Securing 802.11 wireless LANs


Wireless LANs often propagate data to areas outside the physical control of an organization. Radio waves penetrate building walls and can be received in the office next door, a facility's parking lot, and possibly a couple blocks away. Do you worry that someone could retrieve your company's sensitive information by lurking nearby with a PC equipped with the wireless network interface card your organization uses? Relax -- it's not that easy.

An IEEE 802.11 wireless station will not process data over the wireless network unless its network ID, also called a Basic Service Set Identification, is the same as other stations on the network. Sent in every 802.11 data packet, the network ID is a six-byte code word that distinguishes one wireless LAN from another. Access points check the network ID when each station initiates a connection to the network. If the ID doesn't match the one stored in the access point, then the station cannot establish a connection to the wireless LAN. Thus, an intruder must obtain the network ID necessary to join the network. This should be difficult, assuming you keep the network ID codes confidential.

With the correct network ID, someone could configure a portable computer with an appropriate radio card and gain access to your wireless LAN. The trespasser shouldn't get very far, however, if your servers and applications require a username and password. Always invoke security mechanisms when giving users access to sensitive applications and data.

You can provide another level of security by using 802.11's Wireless Equivalent Privacy (WEP) protocol. Most wireless LAN vendors offer WEP as an option for their standard radio cards and access points.

One WEP feature, shared key authentication, ensures that only authorized stations can access the wireless LAN. Shared key authentication operates as follows:

  1. A station requesting 802.11 service sends an authentication frame to another station.
  2. When a station receives an initial authentication frame, the station replies with an authentication frame containing 128 octets of challenge text.
  3. The requesting station copies the challenge text into an authentication frame, encrypts it with a shared key using the WEP service, and sends the frame to the responding station.
  4. The receiving station decrypts the challenge text using the same shared key and compares it to the challenge text sent earlier. If they match, the receiving station replies with an authentication acknowledgement. If not, the station sends a negative authentication notice.

Another way to compromise a wireless LAN is to use specialized equipment to capture information bits being sent over the air, decode them, and read the contents of email, files, or financial transactions. This doesn't necessarily require the network ID because the monitoring equipment doesn't need to establish a connection to the wireless LAN. The equipment passively listens to the transmissions as they propagate through the air. However, this process does require the proper monitoring equipment to correctly demodulate the received spread spectrum signal.

This security problem also exists with wired Ethernet networks, but to a lesser degree. Current flow through the wires emits electromagnetic waves that can be received with sensitive listening equipment. This method necessitates a much closer proximity to the cable to receive the signal, so the intruder must generally be within the physical boundaries of the company.

To avoid this problem on the wireless LAN, use WEP to encrypt transmissions between stations to avoid disclosure to eavesdroppers. WEP uses the RC4 encryption engine and a 40-bit key. Stations can also utilize WEP without authentication services, but I recommend implementing both WEP and authentication to minimize your vulnerability to packet snooping.

Stay tuned. Next time we'll discuss the wireless middleware that is critical for maintaining reliable communications over a wireless network.

ITWorld DealPost: The best in tech deals and discounts.