How can you ensure your Wi-Fi environments are able to withstand attacks? Amit Rao explains.
It is increasingly important for facility managers to ensure that employees have Wi-Fi access that provides fast and secure ‘anytime and anywhere’ access to the network and critical applications. However, the number of threats against these networks has risen steadily, partly because it’s so easy to launch attacks against wireless networks, which means a stronger security stance is critical.
Network and security operations teams are fighting a multi-front Wi-Fi security battle. Challenges include employees plugging cheap, unauthorised/rogue access points (APs) into the network, hackers using attack tools they’ve downloaded from the internet and even radio frequency jammers that make the entire wireless spectrum unusable.
The wireless network contains three layers: the wireless local area network (WLAN), AP encryption and authentication, and building security. This is a significantly lower number of layers compared with traditional wired networks. Essentially, once a hacker breaks through the building security and AP layers, they’re into the WLAN. A lot of organisations don’t understand how critical it is to protect the Wi-Fi and most need to be far more vigilant in their approach.
There are misconceptions around the false security offered by the AP infrastructure to monitor itself. In fact, the AP itself often has no in-built security and can be a target for hackers.
WIRELESS ATTACK VECTORS
The latest wireless attacks and hacks can be grouped into four attack vectors: snooping, denial of service attacks, cracking and information theft.
1. Snooping. Mostly undetectable, snooping requires specialised (although inexpensive) equipment. Through snooping, hackers can fingerprint a wireless network, which means they are capturing mac addresses, BSIDs (base station identities), SSIDs (service set identifiers), the channels being used, clients active in the wireless network and the AP manufacturer. Gathering this information helps them to find ways to exploit the network. For example, hackers may know there are certain vulnerabilities specific to a particular AP manufacturer. It is very difficult to catch a hacker that is snooping. This is where the building security layer comes in. It is important to monitor what is going on outside of the building.
2. Denial of service attacks. This may include the use of jammers that transmit a high-powered signal on the same frequency the hacker is attacking. Software-defined radios, Wi-Fi jammers and cellular jammers can all be used for this. While they are illegal, they are mostly easily available.
3. Cracking. For example, WPA (wireless protected access) cracking involves the hacker capturing the network’s four-way handshake, and then taking it offline to crack it. There are a couple of ways to do this. First, by playing the waiting game: eventually someone will connect to the wireless network. Once the client connects to a WPA AP it performs a four-way handshake. Second, the hacker can send a few de-authentication frames to the client to kick it off and then let it re-associate to capture the handshake. Once hackers have the handshake, they will need tools and services to crack the key. While this could take forever, more equipment is becoming available that can handle this type of cracking.
4. Information theft. There are many types of information theft. They include:
Passive sniffing is when a client is connected to an unencrypted hotspot. The hacker can collect data and look at it offline.
Honey-potting, whereby the hacker creates an AP using the same SSID as clients are connecting to, then sniffing the traffic as they’re connecting.
Wireless MitM (Man in the Middle) is where the hacker poses as the AP that clients connect through, then just routes the traffic. Or the hacker may be the client on the hotspot AP. In this instance, the hacker may be connected to the hotspot and performing a DNS redirection attack, whereby the hacker responds to the client as a DNS server and can direct clients’ webpages to whatever webserver he wants.
Rogue or unauthorised APs may be plugged into the network. These may be intentional or unintentional. For example,
an employee having trouble getting into the network brings in an AP from home. This AP may not have the same level of security as the enterprise AP, creating a vulnerability.
The types of attacks on these vectors are numerous and growing. They include traditional ones such as the Karma attack, which was first introduced in 2006, to fuzzing, spoofed attacks, WPA cracking, Wi-Fi pineapples, creating a covert channel, or using software-defined radios.
THE NEED TO DEPLOY A WIRELESS NO-FLY ZONE
For some organisations it may be necessary to create no-wireless zones in sensitive areas. No-wireless zones can be created within certain areas, a whole building or outside the entire perimeter to prevent Wi-Fi drone attacks or stop wireless campers from accessing the network.
The number one thing is to define the boundaries. Second, businesses must define the policy for detection and continually refine it. This should include things like rogue AP detection, rogue station detection, Wi-Fi pineapples, honeypot detection and monitoring for non-802.11 sources.
Finally, businesses must define the response when a rogue device has been detected. This includes locating the unauthorised device. Most wireless intrusion prevention systems (WIPS) can find rogue devices on a floor plan or map. Then the business must decide who is going to retrieve it, taking into consideration the training and tools required, and keeping evidence for potential prosecution.
MITIGATION BEST PRACTICES
Organisations need to be on the leading edge of detecting the latest wireless threats to meet the security, performance and compliance demands of today’s mobile workforce.
To do this, organisations should look for always-on WLAN assurance that can detect their own devices, as well as unauthorised devices. Organisations should be able to detect when malicious traffic is invading the wireless network, whether they are being attacked or if a hacker is trying to lure clients to them.
Businesses should also consider wireless containment. If an unauthorised device is detected, then wireless containment can prevent anyone from connecting to it.
Businesses should also ensure that client drivers and software are constantly updated. Software companies will upload patches and security updates, and businesses should avail themselves of these.
Client verification is another important mitigation strategy. Making sure clients are connecting to the expected SSID is a simple way of detecting if something has gone wrong. It is important to trust but also verify.
To address all of these best practices, facility managers should look for a solution that provides 24/7, always-on WLAN assurance, an analysis engine for alarm signatures, dynamic threat updates, comprehensive WLAN reporting and spectrum analysis.
This article also appears in the December/January issue of Facility Management magazine.