Unsecured Wi-Fi access points a concern
While Wi-Fi has provided significant benefits for enterprise customers, it also has generated significant headaches. “Rogue” access points operating without company blessing and potentially installed for industrial espionage are a real threat to a secure corporate computing environment.
According to security companies, federal requirements such as the HIPAA health care privacy act and the Sarbanes-Oxley financial reporting rules have pushed publicly owned companies to increase efforts to monitor and control Wi-Fi networks. In addition, the Department of Defense, in a directive issued in April 2004, established policies for securing and using commercial wireless devices and technologies — including Wi-Fi — in its worldwide information network.
Compounding matters, out-of-the-box security standards such as WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access) are “inadequate,” said Phil Solis, Wi-Fi analyst at ABI Research. “WPA2 will be available in the future, but it can be broken into if used with a password that can be found through a dictionary check. This isn’t new news.”
The abundance of unsecured Wi-Fi access points in operation around the world also is compounding matters, according to research conducted by Chris Hurley, author of “Wardriving: Drive, Detect, Defend.” In 2004, Hurley organized an effort to “wardrive” — search for open Wi-Fi access points — in cities around the world. More than 228,000 access points were discovered in operation, with fewer than 40% of them using WEP security. Even after ruling out home users, there’s a “lot of open equipment out there,” said Hurley.
Increasingly, organizations are moving to monitor Wi-Fi emissions regardless of whether corporate IT policies permit such devices.
“A third of our customers have no wireless LANs and want to make sure they don’t,” said Jay Chaudhry, executive chairman and co-founder of AirDefense, a leader in wireless LAN monitoring solutions. “We had not thought there would be such a big demand. Monitoring makes sure people are enforcing security policy. Unless you monitor the [airwaves], the policy is useless.”
Chaudhry said financial services customers don’t deploy wireless LANs because of security considerations and want to make sure that employees don’t set up unauthorized access points for their convenience.
Companies that start monitoring Wi-Fi emissions often end up surprised at what they find.
“The key thing for an enterprise is that many of them don’t realize they already have wireless [LANs],” said Karl Feilder, CEO and president of Red-M, another maker of wireless LAN monitoring gear. “[That] leaves them wide open.”
Feilder said about 80% of his company’s sales are to clients that believe they don’t have any sort of wireless LAN on the premises. Unfortunately, enterprise employees often install low-cost consumer Wi-Fi equipment without the knowledge or permission of the corporate IT staff.
“Nearly every one of them that [monitored for Wi-Fi] found they do have lots of wireless,” Feilder said. “Because there is no corporate plan for deployment, there is no wireless security plan.”
In three years of operations, AirDefense has accumulated about 350 customers, including clients in the Fortune 2000, the health care sector and more than 50 government organizations, including the DOD. In addition, Cisco Systems and IBM both have selected the company’s solution for wireless security monitoring. Many customers first obtain a wireless LAN monitoring system for “cleansing the air” — establishing a baseline of radio frequency (RF) emissions in the area and detecting any unauthorized equipment — before rolling out a sanctioned Wi-Fi solution.
“I was personally surprised to see every customer was requiring monitoring security upfront before deploying [Wi-Fi],” Chaudhry said. “Our customers are in different states of deploying wireless LANs. While 80 to 85 percent of them have some degree of wireless deployment, only 20 to 25 percent have [a solution] deployed companywide. Others have divisional, departmental rollouts and lab testing going on to make sure it is secure.”
AirDefense’s solution uses a set of sensors deployed at key locations around the area to be monitored and a centralized server to correlate data. A single hardware sensor, built around a wireless LAN access point and loaded with the company’s specialized software, can provide coverage over two to three floors of an office building, or about 20,000 to 25,000 square feet of space. Each sensor contains a pair of radios that constantly scan the 2.4 GHz and 5 GHz bands for 802.11a/b/g wireless traffic; the sensor preprocesses the wireless LAN packets it discovers before forwarding the suspect information over the corporate wired LAN to the server for further processing.
The server then analyzes collected traffic for the presence of unauthorized devices — logging what they are doing, time of day, bands being used — and looks for attacks such as network address spoofing and denial-of-service. Depending on the configuration, the server can do something as simple as send an e-mail alarm to a network manager. Or it can terminate a wireless connection, sending a message to a wired router to shut down the wired port of an unauthorized wireless device on the corporate LAN.
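The sensor/server split described above boils down to a correlation step on the server: compare what the radios hear against an inventory of sanctioned access points, record the band and time of day, watch for the classic 802.11 attacks, and pick a response from a configured policy. The following Python sketch is an added example of that step; it is not AirDefense's or Red-M's code and not from the original article. The BSSIDs, SSIDs, the five-frame deauthentication threshold and the response policy are all constructed assumptions, and the observation feed is constructed sample data rather than a real capture.

```python
from collections import Counter
from datetime import datetime

# Authorized access-point inventory (hypothetical BSSIDs/SSID, assumed here):
# BSSID -> SSID the enterprise sanctioned for that radio.
AUTHORIZED_APS = {
    "00:0b:86:11:22:33": "CORP-WLAN",
    "00:0b:86:11:22:34": "CORP-WLAN",
}

# Response policy per alert kind, mirroring the article's "e-mail alarm" versus
# "terminate the connection" configurations (assumed policy, not vendor defaults).
RESPONSE_POLICY = {
    "rogue_ap": "email",
    "ssid_spoof": "terminate",
    "deauth_flood": "email",
}

DEAUTH_BURST_THRESHOLD = 5  # deauth frames from one source within one minute


def band_for_channel(channel):
    """802.11b/g channels 1-14 sit in 2.4 GHz; everything else here is 5 GHz (802.11a)."""
    return "2.4GHz" if 1 <= channel <= 14 else "5GHz"


def analyze(observations):
    """Correlate sensor observations into alerts.

    Each observation is a dict with ts (ISO 8601), type ("beacon" or "deauth"),
    channel, and either bssid+ssid (beacon) or src (deauth).
    Returns a list of alert dicts; each unauthorized BSSID alerts only once.
    """
    alerts = []
    reported_bssids = set()
    deauth_counts = Counter()
    authorized_ssids = set(AUTHORIZED_APS.values())

    for obs in observations:
        ts = datetime.fromisoformat(obs["ts"])
        band = band_for_channel(obs["channel"])

        if obs["type"] == "beacon":
            bssid = obs["bssid"].lower()
            if bssid in AUTHORIZED_APS or bssid in reported_bssids:
                continue
            reported_bssids.add(bssid)
            # An unknown radio advertising the corporate SSID is treated as a
            # spoof (evil twin); any other unknown radio is a plain rogue AP.
            kind = "ssid_spoof" if obs["ssid"] in authorized_ssids else "rogue_ap"
            alerts.append({
                "kind": kind, "bssid": bssid, "ssid": obs["ssid"], "band": band,
                "channel": obs["channel"], "first_seen": obs["ts"], "hour": ts.hour,
                "action": RESPONSE_POLICY[kind],
            })

        elif obs["type"] == "deauth":
            # Deauthentication floods are the textbook 802.11 denial of service:
            # count frames per source per wall-clock minute and alert once when
            # the burst reaches the threshold.
            minute = ts.strftime("%Y-%m-%dT%H:%M")
            key = (obs["src"].lower(), minute)
            deauth_counts[key] += 1
            if deauth_counts[key] == DEAUTH_BURST_THRESHOLD:
                alerts.append({
                    "kind": "deauth_flood", "src": key[0], "band": band,
                    "channel": obs["channel"], "minute": minute,
                    "action": RESPONSE_POLICY["deauth_flood"],
                })
    return alerts


# Constructed sample feed (not real captures): what one sensor might forward.
SAMPLE_OBSERVATIONS = [
    {"ts": "2005-01-10T09:02:11", "type": "beacon", "channel": 6,
     "bssid": "00:0b:86:11:22:33", "ssid": "CORP-WLAN"},          # sanctioned AP
    {"ts": "2005-01-10T09:05:40", "type": "beacon", "channel": 11,
     "bssid": "00:13:46:aa:bb:cc", "ssid": "linksys"},            # consumer AP, rogue
    {"ts": "2005-01-10T09:05:50", "type": "beacon", "channel": 11,
     "bssid": "00:13:46:aa:bb:cc", "ssid": "linksys"},            # repeat: no second alert
    {"ts": "2005-01-10T22:14:03", "type": "beacon", "channel": 36,
     "bssid": "00:0f:66:de:ad:01", "ssid": "CORP-WLAN"},          # unknown radio, corporate SSID
] + [
    {"ts": f"2005-01-10T22:15:{sec:02d}", "type": "deauth", "channel": 36,
     "src": "00:0f:66:de:ad:01"} for sec in range(0, 12, 2)       # six frames in one minute
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_OBSERVATIONS):
        print(alert)
```

Alerting once per BSSID keeps a rogue that beacons ten times a second from flooding the network manager's inbox, and keying the deauthentication counter on (source, minute) keeps memory bounded no matter how long the sensor runs.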
An entry-level system with four sensors and a server starts at about $7000 and offers coverage over eight to 10 floors of an office building. Server size is driven by the RF bandwidth traffic moving around, with a server able to process up to “several hundred” sensors in a light environment. Chaudhry said AirDefense’s largest customer had implemented a scaled solution to monitor 290 physical locations across five continents; the system is capable of monitoring 50,000 Wi-Fi devices using 1800 access points.
Red-M offers a slightly different solution for Wi-Fi monitoring. For about $800, a single Red-Alert PRO device about the size of a smoke alarm provides complete stand-alone monitoring of both Bluetooth and Wi-Fi usage. It has a built-in Web server and SNMP network messaging so it can be integrated into an existing wired LAN monitoring system with relatively little overhead. Multiple Red-Alert PRO devices can be deployed in combination with a coordinating server running Red-Detect and Red-Vision software for extended coverage in a building or campus environment. Red-Detect provides the ability to block unauthorized wireless devices while Red-Vision can import maps and floor plans for managing and coordinating hundreds of Red-Alert PRO devices.
Regardless of the tools, wireless LAN security currently is a moving target, according to Chaudhry.
“Eighteen months ago, the big worry was rogue access points, now it’s shifting to rogue stations,” he said. “The employee sits in the office, plugs into the wired LAN, and his wireless laptop becomes a wonderful bridge transmitting information to the building across the street. Wireless laptops are opening up back doors. Every company wants to make sure there are no back doors.” Other issues on the horizon include monitoring for abuse of short-range 2.4 GHz Bluetooth and longer-range WiMAX devices.
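The rogue-station case Chaudhry describes is a correlation problem rather than a pure over-the-air one: the evidence lives partly in what the sensors hear and partly in the wired switches. As an added example, not from the article and not either vendor's product code, the Python below joins the two views. It assumes a hypothetical asset inventory that maps each laptop to its wired and wireless NIC MACs (the two interfaces carry different addresses, so the join cannot be done on a single MAC), a sensor report of which stations are associated to which BSSID, and a switch forwarding table of the kind an SNMP bridge MIB query would return. All MACs, port names and SSIDs are constructed sample values.

```python
# Hypothetical inventory of sanctioned corporate BSSIDs (constructed values).
CORPORATE_BSSIDS = {"00:0b:86:11:22:33", "00:0b:86:11:22:34"}

# Asset inventory (constructed): hostname -> (wired NIC MAC, wireless NIC MAC).
# A laptop's two interfaces have different MACs, so this mapping is what lets
# the wired and wireless views be joined at all.
ASSETS = {
    "lt-finance-07": ("00:11:43:00:00:07", "00:0e:35:00:00:07"),
    "lt-eng-12":     ("00:11:43:00:00:12", "00:0e:35:00:00:12"),
}

# Sensor view (constructed): wireless stations seen associated, and to which AP.
AIR_ASSOCIATIONS = [
    {"sta": "00:0e:35:00:00:07", "bssid": "00:1c:10:ff:ee:01", "ssid": "NeighborNet"},  # foreign AP
    {"sta": "00:0e:35:00:00:12", "bssid": "00:0b:86:11:22:33", "ssid": "CORP-WLAN"},    # sanctioned
    {"sta": "00:1c:10:ff:ee:55", "bssid": "00:1c:10:ff:ee:01", "ssid": "NeighborNet"},  # foreign station
]

# Wired view (constructed): switch access port -> MACs it has learned.
SWITCH_FDB = {
    "sw1/Gi0/7":  {"00:11:43:00:00:07", "00:1c:10:ff:ee:55"},  # a foreign station's MAC on the wire
    "sw1/Gi0/12": {"00:11:43:00:00:12"},
}


def detect_bridges(assets, air_associations, switch_fdb, corporate_bssids):
    """Flag wired ports behind which a wireless laptop may be acting as a bridge.

    Two independent checks, each producing a finding with the port to disable:
      dual_homed       an inventoried laptop is associated to a non-corporate AP
                       while its wired NIC is live on a switch port;
      bridged_station  a MAC the sensors saw as a wireless station has been
                       learned on a wired port, i.e. frames are being relayed.
    """
    wired_to_host = {wired: host for host, (wired, _) in assets.items()}
    wireless_to_host = {wifi: host for host, (_, wifi) in assets.items()}
    port_of_mac = {mac: port for port, macs in switch_fdb.items() for mac in macs}
    air_stations = {a["sta"].lower() for a in air_associations}
    findings = []

    # Check 1: laptop on a foreign AP with its wired side plugged in.
    for assoc in air_associations:
        if assoc["bssid"].lower() in corporate_bssids:
            continue  # talking to a sanctioned AP is fine
        host = wireless_to_host.get(assoc["sta"].lower())
        if host is None:
            continue  # not an inventoried asset; check 2 may still catch it
        port = port_of_mac.get(assets[host][0])
        if port is not None:
            findings.append({"kind": "dual_homed", "host": host, "port": port,
                             "foreign_ssid": assoc["ssid"], "action": "disable_port"})

    # Check 2: a wireless station's MAC appearing on a wired access port.
    for port, macs in sorted(switch_fdb.items()):
        for mac in sorted(macs):
            if mac in wired_to_host:
                continue  # the port's own legitimate wired NIC
            if mac in air_stations:
                findings.append({"kind": "bridged_station", "mac": mac, "port": port,
                                 "action": "disable_port"})
    return findings


if __name__ == "__main__":
    for finding in detect_bridges(ASSETS, AIR_ASSOCIATIONS, SWITCH_FDB, CORPORATE_BSSIDS):
        print(finding)
```

The first check fires before any traffic has crossed the bridge, which is the point of catching the back door early; the second needs no inventory entry and so also covers an unmanaged laptop, at the price of only firing once a relayed frame has already reached the wire. In a real deployment the "disable_port" action is the switch-port shutdown the article describes, and the inventory would come from the asset-management system rather than a hard-coded dict.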
Complicating matters further is the evolution of sophisticated attack tools created by hackers and a corresponding lack of effective defense mechanisms, according to Don Bailey, a consultant with the Shmoo Group, a non-profit security collaborative.
“There’s a boatload of wireless [intrusion detection systems] being pimped to corporate types, and for the most part, they focus on keeping the wireless network admin aware that something terrible is going on,” Bailey said. “That’s hilarious because the wireless network admin is the regular network admin, and he doesn’t have time to save his users’ [rears] at the drop of a hat.”
However, Shmoo Group has developed “quite a dandy list” of publicly available wireless security tools over the past few years, Bailey said, including the AirSnort software package for WEP encryption monitoring and a “Sniper Yagi” that mounts a 14.6 dBi Yagi antenna for Wi-Fi monitoring onto a rifle stock for precision aiming of the antenna at a facility over long distances.
“There are some newer wireless attack tools on the immediate horizon that people might be talking about in the halls of ShmooCon [a computer security convention] in February,” Bailey said. “Sexy and evil stuff in my opinion.”