Don’t broadcast your company confidentials to the world.
In August last year, Computerworld took to the streets of Auckland together with two network engineers to check out if wireless security really was as lax as everyone said. Using simple, off-the-shelf technology (two 802.11b cards plus an iPAQ PDA and an Asus portable PC), we were “invited” on to many corporate networks.
Not only were we able to see the networks and thus sniff the data (had we wanted to), some even handed out DHCP leases complete with IP address, DNS, gateway and SMTP server. It doesn’t require much imagination to see how that could be abused.
A surprising number of networks didn’t even use Wired Equivalent Privacy (WEP), which encrypts the payload of 802.11 frames between stations. Unfortunately, WEP has been compromised: sniffing a couple of hours’ worth of traffic (the actual time depends on how busy the network is) and running the data through readily available tools allows anyone to decrypt 802.11 frames. Managing WEP keys between stations is also awkward as it has to be done manually, and many administrators do not change these often enough.
However, WEP is enough to deter casual “war drivers”, and should still be considered your first line of defence together with access control lists based on Media Access Control (MAC) entries.
Less obvious security measures include isolating the 802.11 network on its own segment, without automatic access to the rest of the corporate LAN. Remember that lots of portables and PDAs go missing all the time, and if they’re wireless you could have a cracker on your network without knowing it. If you’re setting up a point-to-point 802.11 network, use a directional aerial and experiment with the gain required: some of the networks we saw were in buildings close to a kilometre away, indicating that the administrators had really turned it up.
Next, consider implementing a more robust method of user authentication and access control, such as 802.1X. With 802.1X enabled, clients must authenticate themselves to access points (using the Extensible Authentication Protocol, EAP). Nothing else but EAP traffic is allowed until the access point receives a go-ahead for the client from an authentication server such as RADIUS (Remote Authentication Dial-In User Service). Couple 802.1X with payload encryption and your wireless network will be as secure as it can be.