Risk Management of Wireless Networks

An anonymous reader writes "As wireless becomes a bigger part of our networks, those of us charged with maintaining them find ourselves also responsible for keeping drive-by script kiddies with a Pringles can out. BankInfoSecurity.com is running an excellent article on identifying and mitigating risks on wireless networks. The article was written by members of the Office of the Comptroller of the Currency (OCC) for banks, but it's applicable to any network environment and clearly lays out all the key steps to protecting wireless systems." There's nothing new here, really, but it's a good overview of issues to keep in mind when building a wireless net, as well as a good security plan starting point.

Banks?

I'm sorry, but banks should not be using wirless networks. Yes, yes, I realize wires are inconvenient, but they are much more secure. This is the customer's money and lives they're dealing with, not just some company secrets.

Re:Pringles Can?

[frankmanowar]

It seems you can make a wirelss antenna out of a pringles can.

The key to it all is education.

[James+A.+C.+Joyce]

I think that the problem is that there are a lot of people who are hearing of the WiFi craze, hearing that it is a good idea, and then setting up these adhoc networks. The problem is, they often don't bother to read up about the potential security risks of misconfiguration and so if (when?) they mess up, there's a wide open hole right there.

(And no, "wide open hole" isn't a goatse link :-))

VPN

[Munkey_123]

Just have your wireless devices set to a DMZ that opens to one page, a VPN portal. Then you have a wireless connection, with VPN providing your security. Voila...a little bit more cumbersome, but isn't your network integrity worth it?

SSIDs and WEP

[USAPatriot]

Ars Technica has a good summary of what you can do with SSID's and WEP to improve your wireless network's security:

Security Practicum: Essential Home Wireless Security Practices

POP passwords are the biggest risk I see out there

[Twid]

I've had some fun sniffing the network around the office, around town, and at O'Reilly OSXCon, and I think the biggest security risk I see on wireless networks are plaintext POP passwords going out in-the-clear.

It's amazing how many people who should know better are still using plain POP for grabbing their mail. Since most mail client recheck for mail every few minutes, it's quite simple to grab passwords. Using those password, a hacker can then try the same password to enter the network, read the person's e-mail to do subsequent social engineering, or just fish around the person's e-mail for interesting information.

The second thing I think most people don't realize is that on a standard wireless network all the HTTP url's they are surfing to with a web browser are public. This may not be a security risk, but companies also may not want a hacker in the parking lot to know that a server named secretinternaldata.mycompany.com exists.

I set up an SSH tunnel from my laptop to my squid proxy at home just for fun to see if I could fix the issue. It worked well, but of course it's not something the average end-user with a laptop on wireless could manage.

Anyway, that's my .02.

Reducing Risks of Wireless Networks

[gellenburg]

Disclaimer: I work in Information Security.

• APs should be configured so as not to broadcast their SSID.
• 128bit WEP keys should be chosen.
• • WEP keys should be changed as frequently as practical.
  • APs should be firewalled, and on their own DMZ.
  • If the AP supports it, consider MAC Address filtering by only allowing authorized MAC Addresses.
  • If the AP supports it, consider additional authentication such as RADIUS.

But, by all means:

• Please change the damned default SSID that was configured on your AP:
  • Linksys
  • Default
  • Netgear

We now return you to your regularly scheduled programming.

Re:Reducing Risks of Wireless Networks

[Twid]

Please change the damned default SSID that was configured on your AP

A funny aside:

I was in Park City visiting friends over the holidays. The ISP for the friend that I was staying at went out of business, so I walked around the house looking for another wireless AP.

At one corner of the house, I find one, and the name is the first initial and last name of the person running it. It's not running with any security so I'm able to hop onto the net. So, I feed in his first initial and last name and "park city" into google (on his own wireless, even) and google gives me his home address and phone number.

I felt like calling him to thank him for the free wireless access. :)

Re:POP passwords are the biggest risk I see out th

[gvc]

I agree 100%.

