Why Your Firewall, VPN, and IEEE 802.11i Aren´t Enough to Protect Your Network Overview

Like any network technology, wireless local area networks (WLANs) need to be protected from security threats. Though recent developments in IEEE standards have been designed to help ensure privacy for authenticated WLAN users, WLAN clients and enterprise infrastructure can still be vulnerable to a variety of threats that are unique to WLANs. Mischievous hackers may try to attack the network, or a negligent employee may create a security breach that leaves the corporate WLAN or a client device vulnerable to attack. These threats cannot be mitigated by traditional firewall technologies and virtual private networks (VPNs), nor eliminated through encryption and authentication mechanisms used in conventional enterprise network security systems. With a comprehensive approach to WLAN security, an intrusion detection and prevention system (IDS/IPS) for WLANs adds to IEEE standards-based technology and wired network security mechanisms. An IDS/IPS specifically designed for WLANs addresses the risks associated with this networking technology.

A new class of security threats to enterprise networks

The prevailing model of enterprise network security is rooted in the axiom that being "physically inside is safe and outside is unsafe." Connecting to a network point within the enterprise is generally considered safe and is subject to weaker security controls. On the other hand, tight security controls are enforced at the network traffic entry and exit points using firewalls and VPNs.

A WLAN breaks the barrier provided by the building perimeter as the physical security envelope for a wired network because invisible radio signals used by the WLAN cannot be confined within the physical perimeter of a building, and usually cut through walls and windows. This creates a backdoor for unauthorized devices to connect to the enterprise network. Some specific security threats from WLANs are described below.

Rogue APs: WLAN Access Points (APs) are inexpensive, easy to install, and small enough to be carried by a person. Unauthorized WLAN APs can be connected to an enterprise network unwittingly or with malicious intent—without the knowledge of IT—by simply carrying the device inside the enterprise and connecting it to an Ethernet port on the network.

Since rogue APs are typically deployed by employees looking for quick wireless access, they are usually installed without any WLAN security controls (such as Access Control Lists, Wired Equivalent Protocol, 802. 1X, 802.11 i, etc.). These can be connected to virtually any Ethernet port on the network, bypassing existing WLAN security control points such as the HP ProCurve Intelligent Mobility System (IMS) and firewalls. The radio coverage of rogue APs cannot be confined within the building perimeter of the enterprise, meaning that unauthorized users can connect to the enterprise network through these rogue APs using their radio spillage. The invisibility of wireless medium makes this kind of access difficult to prevent.

Soft APs: With client cards and embedded WLAN radios in PDAs and laptops, a threat called "soft AP" is on the rise. A soft AP functions as an AP under software control and can be launched inadvertently or through a virus program, allowing unauthorized users to connect to the enterprise network through soft APs using radio spillage.

MAC spoofing: APs in a WLAN transmit beacons (or probe responses) to advertise their presence in the air. The beacons of an AP contain information about its MAC address, which is its identity, and SSID, which is the identity of the network it supports. Wireless clients listen to beacons from different APs in the vicinity. Clients typically connect to an AP that advertises the desired SSID and transmits a strong beacon signal. A number of WLAN AP models available in the market allow their MAC addresses and SSIDs to be user defined. APs as well as many software tools enable setting of MAC addresses and SSIDs of AP devices to virtually any user-defined values.

In MAC spoofing, the attacker programs the AP to advertise exactly the same identity information as that of the victim AP. A MAC spoofing AP can also launch disruptive attacks such as packet dropping and packet corruption and modification. A MAC Spoofing AP can even connect to the wired enterprise network as a rogue AP and evade detection by conventional site survey tools. In addition, a MAC spoofing AP can lure authorized wireless clients in the enterprise WLAN into establishing a connection and providing confidential information.

Honeypot APs: Wireless networks can coexist in the same space, enabling users to connect to any available network, whether one´s own network or another network in the vicinity with overlapping radio coverage. This access to co-existing WLANs can be exploited by intruders who set up an unauthorized wireless network by powering on an AP in the vicinity (e.g. street or parking lot) of the enterprise wireless network. These APs, called "Honeypot" APs or "Evil Twins," entice authorized enterprise clients into connecting to them by transmitting a stronger beacon signal and MAC spoofing. An authorized user unwittingly connecting to a Honeypot AP creates security vulnerability by inadvertently providing sensitive information such as its identity. Authorized wireless clients in the enterprise WLAN can also accidentally connect to non-malicious neighboring APs called "client mis-associations," creating security vulnerability as the wireless clients may inadvertently provide confidential information to such APs.

Denial of service: WLANs are being increasingly entrusted with carrying mission-critical applications such as database access, VoIP, e-mail, and Internet access. These applications can be disrupted by a denial of service (DoS) attack, causing network downtime, user frustration, and loss of productivity.

Because 802.11 WLAN transmissions are a shared medium, they are easily susceptible to DoS attacks. Additionally, "soft spots" in the 802.11 MAC protocol can easily be exploited to launch DoS attacks. DoS attacks such as authentication, association, de-authentication or disassociation floods, NAV attacks, CTS floods, and EAP and EAPOL message floods are easy to launch and can bring down the entire enterprise WLAN.