this problem reflects issues that have long troubled many types of wired networks (it has been possible in the past for individuals to plug computers into randomly available Ethernet jacks and get access to a local network), this did not usually pose a significant problem, since many organizations had reasonably good physical security. However, the fact that radio signals bleed outside of buildings and across property lines makes physical security largely irrelevant to wardrivers.

Contents

[edit] Concerns

Anyone within the geographical network range of an open, unencrypted wireless network can sniff on all the traffic, gain unauthorized access to internal network resources as well as to the Internet, possibly sending spam or doing other illegal actions using the owner's IP address.

The lack of default security in wireless connections is quickly becoming an issue, especially in the UK, US and other places where many Broadband (ADSL) connections are offered together with a Wireless Basestation/ADSL Modem/firewall/Router access point. If router security is not activated, or if the owner deactivates it for convenience, it creates a free hotspot. Further, many laptop PCs now have Wireless Networking built in (cf. Intel 'Centrino' technology) thus eliminating the need for an additional plug-in (PCMCIA) card. These features might be enabled by default, without the owner ever realizing it, thus broadcasting the laptop's accessibility to any computer nearby.

Modern operating systems such as Linux, Mac OS, or Microsoft Windows XP as the 'standard' in home PCs make it very easy to set up a PC as a Wireless LAN 'basestation' and using Internet Connection Sharing, thus allowing all the PCs in the home to access the Internet via the 'base' PC. However, lack of knowledge about the security issues in setting up such systems often means that someone nearby, such as a next-door neighbor, may also use the internet connection. This is typically done without the wireless network owner's knowledge; it may even be without the knowledge of the intruding user if his computer automatically selects a nearby unauthorized wireless network to use as an access point.

[edit] Security options

There are three principal ways to secure a wireless network.

  • For closed networks (like home users and organizations) the by far most common way is to configure access restrictions in the access points. Those restrictions may include encryption and checks on MAC address.
  • For commercial providers, hotspots and large organizations, the preferred solution is often to have an open, unencrypted but completely isolated wireless network. The users will at first have no access to the internet nor to any local network resources. Commercial providers usually forward all web traffic to a captive portal which provides for payment and/or authorization. Another solution is to require the users to connect securely to a privileged network using VPN.
  • Wireless networks are little more secure than wired ones; in many offices intruders can easily visit and hook up their own computer to the wired network without problems, gaining access to the network, and it's also often possible for remote intruders to gain access to the network through backdoors like Back Orifice. One general solution may be end-to-end encryption, with independent authentication on all resources that shouldn't be available to the public.

[edit] Access Control at the Access Point level

One of the simplest techniques is to only allow access from known, approved MAC addresses. However, this approach gives no security against sniffing, and client devices can easily spoof MAC addresses, leading to the need for more advanced security measures.

Another very simple technique is to have a secret ESSID (id/name of the wireless network), though anyone who studies the method will be able to sniff the ESSID.

Today all (or almost all) access points incorporate Wired Equivalent Privacy (WEP) encryption, but security analysts have criticized WEP's inadequacies, and the U.S. FBI has demonstrated the ability to break WEP protection in only 3 minutes using tools available to the general public (see aircrack).

The Wi-Fi Protected Access (WPA and WPA2) security protocols were later created to address these problems. If a weak password, such as a dictionary word or short character string is used, WPA and WPA2 can be cracked. Using a long enough random password (e.g. 14 random letters) or passphrase (e.g. 5 randomly chosen words) makes pre-shared key WPA virtually uncrackable. The second generation of the WPA security protocol (WPA2) is based on the final IEEE 802.11i amendment to the 802.11 standard and is eligible for FIPS 140-2 compliance. With all those encryption schemes, any client in the network that knows the keys can read all the traffic.

[edit] Restricted access networks

Solutions include a newer system for authentication, IEEE 802.1x, that promises to enhance security on both wired and wireless networks. Wireless access points that incorporate technologies like these often also have routers built in, thus becoming wireless gateways.

[edit] End-to-End encryption

One can argue that neither encryption in the router level nor VPN is good enough for protecting valuable data like passwords and personal emails; those technologies add encryption only to parts of the communication path, still allowing people to spy on the traffic if they have gained access to the wired network somehow. The solution may be encryption and authorization in the software layer, using technologies like SSL, SSH, GnuPG, PGP and similar.

The disadvantage with this approach is that it can be difficult to cover all the traffic - with encryption on the router level, or VPN, it's just one switch to get all traffic encrypted (even UDP and DNS lookups), while with end-to-end encryption, one has to "turn on encryption" for each and every service one wants to use, and quite often also for each and every connection. For sending emails, all the recipients must support the encryption and keys have to be exchanged. For web, not all web sites offer https - and even if using end-to-end-encryption on everything, the IP-addresses you communicate with will go in clear text. Say, if you frequent the Playboy Magazine, your mother-in-law may find it out, even if https hides the contents.

Also, the most prized resource is often access to Internet; it's not trivial to enforce each user to authenticate himself for the router.

[edit] Open Access Points

Today, there is almost full wireless network coverage in many urban areas - the infrastructure for the wireless community network (which some people are considering to be the future of the internet) is already in place, and one could roam around and always be connected to Internet if all the nodes would be open to the public - but due to security concerns, most of the nodes are encrypted. Many people consider it to be proper etiquette to leave access points open to the public, allowing free access to Internet.

The density of access points can even be a problem - there are a limited number of channels available, and they partly overlap. In situations where there are a lot of private wireless networks near each other (for example, an apartment complex), the limited amount of data channels on the Wi-Fi range might cause overlapping problems.

According to the advocates of Open Access Points, it shouldn't involve any significant risks to open up wireless networks for the public:

  • The wireless network is after all confined to a small geographical area. When being connected to the Internet and having some security problems, anyone from anywhere in the world can exploit it, while only clients in a small geographical range can exploit an open wireless access point. Thus the exposure is quite low with an open wireless access point, and the risks with having an open wireless network are small. However, one should be aware that an open wireless router will give access to the local network, often including access to file shares and printers.
  • The only way to keep communication truly secure is to use end-to-end encryption. For example, when accessing an internet bank, one would almost always use strong encryption from the web browser and all the way to the bank - thus it shouldn't be risky to do banking over an unencrypted wireless network. The argument is that anyone can sniff the traffic applies to wired networks too, there are lots of system administrators and possible crackers that have access to the links and can read the traffic. Also, anyone knowing the keys for an encrypted wireless network can gain access to the data being transferred over the network.
  • If having services like file shares, access to printers etc on the local net, it is adviceable to have authentication (i.e. by password) for accessing it (one should never assume that the private network is not accessible from the outside). Correctly set up, it should be safe to give access to the local network to outsiders.
  • With the most popular encryption algorithms today, a sniffer will usually be able to compute the network key in a few minutes.
  • It is very common to pay a fixed monthly fee for the Internet connection, and not for the traffic - thus extra traffic will not hurt.
  • Internet connections are plentiful and cheap today. One will almost never risk to get the garden full of freeloaders when setting up an open Access Point.

[edit] External links

[edit] See also