Risk Management of Wireless Networks

An anonymous reader writes "As wireless becomes a bigger part of our networks, those of us charged with maintaining them find ourselves also responsible for keeping drive-by script kiddies with a Pringles can out. BankInfoSecurity.com is running an excellent article on identifying and mitigating risks on wireless networks. The article was written by members of the Office of the Comptroller of the Currency (OCC) for banks, but it's applicable to any network environment and clearly lays out all the key steps to protecting wireless systems." There's nothing new here, really, but it's a good overview of issues to keep in mind when building a wireless net, as well as a good security plan starting point.

Banks?

I'm sorry, but banks should not be using wirless networks. Yes, yes, I realize wires are inconvenient, but they are much more secure. This is the customer's money and lives they're dealing with, not just some company secrets.

Re:Banks?

[chihowa]

Exactly.

I'd say that one of the most difficult (and dangerous (getting caught-wise)) aspects of getting info off of a network is actually getting yourself into the network. Having a wireless link in removes a great deal of the danger (of getting caught), and leaves the intruder plenty of time to do the job more efficiently (making security's job harder).

A big fat lock on the door keeps most intruders out. (and WEP and MAC filtering don't count as locks)

Wireless should not be used for sensitive info

[stuph]

I have great doubts that say, the government will ever allow sensitive or classified information to go on a wireless link, even if it is "secured".. there's just too much freedom in the air between origin and destination.
Fiber should continue to be used for any info that could be considered sensitive at all.. but then again, who am i kidding.. businesses just want things to be easy, not safe

Re:Wireless should not be used for sensitive info

[Frennzy]

The government already uses wireless links for data. Ever heard of satellite communications?

Back to the point, 802.11 networks are inherently insecure.

WEP is fairly trivial to crack for someone determined to break in. The problem lies in the init vector of the key, not the length of the key.

SSID 'hiding' achieves nothing...the first time your box associates or reassociates, a listener has your SSID.

WPA is not as secure as people think either, even with a PSK. This was covered on /. a week or so ago (or was that Ars?)

MAC filtering is beyond trivial...most NIC drivers nowdays allow you to set your MAC...which you could easily see on a target network while hunting.

You can make your home network more effort than it's worth to hijack...but for business use, make damned sure you want that traffic exposed...because you simply have to assume it will be. I wouldn't install wireless client access in a work environment without the use of VPN. I've heard some interesting theories about getting past even *that*, but I've never seen or heard a practical way to do it.

Unless and until I see some more thorough reviews of the newer 802.11 security standards (EAP and it's variants) I wouldn't implicitly trust them...however I do get the feeling they are going to be far more difficult to compromise.

As mentioned in a previous post, there are a number of problems with wireless that many people don't think about, especially in a corporate environment. One of the worst is the rogue AP. I've found no less than three unauthorized WAPs on networks I've run in the last three years. Each time it was a (l)user who brought it and just plugged it into their switch port so they could 'use their laptop'. Each time, the AP was completely wide open. So much for the quarter-million-dollar security infrastructure of firewall, VPN, IDS, etc. They might as well have run a wire outside the building and hooked up a PC with a sign that said 'Free Corporate Access!'

There is yet another problem with rogue access points. Someone who brings one into close proximity with your wireless users. Guess what information the blackhat can get in that scenario?

Re:Reducing Risks of Wireless Networks

[azuretek]

"I felt like calling him to thank him for the free wireless access. :)"

You should have, if he's left his network open for everyone to use and he's bright enough to change the network ID then I'm sure he did this on purpose. I do the same and I expect others to do the same so that we can all get free net anywhere we go.

Re:POP passwords are the biggest risk I see out th

[micsaund]

The problem with plaintext POP passwords is that many ISPs (mine included) do not offer any other option. I wish they would, but they do not.

Thus, I just choose a mail-only password that I use for POP access. I guess a hacker could read my e-mail and maybe even send mail as me, but I've done what I can to minimize the risk of stupidly designed mailservers.

Re:SSIDs and WEP

[Zocalo]

Yes, it's security through obscurity, and not very opaque obscurity at that, but that's not really the point. It's more of a deterrant to stop the casual cracker, rather than the determined one. It's kind of like not responding to ICMP pings; by default a lot of port scanners don't scan an IP that fails to respond to a ping. Blocking pings prevents full port scans from those that don't know any better. It also prevents scans from those that do know about this, but work to the assumption that if you are blocking pings, then you probably have a firewall and who knows what else and move onto the softer target a few IPs along.

Besides, for me at least, wireless isn't about performance, it's about the convenience factor. I like being able to take my laptop out into the garden when the sun shines without a 20m CAT5 umbilical cable shoved through a window!

script kiddies

[SparafucileMan]

As wireless becomes a bigger part of our networks, those of us charged with maintaining them find ourselves also responsible for keeping drive-by script kiddies with a Pringles can out.

Nevermind the professional hackers with a 12db antenna engaged in corporate espionage...

I mean seriously, I think the scR1pt k1Dd13 n00bs are the least of our problems.

Re:SSIDs and WEP

As people've said before, your MAC list is only effective is no one ever uses it. As soon as a whitelisted computer logs on their MAC's all over the air. Clearly this can't work for a financial institution. WEP, WAP, etc... all seem poorly implemented (however newer routers seem to nix airsnort pretty effectively by not using weak IVs). No SSID makes the AP silent to NetStumbler but any nix hacker with Kismet will see the anonymous beacon packets.

As for a honeypot to distract attackers, that may be interesting, but if you really care it'd be more interesting to get around to setting up an encrypted VPN.

This paranoia about sending information over the air is unwarranted; there're plenty of working encryption systems out there, if only they're implemented correctly. If you want a quick solution, setup a squid proxy and then tunnel your connection to it over ssh. But banks should have specific VPNs on top of the more obvious measures.

A doctor replies

[The+Tyro]

Tell him... gently.

Explain to him that you're a hardcore networking geek with an interest in security, and that you often run security checks against your own systems. You were there, running one just for kicks, and viola! You are a patient of his presumably, so you already have a relationship and rapport... it would be different if you were some joe-blo off the street who came waltzing into his office running kismet on your Zaurus.

He probably has NO CLUE that whoever set up his network has left it open to be plundered (tech-saavy doctors are rare. Thinking about all my colleagues, I can count the tech-saavy on one hand).

Take him aside privately, and explain to him that you were hesitant to come forward (for obvious reasons... like being labeled a cracker), but that you really felt he should know what was up, not only for the security of your own medical records, but also for the security of everyone else's. Heh... he might even hire you to help fix it.

You will likely find him VERY receptive if you approach him the right way. I'm quite certain he contracts his IT stuff out to somebody, so he probably has ZERO emotional investment in the security of his network... he just wants it to work, and pass HIPAA muster (which it probably doesn't right now).

I bet he'd be receptive.