This subject of securing wireless devices conjures up visions of your PC or mobile phone connecting to the Internet through some hotspot at Starbucks. But it is so much more than that. Let’s look at the facts:
- Even back in 2013, 98 percent of U.S. small businesses used wireless technologies in their operations according to an AT&T poll.
- The Internet of Things (IoT) is rapidly expanding, and it is based firmly on wireless. For example, many home and office security systems are wireless.
- Mobile phones are becoming the main avenue to the Internet for an increasing number of people all over the world.
So it makes sense that wireless security should be a big concern.
Wireless technologies are more vulnerable than wired technologies
Keep in mind that many businesses have wired and wireless networks. Wireless devices are vulnerable to any attacks that may be made on wired devices. But there are many more threats to wireless networks. This is because wireless transmits data over the air. The air cannot be secured. So wireless technologies must incorporate more safeguards against eavesdropping and man-in-the middle attacks than wired technologies.
For example, man-in-the middle attacks in a wireless environment are child’s play. An attacker connects to the Internet and configures a laptop to look like a legitimate wireless access point (AP). Victims wanting Internet access unwittingly connect through the bogus AP. Furthermore, the attacker can launch a de-authentication attack, causing devices already connected to a legitimate AP to drop their connection and to automatically reconnect to the attacker’s AP. The attacker now has unlimited access to data transmitted by any attached user since wireless operates at Layer 2. Layer 3 protections such as encryption, network authentication, and virtual private networks (VPNs) cannot protect against this scenario.
Two wireless devices can communicate without involving the access point. This is clearly not a possibility in the wired world. So not only must there be protection against external threats, but also against other devices attached to the AP.
Denial of Service attacks are a danger to any network, but especially with the restricted bandwidth of wireless networks.
Wireless Security measures that don’t work
Some sources recommend wireless security measures that are not effective for business. Here are three examples:
- Most wireless configurations provide MAC filtering. Here, an administrator enters a list of the MAC addresses (Layer 2 addresses) of authorized devices. A device with a MAC address that is not on the list is blocked. But any attacker with sniffing software can easily find authorized MAC addresses since MAC addresses in Layer 2 headers are not encrypted. The attacker simply changes his own MAC address, via widely-available software, to an authorized address, and he’s “in”.
- In setting up a wireless network connection, there is normally an option to hide the SSID (Service Set Identifier). This keeps the connection from appearing on a list, but does not prevent anyone from using the connection.
- Static IP addressing stops attackers from being assigned DHCP addresses. It does not block a knowledgeable attacker.
Recommended strategies to implement a wireless network
There are different approaches depending on the size of the organization and the level of in-house IT expertise:
- Create a completely isolated wireless network: Users must authenticate and have acceptable security software before they can connect to the Internet or, for that matter, to any local network resources. This approach requires a Network Access Server.
- Forward all web traffic to a proxy server which provides authentication and authorization.
- Require users to access resources through a virtual private network (VPN). VPNs provide encryption from the user’s location to the destination router (remote-access VPNs) or from the user’s router to the destination router (site-to-site VPNs). There are numerous implementations of VPNs including PPTP, L2TP, IPsec, and SSH.
Using end-to-end encryption would be ideal. However, not all intervening software and hardware may support encryption. For example, not all web sites offer https, and even if they do, the browser sends out IP addresses in clear text. The next best alternative is to require users to connect to the company network through VPNs .
Of course, authentication is critical. IEEE 802.11i Wi-Fi Protected Access II (WPA2) should be used. For authentication, there are alternatives:
- Pre-shared key (PSK) – This is normally used only in a home environment and provides Advanced Encryption Standard (AES) encryption.
- EAPOL (Extensible Authentication Protocol over LANs) with 802.1X and an authentication server such as RADIUS or DIAMETER: There are open-source RADIUS servers that could easily accommodate the needs of most businesses.
- EAPOL with EAP-TLS: The majority of implementations require client-side X.509 certificates.
A hardware or software card or token can be used in combination with the above authentication techniques, depending on the vendor.