Keeping Intruders Out Of Your WLAN

Encryption and authentication are essential for locking down WLANs but they don't provide total security. For that, you'll need an intrusion detection system.

March 30, 2005

Network Computing

Wireless LANs utilize radio waves for transporting information, which results in security vulnerabilities that justifiably worry network managers. To assuage those worries, most companies implement authentication and encryption to harden security.

However, WLANs have a whole host of other vulnerabilities that are harder to eliminate completely, such as illicit monitoring, unauthorized access and denial of service (DoS) attacks. For example, someone using a wireless sniffer, such as the freely available NetStumbler, can easily monitor wireless traffic, for fun or with malicious intent, while sitting in a car next to your office building.

Fortunately, intrusion detection systems (IDSs) can secure networks against these threats.

Attacks From Many Directions

Effective encryption, such as that offered by 802.11i, is essential, of course, because it keeps hackers from deciphering the content of data. And authentication systems make sure that the person logging on to the network is who he or she claims to be. However, a seasoned wireless hacker can still monitor the network and gather information about it that may help in exploiting security holes.

A potential, if unknowing, ally to that hacker could be an employee who installs an access point without setting any security controls. In my consulting work, I often find these types of rogue access points when performing security assessments for enterprises. The employee may not even think he or she is installing a rogue access point but, rather, is simply trying to gain access to data while away from their desk.

However, rogues leave the corporate network wide open to hackers wanting to gain unauthorized access and exploit weaknesses of attached systems. In addition, DoS attacks occur in several different ways. One is when the hacker continually broadcasts 802.11 clear-to-send (CTS) frames to themselves, which keeps other wireless clients from transmitting.

Another technique is when the hacker issues 802.11 disassociation frames to the access point for client devices that have legitimate associations. The result of these attacks is that an organization's WLAN becomes useless. A distribution center, for example, could lose the capability of employing wireless bar code scanners for performing receiving or shipping operations if a major DoS attack occurs.
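Both DoS patterns just described, a stream of disassociation frames against clients with legitimate associations and a continuous burst of CTS frames, show up to a wireless IDS sensor as an abnormal rate of management or control frames from one transmitter. The following Python sketch is an added example, not code from the article or from any product it mentions. It assumes the sensor has already decoded each frame into (timestamp, subtype, transmitter address); the thresholds, window sizes and MAC addresses are constructed for illustration and would be tuned per site in practice. The same windowed counter also catches the probe-request bursts from war-driving tools that the article discusses further on.

```python
from collections import defaultdict, deque

# Alert thresholds per frame subtype: (max frames, window in seconds).
# These numbers are assumed for the example; a real IDS tunes them per site.
THRESHOLDS = {
    "disassoc":  (20, 5.0),   # disassociation frames from one transmitter
    "deauth":    (20, 5.0),   # deauthentication frames, same attack family
    "cts":       (50, 1.0),   # CTS frames reserving the medium back-to-back
    "probe_req": (30, 10.0),  # probe-request bursts typical of scanning tools
}


class FrameFloodDetector:
    """Sliding-window counter of 802.11 frames per (subtype, transmitter)."""

    def __init__(self, thresholds=THRESHOLDS):
        self.thresholds = thresholds
        self.windows = defaultdict(deque)   # (subtype, ta) -> recent timestamps
        self.alerted = set()                # keys already reported, to avoid alert storms

    def observe(self, ts, subtype, ta):
        """Record one frame. Returns an alert dict when a threshold is first crossed."""
        if subtype not in self.thresholds:
            return None                     # data frames etc. are not rate-checked here
        limit, window = self.thresholds[subtype]
        key = (subtype, ta)
        recent = self.windows[key]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()                # drop frames that fell out of the window
        if len(recent) > limit and key not in self.alerted:
            self.alerted.add(key)
            return {"ts": ts, "subtype": subtype, "transmitter": ta,
                    "count": len(recent), "window_s": window}
        return None


def run_detector(frames, thresholds=THRESHOLDS):
    """Feed a list of (ts, subtype, transmitter) tuples and collect the alerts raised."""
    det = FrameFloodDetector(thresholds)
    alerts = []
    for ts, subtype, ta in sorted(frames):
        alert = det.observe(ts, subtype, ta)
        if alert:
            alerts.append(alert)
    return alerts


def constructed_capture():
    """Constructed sample: benign background traffic plus two floods (MACs are made up)."""
    ap = "02:00:00:00:00:01"          # legitimate access point (constructed address)
    client = "02:00:00:00:00:10"      # legitimate client
    attacker = "02:00:00:00:00:ff"    # spoofing station
    frames = []
    # Benign: data frames and one ordinary disassociation when a client leaves.
    for i in range(200):
        frames.append((i * 0.1, "data", client if i % 2 else ap))
    frames.append((15.0, "disassoc", ap))
    # Attack 1: 40 disassociation frames in 2 s aimed at tearing down associations.
    for i in range(40):
        frames.append((30.0 + i * 0.05, "disassoc", attacker))
    # Attack 2: 120 CTS frames in 1 s, holding the medium so nobody else transmits.
    for i in range(120):
        frames.append((45.0 + i / 120, "cts", attacker))
    return frames


if __name__ == "__main__":
    for alert in run_detector(constructed_capture()):
        print(alert)
```

Note that a single disassociation frame from the access point is normal and raises nothing; only the sustained rate from one transmitter trips an alert, and each (subtype, transmitter) pair alerts once so the console is not flooded along with the air.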

To The Rescue: IDS

It's not easy to design a wireless network that counters all security risks, especially DoS attacks. But one key tool that can help is an IDS. An IDS monitors the network, automatically blocks unauthorized access and sends alarms to appropriate staff when attacks occur. This is analogous to hiring a security guard to patrol the grounds of a building. These systems aren't cheap, typically costing from $10,000 to $20,000. But they significantly reduce wireless LAN security risks.

The following summarizes how an IDS significantly improves the security of a wireless LAN:

  • Illicit monitoring detection. Many of the war driving tools, such as NetStumbler, send a barrage of 802.11 probe request frames to prompt responses from access points. The access points reply with probe response frames, which contain details on service set identifier (SSID), channel settings and encryption types. This information is valuable to a hacker when planning an attack. An IDS continually monitors for these foreign probe requests and alerts staff when they are occurring. An IDS, however, can't detect passive monitoring tools, such as AirMagnet Surveyor, because they don't send probe requests.

  • Unauthorized access deterrence. A significant feature of IDSs is that they can detect and terminate rogue access points and unauthorized users. The IDS continually looks for suspicious signatures, such as invalid MAC addresses, non-applicable hardware vendors, and incorrect SSIDs. If a rogue or unauthorized user is found, most IDS systems, such as those from AirMagnet and AirDefense, can terminate the wireless connections of the applicable access points and users. From the wired side, IDS systems can also interface with wireless management platforms to block access from the offending station or disable the applicable access point.

  • Policy enforcement. Companies deploying wireless LANs can configure an IDS with appropriate security policies, such as requiring WPA for all client devices, a list of allowed SSIDs and a list of valid MAC addresses. The IDS continually monitors users and access points against these policies. If it finds any deviation, it automatically secures the system and informs appropriate staff. Policy enforcement also helps guard against denial of service attacks, because the IDS is watching the network closely.

Tracking Down Intruders

If someone gets through security, the IDS has a very good chance of noticing and applying effective countermeasures. These systems can also help find the people behind the malicious activity; most IDSs have provisions for locating intruders.
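The signature checks listed above (invalid MAC addresses, hardware vendors that don't belong, incorrect SSIDs, WPA required for every client) and the countermeasures this paragraph refers to can be expressed as a small policy engine run over each sensor sweep. The Python below is an added example, not code from the article or from AirMagnet, AirDefense or any other product; the policy table, BSSIDs, client MACs and vendor prefix are constructed placeholders, the security labels ('open', 'wep', 'wpa', 'wpa2') are an assumed encoding of what a sensor reports, and the recommended actions are illustrative rather than any vendor's actual response set.

```python
import re

# Site policy (constructed for the example; a real IDS loads this from its console).
POLICY = {
    "authorized_aps": {                      # BSSID -> the SSID it may advertise
        "00:aa:bb:00:00:01": "corp-wlan",
        "00:aa:bb:00:00:02": "corp-wlan",
        "00:aa:bb:00:00:03": "corp-guest",
    },
    "allowed_ssids": {"corp-wlan", "corp-guest"},
    "approved_ouis": {"00:aa:bb"},           # constructed vendor prefix of company APs
    "valid_clients": {"00:cc:dd:00:00:10", "00:cc:dd:00:00:11"},
    "required_security": {"wpa", "wpa2"},    # WPA required for all client devices
}

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def is_valid_unicast_mac(mac):
    """Well-formed and unicast: the group bit (low bit of the first octet) is clear."""
    mac = mac.lower()
    return bool(MAC_RE.match(mac)) and int(mac[:2], 16) & 1 == 0


def oui(mac):
    """First three octets, which identify the hardware vendor for globally assigned MACs."""
    return mac.lower()[:8]


def assess_ap(ap, policy=POLICY):
    """Findings for one observed access point as (finding, recommended action) pairs."""
    bssid, ssid, sec = ap["bssid"].lower(), ap["ssid"], ap["security"]
    findings = []
    if not is_valid_unicast_mac(bssid):
        findings.append(("invalid BSSID", "alert staff; treat as spoofed"))
    if bssid not in policy["authorized_aps"]:
        if ssid in policy["allowed_ssids"]:
            findings.append(("rogue AP advertising a corporate SSID",
                             "terminate associations; locate AP"))
        else:
            findings.append(("rogue AP", "locate AP; block on wired side"))
        if oui(bssid) not in policy["approved_ouis"]:
            findings.append(("non-applicable hardware vendor", "alert staff"))
    else:
        if ssid != policy["authorized_aps"][bssid]:
            findings.append(("incorrect SSID on managed AP", "alert staff; re-push config"))
        if sec not in policy["required_security"]:
            findings.append(("WPA policy violation", "disable AP via management platform"))
    return findings


def assess_client(client, policy=POLICY):
    """Findings for one observed client (mac, bssid it associated to, security in use)."""
    mac = client["mac"].lower()
    findings = []
    if not is_valid_unicast_mac(mac):
        findings.append(("invalid client MAC", "terminate association"))
    elif mac not in policy["valid_clients"]:
        findings.append(("unauthorized client", "terminate association; block on switch"))
    if (client["bssid"].lower() in policy["authorized_aps"]
            and client["security"] not in policy["required_security"]):
        findings.append(("client without WPA", "terminate association"))
    return findings


def assess_all(aps, clients, policy=POLICY):
    """Run the policy over a whole sensor sweep; returns {bssid or mac: findings}."""
    report = {}
    for ap in aps:
        if findings := assess_ap(ap, policy):
            report[ap["bssid"].lower()] = findings
    for client in clients:
        if findings := assess_client(client, policy):
            report[client["mac"].lower()] = findings
    return report


# Constructed sweep results; every address below is made up for the example.
CONSTRUCTED_APS = [
    {"bssid": "00:aa:bb:00:00:01", "ssid": "corp-wlan", "security": "wpa2"},   # compliant
    {"bssid": "00:aa:bb:00:00:03", "ssid": "corp-guest", "security": "open"},  # managed, no WPA
    {"bssid": "02:11:22:33:44:55", "ssid": "linksys", "security": "open"},     # employee's rogue AP
    {"bssid": "02:11:22:33:44:56", "ssid": "corp-wlan", "security": "wpa"},    # rogue posing as corporate
]
CONSTRUCTED_CLIENTS = [
    {"mac": "00:cc:dd:00:00:10", "bssid": "00:aa:bb:00:00:01", "security": "wpa2"},  # compliant
    {"mac": "00:cc:dd:00:00:99", "bssid": "00:aa:bb:00:00:01", "security": "wpa2"},  # unknown client
    {"mac": "01:00:5e:00:00:01", "bssid": "00:aa:bb:00:00:01", "security": "wpa2"},  # group address as source
]

if __name__ == "__main__":
    for ident, findings in assess_all(CONSTRUCTED_APS, CONSTRUCTED_CLIENTS).items():
        for finding, action in findings:
            print(f"{ident}: {finding} -> {action}")
```

The split between "rogue AP" and "rogue AP advertising a corporate SSID" matters for response: the first is typically the well-meaning employee's access point the article describes, the second is an unknown radio impersonating the corporate network and deserves the fastest containment.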

For example, AirMagnet uses triangulation to pinpoint the location of unauthorized clients and access points. With this knowledge, a company can carry out pre-planned procedures that notify appropriate security personnel with information on where they can find the bad guys.
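The article does not say how AirMagnet's triangulation works internally, so the following is an added example of the generic technique, not the product's code: several sensors at known positions each report the signal strength of the offending radio, each reading is turned into an estimated distance with a log-distance path-loss model, and the position that best fits all the distance circles is solved by least squares. The sensor layout, the path-loss parameters and the rogue's position used to synthesise the readings are all constructed for illustration.

```python
import math

# Log-distance path-loss model (assumed; vendors calibrate per site from survey data).
RSSI_AT_1M_DBM = -40.0      # signal strength expected 1 m from the transmitter
PATH_LOSS_EXPONENT = 3.0    # roughly 2.7 to 3.5 inside office buildings


def rssi_to_distance(rssi_dbm, p0=RSSI_AT_1M_DBM, n=PATH_LOSS_EXPONENT):
    """Invert rssi = p0 - 10*n*log10(d) to estimate distance in metres."""
    return 10 ** ((p0 - rssi_dbm) / (10 * n))


def distance_to_rssi(d, p0=RSSI_AT_1M_DBM, n=PATH_LOSS_EXPONENT):
    """Forward model, used here only to build the constructed measurements."""
    return p0 - 10 * n * math.log10(d)


def trilaterate(sensors, rssis):
    """Least-squares (x, y) from >= 3 sensors at known positions and their RSSI readings."""
    if len(sensors) < 3 or len(sensors) != len(rssis):
        raise ValueError("need at least three sensors with one reading each")
    d = [rssi_to_distance(r) for r in rssis]
    (x0, y0), d0 = sensors[0], d[0]
    # Subtracting sensor 0's circle equation from each other sensor's removes the
    # quadratic terms and leaves one linear equation a*x + b*y = c per sensor.
    rows = []
    for (xi, yi), di in zip(sensors[1:], d[1:]):
        a, b = 2 * (xi - x0), 2 * (yi - y0)
        c = (xi ** 2 + yi ** 2 - di ** 2) - (x0 ** 2 + y0 ** 2 - d0 ** 2)
        rows.append((a, b, c))
    # Normal equations (A^T A) v = A^T c, solved with Cramer's rule for the 2x2 case.
    s_aa = sum(a * a for a, _, _ in rows)
    s_ab = sum(a * b for a, b, _ in rows)
    s_bb = sum(b * b for _, b, _ in rows)
    s_ac = sum(a * c for a, _, c in rows)
    s_bc = sum(b * c for _, b, c in rows)
    det = s_aa * s_bb - s_ab * s_ab
    if abs(det) < 1e-9:
        raise ValueError("sensors are collinear; position is ambiguous")
    x = (s_ac * s_bb - s_ab * s_bc) / det
    y = (s_aa * s_bc - s_ab * s_ac) / det
    return x, y


# Constructed floor plan: four sensors at the corners of a 40 m x 30 m area.
CONSTRUCTED_SENSORS = [(0.0, 0.0), (40.0, 0.0), (0.0, 30.0), (40.0, 30.0)]
# Constructed "true" location of a rogue AP, used only to synthesise the readings.
CONSTRUCTED_ROGUE_XY = (12.0, 9.0)


def constructed_readings():
    """RSSI each sensor would report for the constructed rogue position (noise-free)."""
    return [distance_to_rssi(math.dist(s, CONSTRUCTED_ROGUE_XY)) for s in CONSTRUCTED_SENSORS]


def locate_constructed_rogue():
    return trilaterate(CONSTRUCTED_SENSORS, constructed_readings())


if __name__ == "__main__":
    x, y = locate_constructed_rogue()
    print(f"estimated rogue position: ({x:.1f} m, {y:.1f} m)")
```

With noise-free readings the estimate is exact; real RSSI varies by several dB with walls and people, and a few dB of error at a path-loss exponent of 3 translates into tens of percent of distance error, which is why vendors want sensors spaced densely enough that the located area is a room rather than a wing.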

Most IDS systems use separate sensors that a company installs throughout its facilities. For example, AirMagnet Enterprise 5.0 requires the installation of multiple AirMagnet SmartEdge sensors, which each monitor 802.11a/b/g activity in scan-only mode over a 50,000 square foot area. Up to 1,500 SmartEdge sensors interface to a single AirMagnet Enterprise Server. AirDefense has a similar solution. An advantage of using dedicated probes to perform the monitoring is that they operate independently of the operational wireless LAN.

Some of the wireless switch systems, such as the one offered by Airespace, integrate IDS sensors into the access points. This approach is often less expensive to deploy than having dedicated sensors, assuming you install Airespace access points. The IDS data, however, must traverse the same wireless network as operational data, which could limit the capacity available for higher-end wireless applications. In addition, this solution is not vendor agnostic.

Concluding Thoughts

An IDS is invaluable for filling the holes that security mechanisms, such as authentication and encryption, don't cover. Definitely consider implementing an IDS if you have over ten access points. You'll sleep better at night.

Jim Geier is the principal of Wireless-Nets, Ltd., a consulting firm assisting companies with the implementation of wireless mobile solutions.
