May 2003


Insights into the latest wireless LAN security issues

The Top 10 Wireless LAN Policy Violations

If you'd like to learn more about wireless LAN policies, register for the Wireless LAN Policies webcast
with META Group Analyst Chris Kozup
- June 3 at 2 p.m.

From rogue APs to ad hoc networks, wireless LAN policy violations can create a wide-open entry point to the enterprise network. While policies are the first step to securing wireless LANs, many enterprise WLAN policies quickly become just another ignored, dust-collecting document.

With a broad base of customers that includes more than 50 Blue Chip companies and large government agencies, AirDefense collected data to compile the 10 most common wireless LAN policy violations.

1. Unsanctioned or Rogue Access Points - Unauthorized access points represent one of the biggest threats to IT security today. While rogue access points have made headlines in recent months, a research brief from META Group highlighted the risks and need for enforcing a no-rogue policy:
Rogue access points are rarely installed with even basic security enabled (e.g., Wired Equivalent Privacy). Furthermore, even if WEP is enabled, those with malicious intent may still gain access to the corporate network using tools such as AirSnort and NetStumbler.

Regardless of the choice to deploy or ban wireless LANs, enterprises must develop procedures to detect and decommission access points while reproaching those responsible for breaking policy. Many META Group clients have discovered substantial numbers of rogue access points, and some clients are so serious about stopping this occurrence that the offence is punishable by termination.

- Chris Kozup, META Group

2. Unsanctioned Wireless Laptops - Like it or not, unsanctioned wireless devices are making their way into enterprises from users who are quick to adopt the increasingly ubiquitous technology. With a $300 million marketing initiative, Intel's new Centrino wireless chip progressing to a point where all new laptops will be WLAN ready and will require security.

Even without a WLAN infrastructure of access points, unsanctioned WLAN-enabled laptops introduce new headaches for IT security and network managers. The unauthorized WLAN stations must be configured properly to secure the user from connecting to unknown WLANs and malicious WLAN stations, which can potentially access all local files. While connected to the enterprise wired network, an attacked WLAN-enabled station can be an onramp to the greater network. Enterprises that previously banned wireless LANs for
security reasons are now being forced to reevaluate that policy after executives begin using new WLAN-ready tablet computers.

3. Ad Hoc Networks - Similar to rogue access points, ad hoc wireless networks represent another major concern for wireless LAN security because they can put a network at risk without security managers ever seeing the vulnerability. Wireless LAN cards enable peer-to-peer networking between laptops without an access point. These ad hoc networks can allow an authorized user to transfer private corporate documents and intellectual property to unauthorized users without going over the corporate network. While wireless LAN cards operate in ad hoc mode, the user must be able to trust all stations within range because ad hoc networks offer little authentication management and security. Malicious stations can connect directly to authorized users and thus gain access to the enterprise network.

4. Access Points Advertising Slow & Unsafe Data Rates
- If properly deployed, enterprise 802.11b wireless LANs should serve its user stations with a connection rate of 5.5 Mbps or 11 Mbps. The access points then are configured to only allow for these desired data rates. However, an access point that allows users to connect at the slower 1 Mbps and 2 Mbps speeds indicates degraded network performance or potential suspicious activity. A 1 Mbps connection on a properly deployed network indicates potential suspicious activity from someone in the parking lot or down the street with an antenna.

5. Access Points Configured for Both VPN & Open Authentication - While security-conscious enterprises secure their wireless LANs by authenticating all users through a VPN gateway, many enterprises inadvertently configure access points to allow for both open authentication and the VPN. While authorized users are authenticated through the VPN, the open authentication allows any wireless station to connect with the network by going around the VPN's steel door.

6. Accidental Associations with Neighboring Access Points - Because RF signals of a wireless LAN cannot be contained in most office environments, many enterprises experience accidental connections between their wireless users and neighboring wireless LANs. A station connecting to a neighboring wireless LAN can divulge passwords or sensitive documents to anyone on the neighboring network. Accidental associations can even link the two companies' networks together through this end user station as it bypasses all internal security and controls.

7. Nonstandard WLAN Access Cards - Enterprise wireless LAN deployments are typically based on WLAN hardware from approved vendors that support network security and management configurations. Similar to unsanctioned stations and access points, employees bring in consumer-grade wireless cards that are not up to enterprise standards.

8. Default SSIDs or Too Much Detail in SSID - Service Set Identifiers act as the public names of a wireless LAN, so enterprises should be careful not to advertise too much information in its networks' SSIDs. (SSIDs are openly broadcasted as part of normal WLAN traffic, so any wireless hobbyist can easily identify these network names.) Upon deployment, all access points should be configured for security, which includes proper naming of the network through SSIDs. Hackers are often attracted to access points with default SSIDs, such as "tsunami" from Cisco and "101" from Symbol. If the SSID has not been changed, it's not likely other security measures have been enacted on the access point or WLAN segment. The default network names often advertise that the wireless LAN is not properly secured.Similarly, SSIDs that contain specific information about the WLAN deployment should also be avoided. Using department names, such as "human resources," "accounting" or "engineering" can also attract hackers to the WLAN in search of personnel files, financial information or intellectual property.

9. Insecure Windows XP Settings - Wireless LAN policies should apply to every wireless station and device, and Windows XP compounds the issue with several default settings that risk security vulnerabilities.While the Wi-Fi friendly features of Windows XP are great for usability and the growth of WLANs, they can also create policy headaches by forcing IT managers to maintain secure configurations of XP on all clients.
In default modes of Windows XP, a wireless-enabled laptop automatically searches for an access point with which to connect. Some of the insecure settings include:
" Automatically connecting to all unapproved wireless network connections;
" Sending out beacons in search of all access points the stations has previously connected with; and
" Dual-mode of operation to allow for both infrastructure (access points) and ad hoc (peer-to-peer) networking.

10.Off-Hours Traffic
- With wireless LANs operating on the uncontrolled wireless medium and RF signals extending beyond the walls a building, many enterprises limit WLAN usage to set office hours. Concerned about late-night hackers in the parking lot, some enterprises even take steps to turn off the access points during non-office hours whereby all wireless LAN activity during off-hours can be identified as suspicious.

Click here to register for the Wireless LAN Policies webcast
with META Group Analyst Chris Kozup.

 Knowledge Center
 AirDefense is your source for the latest information about WLAN security

Forward this to a friend >>

Did you receive this newsletter in error? Our goal is to educate IT professionals about WLAN security. If you would like to be removed from future mailings, please click here to unsubscribe or modify your email profile. We respect your right to privacy; click here to view our policy.

   Not a subscriber?  Click here to subscribe!