Wireless networking is everywhere. It has permeated our day-to-day world so much that we are not even aware when a device connects to a trusted network or when we buy a product with a wireless interface. Networks are never able to be truly secure. As long as a person is using a network, and moving devices between networks, there is a risk of a network being penetrated. Good design practices, some planning and a little thought, allow us to take practical steps that reduce the risk of an attack on our network. In this case, we’ll take a closer look at securing the wireless entry points to the network.
There are two distinct types of wireless networks you will find in a security network. The first type is a 5Ghz point-to-point wireless network that is used for connecting parts of the security network where cabling is not available. The second type is the typical Access Point Wi-Fi network, usually operating on 2.4 Ghz, that is used as a means of connecting PCs and handhelds to the network. Regardless of the type of network the same basic security principles apply.
Each new wireless device that is added to a network becomes a potential entry point to that network. The 802.11 series of wireless standards that the technology is built on were designed to be open and visible to the world. It was designed to provide a connection by default to any device that is in range.
A typical range of a 2.4Ghz omnidirectional access point, without any boosting technology, is from 46 meters (indoors) to 92 meters (outdoors). You would think that the intruder must be within that range to successfully connect to your network. Unfortunately, that is NOT the case. A $20 antenna booster can allow an intruder to sit outside the normal range of your Wi-Fi and work on getting connected to your network. The same principles apply to a 5Ghz network except that the intruder may need an external 5 Ghz directional antenna which is available for about $100. The moral of this story is that physical separation of the network may not only be ineffective, it may actually provide an illusion of security.
Another common attempt at protecting a wireless link is to hide the broadcasted name of the network – the SSID. The Wi-Fi Access point broadcasts its name in order to solicit connections. The Wi-Fi client registers to the SSID and then starts a four way handshake to negotiate a connection. Why not increase security by configuring your network to NOT advertise your SSID? Unfortunately, this too is a dead end, since the devices connecting to that network must then be configured to constantly advertise a request to link to that network. Instead of the Access Point doing the advertising, the remote devices are now advertising the presence of a “hidden” network.
Since it is impossible to isolate a wireless network from the surrounding world, the first line of defence rests in encryption. Encryption allows for communication between two devices to be mathematically encoded and decoded using one or more ciphers or “keys”. The first Wi-Fi encryption to be in common use was Wired Equivalent Privacy (WEP) which was in use from 1999 through 2003. This standard is notoriously weak and can be cracked in a few minutes with a laptop and some freely available software. WEP was replaced with Wi-Fi Protected Access (WPA) in 2003. WPA has morphed into WPA2 which supports a 256-bit key. WPA2 is currently considered to be adequate security provided the code used to create the key is a completely randomized mix of 12 or more characters. Any key partially based on a phrase, address or phone number can be hacked if the intruder has some idea of the base of the code.
The challenge with encryption is that it depends on the security of each end device. If one of the devices involved in the encrypted link has another security vulnerability, then the entire system is at risk. An independent security firm, Security Evaluators, found that many routers only a few years old had vulnerabilities that were published but had never been patched.1 Any owner of one of these routers is at risk of intrusion. If you have an older router either replace it or search out the router model on a registry of vulnerable devices. A wireless intruder has other tricks to fight against encryption as well.
If your laptop or phone is set to automatically connect to a network, what if someone makes their laptop appear to be the access point on which you would connect? Your laptop would connect to a device they control and they would then be able to plant malware on your laptop and gather data to hack into the “real” access point.
The best way to supplement good encryption is to add other means of authenticating your connection to the network. For a mid to large size network with devices that are constantly connecting and disconnecting a Radius or AAA (Authentication, Authorization, Accounting) Server allows for additional checks based on your PC’s information. This system also allows for controls on what you have rights to access and does some accounting of your session. Anything not matching the AAA Server permissions results in a session being denied.
If you are using a 5Ghz connection for adding remote devices to your network, there are additional steps you can take to secure your network. If the link is point-to-point, then the manufacturer should have a feature to “MAC Lock” the two radios together. Use the strongest possible encryption and a minimum 12 digit randomized password for the key generation code. Finally, in order to proceed with an attempt to hack this system the intruder would likely need to sniff the connection during a reboot. Protect the power for these devices and monitor the system for unexplained rebooting or power cycles.
The next layer of protection to consider may already be present in your network – the managed switch. Most current managed switches allow for MAC locking of devices. This means that each authorized device in the wireless system is “locked” to that port. This prevents an unauthorized MAC address from connecting to the system. A clever intruder will be ready for this and will have a plan to capture an authorized MAC address and clone it on their device. The second feature of the managed switch is the capacity to use ACLs (Access Control Lists) to screen out or limit unwanted traffic on the switch. This type of security is useful since it provides an impediment to the intruder within the rings of security that you’ve already created. Furthermore, violations of the ACL rules can be forwarded to an Intrusion Detection System for analysis. If the ACL violations match a certain pattern or occur in a rapid burst, the Intrusion Detection System can shut down the offending link or notify you that something isn’t right.
Concerns about security with wireless systems are very real. The technology is open, unconstrained by walls, easy to work with and well understood. Anyone doubting this can Google “Wifi Hacking Tools” to see what kind of tools are publicly available to would-be intruders. The security of your wireless system need to be kept current. Plan to periodically review the security of any wireless components of your security system as part of an overall plan to keep your network and your intellectual property safe.
If you’d like more information on Network Security we would be happy to hear from you. We can be reached at 905-990-4845 or info@fancomni.com Fancom Communications Engineering is the first step in assessing, planning and implementing or changing your secure network structure before intrusions happen! Contact us today to discuss.
References
1 https://www.cnet.com/news/top-wi-fi-routers-easy-to-hack-says-study/ by Seth Rosenblatt April 17, 2013