Guideline for Safety Using Wireless LAN
Wireless LAN (WLAN) is now widely deployed in Hong Kong. You can find paid Wi-Fi hotspots in telephone kiosks, plazas, Internet cafes and hostels, and free public Wi-Fi hotspots in public libraries, cultural and recreational centres, job centres, community halls, large parks and Government office buildings. All you need is a wireless device (e.g. a notebook, PDA or mobile phone) with Wi-Fi (IEEE 802.11b/g/n) capability to browse the Internet almost anywhere. However, Wi-Fi has security weaknesses, and if it is not properly deployed it can create serious security risks.
What is 802.11 and Wi-Fi?
Wireless LAN can be considered an extension of conventional LAN technology. Instead of copper wires, a wireless LAN uses high-frequency radio waves to carry signals. If your home has a wireless LAN device installed, you can connect to the Internet over radio. The common WLAN standards are IEEE 802.11a, 802.11b, 802.11g and 802.11n (collectively called Wi-Fi). They operate in the unlicensed 2.4 GHz (b, g, n) and 5 GHz (a, n) bands. The popular 802.11b/g/n standards define 14 channels in the 2.4 GHz band (in Hong Kong, use is limited to the first 11 channels), with nominal maximum data rates of 11 Mbps (802.11b), 54 Mbps (802.11g) and 300 Mbps (802.11n); real throughput is lower. When the signal is weak or the environment is noisy, the negotiated data rate and the transmission range both drop. Adding an antenna to the Access Point (AP) or the client can improve performance, and some products use multiple antennas with multiple-input multiple-output (MIMO) technology to increase throughput and range. WLAN is a shared medium, so collisions are to be expected and they lower the effective bandwidth. The same radio waves that reach your own devices also reach anyone else within range, which is the root of most of the risks described below.
There are two modes of communication: ad-hoc mode, in which clients talk directly to each other, and infrastructure mode, in which clients talk to a central Access Point. In infrastructure mode the Access Point joins all clients into one wireless network. Each network has a Service Set Identifier (SSID) to distinguish it from others, and by default the Access Point broadcasts the SSID periodically in beacon frames so that users can locate the network.
Wi-Fi provides three generations of link-layer security to protect the confidentiality of data traffic: Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2).
In the personal (pre-shared key) mode, the client and the AP must hold the same passphrase before an encrypted association can be established; in enterprise mode the per-user keys are derived from an 802.1X/EAP authentication instead.
Vulnerabilities and Risks of Wireless LAN
The greatest vulnerability of a WLAN is the lack of physical security. Unlike a wired network, intruders do not need to enter your premises to connect to your wireless network, and you have no reliable way of knowing who is within range or connecting at any given time.
The second vulnerability comes from the default settings of WLAN devices. The defaults exist for ease of deployment and compatibility: they let non-technical users connect and use the WLAN without difficulty on day one. Most users and companies, however, never change the default settings after deployment, and intruders can make use of the same "convenience" to connect to your network. These are the well-known default settings of a WLAN access point (AP):
- No encryption, or a default encryption key
- WPA/WPA2 enabled by default but with a trivial pre-shared key (e.g. "default", or the one printed on the device label)
- Default SSID (e.g. WaveLAN Network, default, wireless), which also reveals the vendor and lets attackers reuse precomputed password tables
- Default administrator user name and password (and SNMP community string)
- DHCP enabled by default, so any device that associates is automatically given an IP address
The third vulnerability comes from the 802.11 technology itself. First, the original 802.11 standard has no meaningful authentication: "open system" authentication accepts everyone, and WEP "shared key" authentication leaks keystream that helps an attacker. Second, WEP uses a single static key shared by every device on the network. Third, WEP's RC4 keystream with a 24-bit initialisation vector has a fatal flaw: collecting enough packets (tens of thousands, which packet injection can force within minutes) allows the key to be recovered. The Temporal Key Integrity Protocol (TKIP) used by WPA, a stop-gap built on the same RC4 cipher, has also been broken: known attacks decrypt and inject individual packets even though they do not recover the passphrase.
The fourth vulnerability comes from the WPA/WPA2 pre-shared key (PSK) mode intended for home use. The encryption keys are derived from the passphrase and the SSID, and an attacker who records a single client joining the network (the "4-way handshake") can test passphrase guesses offline, as fast as their hardware allows, without sending another packet to the AP. If the pre-shared key is weak, a brute-force or dictionary attack recovers it.
The fifth vulnerability comes from the Wi-Fi Protected Setup (WPS) standard, designed to connect a wireless device to an AP easily. Its PIN method is vulnerable to brute force: the AP reveals whether each half of the 8-digit PIN is correct separately, and the last digit is a checksum, so only about 11,000 attempts are needed instead of 100 million. Once intruders discover the WPS PIN, the AP hands them the WPA/WPA2 passphrase and, through the registrar function, may let them reconfigure the AP.
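An added example (not from the original guideline) of where the 11,000 figure comes from. The checksum function is the one defined by the WPS specification; the "registrar" here is a constructed stand-in that answers the way a real AP does (a NACK after message M4 when the first four digits are wrong, a NACK after M6 when the last four are wrong, and M7 when both halves match). The secret PINs are made up.

```python
def wps_checksum(first_seven: int) -> int:
    """Checksum digit from the WPS specification: weighted digit sum mod 10."""
    accum, pin = 0, first_seven
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """An 8-digit WPS PIN is valid only if digit 8 is the checksum of digits 1-7."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])


def make_registrar(secret_pin: str):
    """Constructed stand-in for the AP's registrar. Real APs leak the same information:
    a NACK after M4 means the first half was wrong, a NACK after M6 means the second
    half was wrong, and M7 delivers the network credentials."""
    assert is_valid_pin(secret_pin)

    def respond(pin: str) -> str:
        if pin[:4] != secret_pin[:4]:
            return "NACK after M4"
        if pin[4:] != secret_pin[4:]:
            return "NACK after M6"
        return "M7"
    return respond


def crack_wps_pin(respond) -> tuple:
    """Return (pin, attempts). Worst case is 10**4 + 10**3 = 11,000 attempts."""
    attempts, first_half = 0, None
    # Phase 1: the second half is irrelevant until the first half is right.
    for a in range(10_000):
        attempts += 1
        if respond(f"{a:04d}0000") != "NACK after M4":
            first_half = f"{a:04d}"
            break
    if first_half is None:
        return None, attempts
    # Phase 2: only 3 free digits remain, the 8th is computed, not guessed.
    for b in range(1_000):
        attempts += 1
        body = first_half + f"{b:03d}"
        pin = body + str(wps_checksum(int(body)))
        if respond(pin) == "M7":
            return pin, attempts
    return None, attempts


if __name__ == "__main__":
    for secret in ("12345670", "99999995"):  # constructed PINs; both checksum-valid
        pin, n = crack_wps_pin(make_registrar(secret))
        print(f"secret {secret}: recovered {pin} after {n} attempts (10**8 nominal)")
```

This is why the checklist below says to disable WPS, or at least its PIN method: the protocol design, not a particular vendor's bug, is what makes the PIN guessable, and firmware lockouts only slow the attack down.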
The last vulnerability is the human element, the weakest link. Some people deploy WLAN for sensitive services without studying the risks of the technology. Some companies do not stop staff from connecting their own APs to the internal network, which opens a backdoor for intruders and renders the perimeter firewall and Internet antivirus gateway useless.
The consequences of an intruder connecting to your WLAN are:
- Network resources (e.g. Internet bandwidth) being misused and productivity being affected.
- Information leakage through network sniffing by intruders outside your premises, where you have no control of access.
- Malware infection introduced by intruders.
- Loss of confidentiality, integrity and availability when systems are penetrated.
- Intruders launching attacks on external targets from your network and shifting the legal liability to you.
All of these translate into financial, trust and reputation loss. You might also bear legal liability for allowing it to happen (e.g. breach of your usage agreement, or a claim for damages when your network was used to launch a hacking attack).
Wireless LAN Security Checklist
Here is a checklist to secure your WLAN deployment.
General Checklist to Home and Business Use of WLAN
- Physical Security
- Do not put the WLAN Access Point (AP) close to door or window. Ensure that the signal does not extend beyond the required area.
- To ensure that unauthorized people cannot tamper with your router, try to place it in a physically secured location.
- Some routers allow you to reduce the output power of the device. To minimise leakage outside the area the wireless network is meant to serve, lower the transmit power if possible. Bear in mind that Wi-Fi signals can be picked up from hundreds of metres away, and with a directional antenna from a kilometre or more, so power reduction limits but does not eliminate eavesdropping.
- Use directional antennas to control the coverage of a wireless network.
- Power-off when the Access Point is not in use.
- Change the default user name and password
- Change the default administrator name and password of the Access Point management interface. Default credentials for every model are published on the Internet; if you do not change them, intruders can break into the management interface trivially.
- Encryption of communication
- Do not use WEP, or WPA/WPA2 with TKIP. These have been broken. Use WPA2 with AES (CCMP) encryption, or WPA3 where your devices support it.
- If WPA/WPA2 encryption is used with the pre-shared key method, construct a strong passphrase of at least 20 characters mixing letters, numbers and symbols, and avoid dictionary words and phrases. Guesses are tested offline against a captured handshake, so the AP cannot rate-limit the attack; passphrase strength is the only defence.
- To further improve security over time, change the WPA2 pre-shared key periodically, and immediately when a device that stored it is lost or a person who knew it leaves.
- Securing SSID
- Change the default SSID. The new SSID should not reveal personal or company information that helps an intruder target you, and should not be a common name, since attackers precompute WPA/WPA2 key tables for popular SSIDs.
- If possible, turn off the SSID broadcast (some AP management GUIs provide such a function, sometimes called "closed network"). In this case you have to tell individual users the SSID. Note that this only hides the name from casual users: clients of a hidden network probe for it by name and the SSID still appears in association frames, so treat it as a minor measure, not a security control.
- Controlling access to authorized WLAN card
- Turn on MAC address filtering to allow only authorised WLAN cards to associate with the AP. This method only suits environments where WLAN cards are rarely added or removed, such as a home or SME. Be aware that MAC addresses are sent unencrypted in every frame and are trivially spoofed, so filtering stops only casual connections.
- Controlling the IP network
- Disable the DHCP service on the AP and use static IP addresses on wireless clients, so that a client without a valid IP address cannot communicate. This is only practical at home or in an SME, and an intruder who sniffs the traffic can still learn the subnet in use; treat it as a speed bump rather than a barrier.
- SNMP configuration
- Do not enable SNMP unless it is necessary.
- If SNMP is essential, please note:
- Make sure you change the default SNMP device name and community strings. Use a long community string with a mix of numbers and letters, and prefer SNMPv3 with authentication and encryption over SNMPv1/v2c, whose community strings travel in cleartext.
- Enable the SNMP access control list (ACL) to restrict which hosts can query or configure the AP, and give write access to as few hosts as possible.
- For security over time, change the SNMP community string periodically.
- Additional functions for Access Point
- Some AP products have a built-in function to isolate WLAN clients from each other. It has different names in different products (e.g. AP Isolation, Privacy Separator). Enable it so that one compromised or hostile client cannot attack the others.
- Some AP products can reject clients whose SSID is set to "Any". "Any" lets a client associate with an AP of any name. Denying "Any" makes an attack harder.
- Some AP products offer Wi-Fi Protected Setup (WPS) as an easy way to configure encryption. Although convenient, the WPS PIN method is vulnerable to brute force. Disable WPS (or at least the external-registrar PIN method) where possible; otherwise upgrade the firmware to a version that locks out repeated PIN failures, and understand that lockouts only slow the attack down.
- Mobile Computing Security
- Most likely you use WLAN with mobile devices. Make sure you also address other mobile security issues (e.g. theft of hardware, lack of protection from the corporate antivirus gateway and firewall) and deploy appropriate protections.
- Behavioral Security
- Do not reveal your SSID, encryption key or other security configuration to third parties. When in doubt, change these settings.
- Legal and Ethical Liabilities
- Unauthorised access to an information system is a criminal offence. Do not try to connect to other people's wireless networks and systems out of curiosity, for research or for any other reason. If you find that your neighbours have insecure WLANs, tell them so they can fix it. As a responsible person, do not disclose the weakness together with the owner's name and location to a third party.
Additional Checklist for Corporations
- Proper use of technology
- For very sensitive and critical services, assess the risk of WLAN before adopting it at all. Budget for the extra cost of the management and security controls that WLAN requires before deploying it.
- Management Policy
- Do not allow staff to set up their own access points.
- Define the types of information that must not be sent over WLAN.
- Define the procedure for reporting the loss of a WLAN device.
- Keep an accurate inventory of all WLAN devices (at least SSID, BSSID/MAC address, location and firmware version), so that unknown devices stand out in site surveys.
- Assign a separate WLAN and SSID for guest users.
- Remove all configuration and sensitive information from a WLAN device before disposal.
- Configuration Standards
- Disable all insecure and unused management protocols on the AP (e.g. Telnet, plain HTTP, SNMPv1/v2c) and configure the remaining ones for least privilege.
- Enable the AP access threshold parameters, such as inactivity timeouts and the maximum number of supported associations.
- Enable the AP logging features and forward the log entries to a remote logging server, so that association, authentication-failure and configuration-change events survive a compromise of the AP itself.
- Disable the ad-hoc mode of wireless client devices.
- Connect APs to network switches (instead of hubs) to avoid sniffing of the wired side.
- Integrate with the enterprise authentication infrastructure (such as a RADIUS server backed by your directory or Kerberos realm) for user authentication.
- Adopt WPA2-Enterprise, i.e. IEEE 802.1X with an Extensible Authentication Protocol (EAP) method such as EAP-TLS or PEAP, for a higher protection level: each user gets individual credentials and per-session keys instead of one shared passphrase.
- In April 2010 the Wi-Fi Alliance added further EAP types to its WPA and WPA2 Enterprise certification programmes. With EAP the client authenticates the network by checking the authentication server's certificate, which reduces the risk of connecting to a spoofed AP. This only works if clients are configured to validate that certificate against a specific CA and server name and are not allowed to prompt the user to accept an unknown certificate.
- Security Protection and Risk Mitigation
- Treat the WLAN as an untrusted network. Segment wireless traffic into a separate network and install a properly configured firewall between the wired infrastructure and the wireless network to control traffic into the internal network or service network.
- If you provide WLAN for both staff and guests, keep the two WLANs separate.
- Deploy a wireless intrusion detection/prevention system (WIDS/WIPS) that supports rogue AP identification and denial-of-service protection (e.g. against association or deauthentication flooding).
- Limit the services offered over the WLAN, especially the guest WLAN. Apply access control and quality-of-service controls to block disallowed traffic and prevent bandwidth abuse.
- Security Assessment
- Conduct a wireless site survey to tune AP power for just sufficient coverage and roaming.
- Perform wireless vulnerability assessments regularly to check enforcement of the security policy, find unknown wireless devices, and detect threats arising from misconfiguration or device vulnerabilities.
- Use Upgradable Solution
- WLAN technology evolves quickly. When choosing a WLAN solution, ensure the AP and wireless cards can be firmware-updated, and keep the firmware up to date.
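An added example (illustrative code, not the logic of any WIDS product and not part of the original guideline) of the rogue-AP check that the inventory, staff-AP policy and vulnerability-assessment items above make possible. It reconciles a constructed Wi-Fi scan against a constructed device inventory and flags three things: a known AP whose SSID or security no longer matches the inventory, an unknown radio advertising a corporate SSID (the evil-twin case), and an unknown AP that appears to be inside the premises. The signal threshold used to decide "inside" is an assumed value for a fixed sensor and would need to be calibrated on site.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanEntry:
    bssid: str        # AP radio MAC as seen in beacons
    ssid: str
    channel: int
    security: str     # normalised: "OPEN", "WEP", "WPA-TKIP", "WPA2-PSK", "WPA2-EAP"
    signal_dbm: int   # received signal strength at the sensor


# Constructed inventory (assumed values): BSSID -> (expected SSID, expected security)
INVENTORY = {
    "00:11:22:33:44:01": ("CORP-STAFF", "WPA2-EAP"),
    "00:11:22:33:44:02": ("CORP-STAFF", "WPA2-EAP"),
    "00:11:22:33:44:11": ("CORP-GUEST", "WPA2-PSK"),
}
CORPORATE_SSIDS = {ssid for ssid, _ in INVENTORY.values()}

# Constructed scan results, as a walk-around survey or fixed sensor might report them.
SCAN = [
    ScanEntry("00:11:22:33:44:01", "CORP-STAFF", 6, "WPA2-EAP", -48),
    ScanEntry("00:11:22:33:44:02", "CORP-STAFF", 11, "WPA2-PSK", -55),    # config drifted to PSK
    ScanEntry("00:11:22:33:44:11", "CORP-GUEST", 1, "WPA2-PSK", -60),
    ScanEntry("de:ad:be:ef:00:01", "CORP-STAFF", 6, "OPEN", -41),         # evil twin, no encryption
    ScanEntry("a4:b5:c6:d7:e8:f9", "TP-LINK_1234", 9, "WPA2-PSK", -38),   # strong unknown AP
    ScanEntry("12:34:56:78:9a:bc", "Neighbour-5G", 36, "WPA2-PSK", -82),  # weak, probably next door
]

WEAK_SECURITY = {"OPEN", "WEP", "WPA-TKIP"}
INSIDE_THRESHOLD_DBM = -50   # assumption: stronger than this means the AP is on our premises


def triage(scan, inventory, corporate_ssids, inside_dbm=INSIDE_THRESHOLD_DBM):
    """Return (severity, reason, entry) tuples for every AP that needs attention."""
    findings = []
    for e in scan:
        if e.bssid in inventory:
            exp_ssid, exp_sec = inventory[e.bssid]
            if e.ssid != exp_ssid or e.security != exp_sec:
                findings.append(("high", f"known AP deviates from inventory "
                                         f"(expected {exp_ssid}/{exp_sec})", e))
        elif e.ssid in corporate_ssids:
            # Same name, unknown radio: evil twin, or a staff-installed AP reusing the SSID
            findings.append(("high", "unknown BSSID advertising a corporate SSID", e))
        elif e.signal_dbm >= inside_dbm:
            severity = "high" if e.security in WEAK_SECURITY else "medium"
            findings.append((severity, "unknown AP apparently inside the premises", e))
    return findings


if __name__ == "__main__":
    for severity, reason, e in triage(SCAN, INVENTORY, CORPORATE_SSIDS):
        print(f"[{severity}] {e.bssid} {e.ssid!r} ch{e.channel} {e.security} "
              f"{e.signal_dbm} dBm: {reason}")
```

Matching on BSSID alone is a starting point, not a complete control: an attacker can clone a legitimate BSSID as easily as an SSID, which is why commercial WIPS sensors also compare channel, signal fingerprint and beacon timing, and why each finding should be confirmed by walking to the location.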
Tips for End-users using Public Wireless Services
Once you connect a wireless device to a public hotspot, you expose yourself to potential attacks from anyone else on that network. The following security tips may help you prevent them:
- Precautions when accessing the Internet via public Wi-fi
- Public Wi-Fi is an untrusted network. Without proper security controls, do not send sensitive / personal information over a public Wi-Fi network.
- Remove the public Wi-Fi AP from your device's saved or preferred network list after use. An attacker can set up a fake AP with the same name as a network on your list, and your device may connect to it automatically without asking you.
- Do not leave your computer/device unattended.
- Configure security technologies for your computer/device:
- Baseline security protection: use a firewall, anti-virus and anti-spyware software, and keep system and application patches up to date.
- Enable your computer/device's power-on login, system login authentication, and password-protected screensaver.
- Turn off all resource sharing protocols for your Wi-Fi connection.
- Turn off wired LAN connections while using Wi-Fi (an attacker could reach the wired LAN through the Wi-Fi interface if network bridging is enabled).
- Turn off Wi-Fi connection when it is not in use.
- Where possible, choose a public Wi-Fi AP that provides encryption (WPA2 rather than an open network). Remember that other users who know the same pre-shared key can still decrypt your traffic, so this is no substitute for end-to-end encryption.
- If you need to send sensitive or personal data, use end-to-end encryption, for example HTTPS (TLS-protected) websites and encrypted email connections, and do not click through certificate warnings.
- Verify the identity of access point (AP) to be connected:
- Verify the certificate of the AP's authentication server if one is presented (as on hotspots that use WPA2-Enterprise), and do not accept an unexpected or changed certificate.
- Check the authenticity of a "captive portal":
- A "captive portal" is a web page shown before you can browse any other website when first connecting to a public hotspot. To avoid being conned by a fake captive portal, verify the portal website's server certificate, and never enter credentials or payment details into a portal served over plain HTTP.
- Further protection:
- If you need to access sensitive information in the corporate network via public Wi-Fi, use a virtual private network (VPN) over the Wi-Fi connection.
- If you use a VPN, disable "split tunnelling" so that all network traffic goes through the corporate network and benefits from the filtering provided by your corporate gateway.
There are a number of other security measures you can apply. Nevertheless, these tips provide a good start for protecting wireless devices and your personal information when connecting to public wireless networks.