Wireless (Wi-Fi) Communication Systems
Wireless networks are becoming increasingly prevalent in many enterprise networks. They enable flexible working environments, including the concept of hot desks, and give roaming access to the corporate network from around the premises. Advances in the use of portable computing equipment in the form of laptops, PDAs and other multifunction mobile technology such as the iPhone make wireless connectivity a desirable feature in today's corporate environment.
Most enterprises face challenges when considering the introduction of wireless networks and the security issues that come with them. The trend toward wireless networks has grown as organisations see the benefits to employees of providing them with roaming wireless access to the corporate infrastructure. Deploying a secure wireless network throughout an organisation is fundamental to protecting the network assets from attack by inside users and from hostile external attackers.
The subject of wireless security is complex, with many variables contributing to the overall security of the environment. Areas that can have a potential impact on the security of a wireless deployment include: RF propagation, access points, wireless clients, authentication and encryption, operating mode and any guest access.
Wireless Transport Mechanics
Presently the most widely used wireless network devices conform to the 802.11a/b/g standards, which define the wireless implementation's frequency and modulation. The following table briefly shows the differences between these wireless standards:
Implementation   Frequency   Modulation   Data Rate
802.11g          2.4GHz      OFDM         54Mbit/s
802.11b          2.4GHz      DSSS         11Mbit/s
802.11a          5GHz        OFDM         54Mbit/s
There are many 802.11 specifications relating to areas such as encryption, authentication and other wireless variables, to which standard wireless deployments should conform in order to be interoperable between different wireless system vendors.
Enterprise wireless security deployments typically adopt the 802.11i standard for authentication, using either WPA(2) Enterprise or WPA(2) Pre-Shared Key. WPA(2) Enterprise uses 802.1X, which specifies the Extensible Authentication Protocol (EAP) to send authentication messages from a wireless client (supplicant) to a RADIUS server (authentication server) in order to authorise the wireless client to join the network. WPA(2) Pre-Shared Key (PSK) relies on a key distributed to all wireless clients, possession of which authorises them to join the network.
An important issue for any currently deployed wireless encryption system is that Wired Equivalent Privacy (WEP) is considered insecure and can be easily broken during a wireless security assessment (depending on configuration).
The encryption used in an enterprise wireless network would typically be based on WPA(2), using the ‘Temporal Key Integrity Protocol’ (TKIP) for WPA or the ‘Counter Mode with CBC-MAC Protocol’ (CCMP), an AES-based encryption, for WPA2. Currently WPA(2) does not have any known cryptographic weakness; the main avenue for attack on WPA implementations using Pre-Shared Keys (PSK) is brute-forcing the handshake to find whether the PSK is a dictionary word.
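As an added illustration (not from the original page) of why a PSK deployment stands or falls with its passphrase, the Python below computes the 256-bit PSK exactly as an access point or supplicant derives it from the passphrase and SSID, and then applies a simple passphrase policy check a tester could run against a client's configured key; the word list, the 20-character minimum and the function names are assumptions for the example.

```python
import hashlib
import re

# Constructed word list for the policy check; a real assessment would use a full dictionary.
COMMON_WORDS = {"password", "welcome", "letmein", "company", "wireless", "internet"}


def derive_psk(ssid: str, passphrase: str) -> bytes:
    """WPA/WPA2 Pre-Shared Key as IEEE 802.11i defines it:
    PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    The derivation is public and deterministic, so anyone holding a captured
    handshake can test candidate passphrases offline; only the passphrase's
    unpredictability protects the network.
    Standard test vector: ssid "IEEE", passphrase "password" ->
    f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def passphrase_findings(passphrase: str) -> list[str]:
    """Policy check for a client's PSK passphrase (hypothetical policy).
    Returns the reasons it would be weak against a dictionary attack on the
    handshake; an empty list means it passes."""
    findings = []
    if len(passphrase) < 20:
        findings.append("shorter than 20 characters")
    # Strip digits and symbols: "password2008!" is still a dictionary word to a cracker.
    core = re.sub(r"[^a-z]", "", passphrase.lower())
    if core in COMMON_WORDS:
        findings.append("dictionary word (with trivial padding)")
    if passphrase.isalpha() or passphrase.isdigit():
        findings.append("single character class")
    return findings
```

The 4096 PBKDF2 iterations slow each guess only slightly, which is why the page's advice reduces to a long, non-dictionary passphrase or WPA(2) Enterprise.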
Wireless Security Testing
The aim of a wireless security test is to assess and offer a risk analysis of the wireless exposure of the network. This requires the tester to assess, validate and provide recommendations to strengthen the wireless deployment. An important element of a wireless test is to compare the organisation's wireless network architecture and configuration against security best practice, to find any vulnerabilities and threats to the wireless network that could pose security risks to the organisation.
To establish the wireless security stance of the organisation, several areas need to be covered during security testing.
The methods used for the wireless security test involve two key areas: an unauthenticated and an authenticated wireless security test. The unauthenticated review offers an analysis of the wireless deployment from the viewpoint of an external attacker without valid credentials or authorisation to join the wireless network. The authenticated review takes the perspective of an authorised client and finds the exposure of the infrastructure to a wireless client with a valid connection to the wireless network.
Unauthenticated Wireless Testing
Some of the areas typically covered during an unauthenticated wireless security test may include:
Site Survey: Identify the number of available wireless networks within the perimeter of the premises, including those that may not belong to the client but are radiating RF into the premises. Conversely, find the client's wireless network perimeter and the availability of the wireless network outside the physical boundary of the client. For practical reasons this usually means identifying whether the network can be seen from the street and/or from any adjacent offices if the client is in a shared building.
Access Point Identification: Locate the access points belonging to the client's wireless network based on the network name(s) and determine whether those identified match the wireless deployment architecture. Any extra wireless access points may indicate the placement of a ‘rogue’ access point connected to the wired infrastructure that may not adhere to the wireless security policy.
Traffic Sniffing: Determine the presence of any unencrypted wireless traffic whose source is identified as belonging to the client's wireless network. This would indicate the presence of incorrectly deployed access points whose configuration does not adhere to the encryption policy adopted in the wireless deployment.
Ad-Hoc Wireless Networks: The presence of Ad-Hoc wireless networks may show wireless clients incorrectly configured to start or join an Ad-Hoc network rather than the infrastructure network used by the client. The existence of Ad-Hoc networks within a client should be investigated to find which wireless client(s) are forming the network and to make sure that they are not connected to the wired infrastructure.
Wireless Client Connection: Monitoring the process of a legitimate wireless client joining the wireless network is useful for revealing the authentication and encryption mechanism in place. It provides an overview of the security mechanism in use by the deployed system and gives the opportunity to focus the effort of attempting to gain unauthenticated access to the client's network.
Device Spoofing: Following the identification of the legitimate infrastructure access points and authenticated wireless clients, it may be useful to perform device spoofing and cloning of these authorised devices while they are in use and connected to the client's wired/wireless infrastructure. This may offer a view of the resilience of the network against spoofed and cloned devices.
Wireless Management: Wireless networks use management frames to control actions between the access point and the wireless clients. These management frames are typically transmitted in the clear and can be intercepted and modified to determine the effect this may have on the clients attached to the wireless network.
Wireless Client Configuration: The client's wireless clients may be used outside the premises to connect to wireless hotspots and from there back to the corporate network. The configuration of these clients may offer the opportunity to set up an access point that resembles a hotspot and attempt to entice the wireless client to join it; if the client accepts the offered wireless connection, this may offer an avenue by which its network configuration can be probed.
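As an added example (not part of the original page), the Python below turns the site survey, access point identification, traffic sniffing and Ad-Hoc items above into one repeatable check of survey results against the client's documented deployment. The scan records, the authorised inventory, the encryption policy and the signal threshold are constructed sample data, and the function and field names are assumptions for the example.

```python
from dataclasses import dataclass


@dataclass
class Bss:
    bssid: str
    ssid: str
    mode: str       # "ESS" = infrastructure, "IBSS" = Ad-Hoc
    security: str   # e.g. "WPA2-Enterprise", "WPA2-PSK", "WEP", "Open"
    signal_dbm: int
    seen_from: str  # where the survey laptop stood: "inside" or "street"


# Constructed example data: the client's documented deployment and one survey pass.
CORP_SSIDS = {"CorpNet"}
AUTHORISED_BSSIDS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}
ENCRYPTION_POLICY = {"WPA2-Enterprise"}
USABLE_SIGNAL_DBM = -75   # assumed threshold: stronger than this is usable from outside

SURVEY = [
    Bss("00:11:22:aa:bb:01", "CorpNet", "ESS", "WPA2-Enterprise", -48, "inside"),
    Bss("00:11:22:aa:bb:02", "CorpNet", "ESS", "WPA2-Enterprise", -70, "street"),
    Bss("00:11:22:aa:bb:03", "CorpNet", "ESS", "Open", -60, "inside"),
    Bss("66:77:88:99:aa:bb", "Free-WiFi", "ESS", "Open", -71, "inside"),
    Bss("02:c0:ff:ee:00:01", "CorpNet", "IBSS", "WPA2-PSK", -52, "inside"),
]


def audit_survey(survey, corp_ssids, authorised, policy, usable_dbm):
    """Return (bssid, finding) pairs for anything that deviates from the
    documented architecture: Ad-Hoc networks, unlisted APs advertising a
    corporate SSID, encryption-policy violations and corporate coverage
    that is usable from outside the premises."""
    findings = []
    for bss in survey:
        if bss.mode == "IBSS":
            findings.append((bss.bssid, "Ad-Hoc network; identify the client forming it"))
            continue
        if bss.ssid not in corp_ssids:
            continue   # neighbouring network: record in the RF survey, not a finding
        if bss.bssid not in authorised:
            findings.append((bss.bssid, "unlisted AP on corporate SSID; possible rogue"))
        if bss.security not in policy:
            findings.append((bss.bssid, f"{bss.security} violates encryption policy"))
        if bss.seen_from == "street" and bss.signal_dbm > usable_dbm:
            findings.append((bss.bssid, "corporate SSID usable from outside the perimeter"))
    return findings
```

Each finding maps back to a remediation the report can recommend: trace the rogue or Ad-Hoc device to its switch port, bring the open AP under the central configuration, and reduce transmit power or relocate the AP that is usable from the street.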
Authenticated Wireless Testing
Some of the areas covered during an authenticated wireless security test may include:
Stored Keys: If the wireless clients are configured to use PSK it may be possible to recover any stored keys from a client laptop and reuse the key during the assessment.
Traffic Sniffing: By sniffing traffic from within an authenticated wireless session it may be possible to determine whether other wireless clients can be identified and whether any traffic not directly destined for the current client can be observed and captured. This other wireless network traffic could include broadcast traffic or even traffic destined for another wireless client.
Client Connectivity: By using an authorised wireless client, or the configuration of an authorised client, it may be possible to determine the wireless client's ability to connect to other clients on either the wired or the wireless network and to check the amount of interaction that can be achieved with these other network devices.
LAN Connectivity: An important aspect of the wireless network configuration is the placement of the wireless network and the access possible from it to the wired corporate network. It should be a requirement to establish the scope of the wireless network within the organisation's wired infrastructure, to show any separation between the wireless and the wired portions of the network infrastructure.
Access Point Configuration: The configuration of access points within a wireless deployment would typically take place either from a central configuration and management console or on an individual basis, depending on the wireless system involved. It is a useful exercise to compare the expected configuration of the access points against a sample of deployed access points to find any issues with configuration control of the devices.
Indimon Internet Services
Indimon Internet Services does not offer an on-site wireless security testing service but recommends that clients who have implemented a wireless network undertake a wireless security test.
The wireless security testing process should use a variety of hardware and software tools to assess the client's wireless infrastructure. A wireless security test should check the client's deployed wireless technology, including the architecture and configuration, identify authorised and any unauthorised access points, and conduct a penetration test against all components of the wireless network.
A wireless security test should give the client a clear understanding of any identified risks due to incorrect configuration or unauthorised access points and recommend any changes to the configuration that would improve the security posture of the client's wireless network.