Wireless Security Myths 2010

Wireless has become a part of our official and personal lives. Securing against wireless threats has been and will continue to be an important piece in the overall enterprise security puzzle. However, as if following Darwin's theory of evolution, wireless security myths too are born, evolve and then die to be replaced by new ones.

An improved awareness of wireless security issues seems to have given network security professionals enough information to dispel certain wireless security myths (e.g., hiding your SSID in beacons will improve security; open APs with MAC filters can provide good security; use of static network IP addresses can impede an attacker; and WEP can provide good-enough security).

The fact that more and more users are moving towards WPA2 deployments confirms this. The recent PCI DSS wireless guideline (perhaps spurred by the infamous and high-profile TJX security breach) is certainly driving some of these developments. However, on the flip side, the wireless security community still lacks a clear consensus on how to handle threats caused by unmanaged devices.


This has led to an evolved set of wireless security myths that are probably harder to debunk. Let's take a brief look at them and discuss how enterprises can avoid some of these common pitfalls.

Myth 1: My enterprise is secure if we do not have a Wi-Fi deployment. Many people still think that they are secure if they have a "no Wi-Fi" policy. If only wireless security were that simple. In the real world where it is not possible to trust everyone, it would be naïve to assume the policy will never be violated. A disgruntled employee can implant a rogue access point, and even well-meaning employees can deploy APs that will inadvertently expose your network to rogue activity. Similarly, Wi-Fi client cards that come embedded in most of the notebooks today can be a potential source of threat -- they can be exploited by attackers. Further, other wireless technologies embedded in notebooks such as Bluetooth can create security vulnerabilities.

Reality: Assuming that a "no Wi-Fi" policy will secure your network is akin to an "Ostrich solution".

Myth 2: I use WPA2 in my network and I am secure. If you have rolled out your enterprise Wi-Fi deployment with WPA2, it is definitely a good start. WPA2 provides strong cryptographic security for your WLAN APs and clients. However, in a large deployment, it is important to ensure that none of the devices are accidentally mis-configured, thus potentially exposing gaping security holes. Wi-Fi is increasingly used to carry mission-critical applications, so hackers and criminals will continue to focus on breaking Wi-Fi security. Researchers have recently demonstrated that WPA-TKIP can be compromised to achieve packet-injection attacks. Similarly, a Cisco WLAN controller-based vulnerability that can be exploited to "skyjack" Cisco LAPs has been reported.

Reality: A WPA2-based WLAN deployment cannot protect you from all types of wireless security threats.

Myth 3: I have enabled 802.1X port control and I am secure. IEEE 802.1X port-based access control provides an authentication mechanism for devices wishing to communicate via a port (e.g., a LAN port). It allows further communication only if the authentication succeeds. If it fails, it disallows further communication via the port. The goal of the designers of 802.1X was not to protect a network from wireless security threats. As we can expect, 802.1X is completely ineffective against Wi-Fi client-based threats. Even though 802.1X-based port control can act as a deterrent to rogue APs, it can be easily bypassed via a "hidden rogue AP" -- for example, by an employee with knowledge of 802.1X credentials. First, he needs to connect a Layer-2 bridge AP in "silent" mode by configuring it with a static IP (so that it never has to reveal its identity over the wire). Then, he can masquerade the identity (i.e., MAC address) of a Wi-Fi client as that of his Ethernet card to deceive 802.1X control.

Reality: The basic problem here is that 802.1X is a one-time (i.e., entry-level) control, but what you actually need is continuous monitoring and control.

Myth 4: My network access control (NAC) solution will protect me from Wi-Fi based threats. NAC aims to control access to a network with policies. It includes pre-admission endpoint security policy checks (to determine who can access the network) and post-admission controls (to determine what they can access). Since NAC solutions include some host-based checks (i.e., operating system, services running on the host), they can protect against the class of rogue APs that function as a router or a network address translator. Like 802.1X, however, NAC fails against the "silent rogue AP" threat.

Reality: Similar to 802.1X, NAC is also an entry-level control, and the arguments made against 802.1X hold true against NAC as well.

Myth 5: 802.11w eliminates Wi-Fi denial-of-service (DoS) attacks. By its very nature, Wi-Fi is susceptible to DoS attacks. The unlicensed radio frequency spectrum coupled with a "keep-it-simple" MAC protocol have led to the development of several DoS attacks on Wi-Fi (e.g., RF jamming, deauthentication/disassociation flood, virtual jamming). IEEE recently ratified the 802.11w standard, which adds cryptographic protection to a certain subset of 802.11 Management frames (e.g., deauthentication frames, disassociation frames). This definitely mitigates the attacks based on such protected frames.

Reality: Attacks based on frames that are outside of the purview of 802.11w protection (e.g., virtual jamming) and RF spectrum based attacks are still possible.
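As an added illustration of the "protected subset" point above (example code written for this page, not AirTight's product or anything from the original article), the following sensor-style logic runs over a constructed list of 802.11 management frame records: it flags deauthentication/disassociation floods and flags unprotected deauth/disassoc frames that claim a BSSID on which 802.11w (PMF) is enforced, since a PMF-capable AP would have protected them. The `MgmtFrame` record, the `pmf_bssids` set and the thresholds are assumptions; the sample capture is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Management frame (type 0) subtype values from the 802.11 standard.
DEAUTH, DISASSOC = 0x0C, 0x0A
# 802.11w protects these "robust" management frames once a PTK exists.
# A CTS frame carrying a large NAV (virtual jamming) is NOT in this set.
PMF_PROTECTED_SUBTYPES = {DEAUTH, DISASSOC}

@dataclass
class MgmtFrame:            # assumed, simplified capture record
    ts: float               # capture time in seconds
    subtype: int
    src: str                # transmitter MAC
    bssid: str
    protected: bool         # Protected Frame bit set (encrypted mgmt frame)

def detect_mgmt_anomalies(frames, pmf_bssids, window=1.0, threshold=10):
    """Return (flood_bssids, spoof_suspects).

    flood_bssids: BSSIDs with more than `threshold` deauth/disassoc frames
                  inside any sliding `window` of seconds.
    spoof_suspects: deauth/disassoc frames that claim a PMF-enforced BSSID
                  yet arrive unprotected; an 802.11w AP protects these for
                  associated clients, so such frames are likely forged.
    """
    floods, spoof_suspects = set(), []
    recent = defaultdict(list)      # bssid -> timestamps in current window
    for f in sorted(frames, key=lambda x: x.ts):
        if f.subtype not in PMF_PROTECTED_SUBTYPES:
            continue                # other frames need other detectors
        if f.bssid in pmf_bssids and not f.protected:
            spoof_suspects.append(f)
        ts_list = recent[f.bssid]
        ts_list.append(f.ts)
        while ts_list and f.ts - ts_list[0] > window:
            ts_list.pop(0)          # expire timestamps older than the window
        if len(ts_list) > threshold:
            floods.add(f.bssid)
    return floods, spoof_suspects

# Constructed sample: one legitimate protected deauth on a PMF BSS, then a
# burst of 15 unprotected deauths claiming the same BSSID within 0.7 s.
AP = "aa:bb:cc:00:00:01"
SAMPLE = [MgmtFrame(0.0, DEAUTH, AP, AP, True)]
SAMPLE += [MgmtFrame(5.0 + i * 0.05, DEAUTH, AP, AP, False) for i in range(15)]

if __name__ == "__main__":
    floods, spoofs = detect_mgmt_anomalies(SAMPLE, pmf_bssids={AP})
    print("flood BSSIDs:", floods, "| unprotected deauths on PMF BSS:", len(spoofs))
```

Frames outside `PMF_PROTECTED_SUBTYPES` are deliberately skipped to make the point of the myth: a CTS-based virtual jamming burst would pass through this detector untouched and needs spectrum- or NAV-based detection instead.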

Myth 6: Part-time security. WLAN infrastructure may support a mode wherein an AP can be programmed at times to act as a wireless intrusion-detection sensor. However, if you need a higher level of protection, for example to comply with industry or government regulations, you really need wireless intrusion prevention (and not just detection), as switching an AP from access to protection provides, at best, part-time protection. A device acting as an AP cannot spend significant cycles on security. If it does, it will affect its performance as a data/voice-carrying device. Therefore, when this mode is employed, such devices end up spending less time on scanning and threat mitigation. This introduces delays in threat detection and can affect blocking/prevention severely.

Reality: Part-time sensors fail miserably in reliably blocking threats (as such sensors cannot perform a sustained and frequent transmission of containment packets).

It is clear that threats originating from unmanaged wireless devices need focused attention. The first step in addressing this issue is to define wireless security policies for your enterprise -- define what authorized communication is and what is not.

The next step is to evaluate the security risk specific to your enterprise and invest in specialized tools such as a wireless intrusion detection/prevention system. Last, but not least, wireless security is also a people problem and user education goes a long way in mitigating the security risks.

AirTight Networks specializes in wireless security and performance management. It provides customers cutting-edge wireless intrusion detection and prevention (WIPS) solutions to automatically detect, classify, block and locate current and emerging wireless threats.