The hoopla about physical access security obscures the point that *all* internet traffic and most intranet traffic is viewable by others. It is a good idea to assume that all your networks are open and to use VPN, ssh, etc. to secure your data. And *never* send plain-text passwords.

If you lock your data down under this assumption (that all network traffic may be intercepted) the impetus for clunky and insecure wireless access restrictions is much diminished.

Conduct Wireless Audits

[lewko]

If you are responsible for a company's security, you should regularly search for wireless nodes within your organization which you are not aware of WHETHER OR NOT you are using wireless as policy.

I have been asked to assess companies and offered a wireless audit. They said "we don't use wireless". I checked anyway, and it turned out they DID have wireless (but didn't know about it) thanks to in one instance, a laptop acting as an AP and in another, a sysadmin who figured he'd plug in a wireless AP with built-in switch instead of a hub or switch, and wireless was turned on. This is all the more problematic as the laptop and wireless device were both inside the firewall and therefore represented a major hole.

Intruders may also leave wireless devices behind to save coming onto the site for subsequent eavesdropping. That is, they will bring your network to them rather than bringing themselves to your network.

In any case, fire up your stumbling application, a GOOD antenna and have a look around your own environment. You may be surprised what you see!

Re:Wireless should not be used for sensitive info

[Frennzy]

The government already uses wireless links for data. Ever heard of satellite communications?

Back to the point, 802.11 networks are inherently insecure.

WEP is fairly trivial to crack for someone determined to break in. The problem lies in the init vector of the key, not the length of the key.

SSID 'hiding' achieves nothing...the first time your box associates or reassociates, a listener has your SSID.

WPA is not as secure as people think either, even with a PSK. This was covered on /. a week or so ago (or was that Ars?)

MAC filtering is beyond trivial...most NIC drivers nowdays allow you to set your MAC...which you could easily see on a target network while hunting.

You can make your home network more effort than it's worth to hijack...but for business use, make damned sure you want that traffic exposed...because you simply have to assume it will be. I wouldn't install wireless client access in a work environment without the use of VPN. I've heard some interesting theories about getting past even *that*, but I've never seen or heard a practical way to do it.

Unless and until I see some more thorough reviews of the newer 802.11 security standards (EAP and it's variants) I wouldn't implicitly trust them...however I do get the feeling they are going to be far more difficult to compromise.

As mentioned in a previous post, there are a number of problems with wireless that many people don't think about, especially in a corporate environment. One of the worst is the rogue AP. I've found no less than three unauthorized WAPs on networks I've run in the last three years. Each time it was a (l)user who brought it and just plugged it into their switch port so they could 'use their laptop'. Each time, the AP was completely wide open. So much for the quarter-million-dollar security infrastructure of firewall, VPN, IDS, etc. They might as well have run a wire outside the building and hooked up a PC with a sign that said 'Free Corporate Access!'

There is yet another problem with rogue access points. Someone who brings one into close proximity with your wireless users. Guess what information the blackhat can get in that scenario?

A doctor replies

[The+Tyro]

Tell him... gently.

Explain to him that you're a hardcore networking geek with an interest in security, and that you often run security checks against your own systems. You were there, running one just for kicks, and viola! You are a patient of his presumably, so you already have a relationship and rapport... it would be different if you were some joe-blo off the street who came waltzing into his office running kismet on your Zaurus.

He probably has NO CLUE that whoever set up his network has left it open to be plundered (tech-saavy doctors are rare. Thinking about all my colleagues, I can count the tech-saavy on one hand).

Take him aside privately, and explain to him that you were hesitant to come forward (for obvious reasons... like being labeled a cracker), but that you really felt he should know what was up, not only for the security of your own medical records, but also for the security of everyone else's. Heh... he might even hire you to help fix it.

You will likely find him VERY receptive if you approach him the right way. I'm quite certain he contracts his IT stuff out to somebody, so he probably has ZERO emotional investment in the security of his network... he just wants it to work, and pass HIPAA muster (which it probably doesn't right now).

I bet he'd be receptive.