Securing Wireless Network Traffic (Part 5)

Introduction

So far in this article series, I have talked about some of the various security features that are commonly built into wireless access points. Now, I want to turn my attention away from hardware security features and begin talking about the security features that are built into Windows.

How Secure Are Wireless Networks?

Although I had initially planned to begin talking about operating system level security for wireless networks, I wanted to take a time out and answer a question that many of you have had. I have gotten a lot of e-mail about this series, but the one question that keeps coming up again and again is whether a wireless network can ever be made to be as secure as a wired network. After all, a hacker does not even have to gain physical access to a facility in order to compromise a wireless network. With the aid of a high-gain directional antenna, a hacker can attack a wireless network from well outside the building, potentially several miles away.

My own personal opinion is that when properly implemented, a wireless network is actually more secure than the average wired network. The reason for this is that unless an organization uses top-notch security, there is one major security vulnerability that is inherent to its wired network. Most of the wired networks that I have seen are constructed in such a way that any device that is plugged into the network is presumed to be trustworthy.

While I will concede that an organization should have good enough physical security to prevent anyone from attaching a rogue device to the network, such attacks can and sometimes do occur.

Many years ago I worked for an organization that tended to be very security conscious. I had a standing order to be on the lookout for any security vulnerabilities. If I suspected that a vulnerability existed, I was authorized to do anything necessary to find out whether or not the suspected vulnerability was really an issue.

I already knew that the building had somewhat weak physical security. Because I was often required to come in the middle of the night to perform upgrades or to take care of emergency repairs, I knew that the organization had two nighttime security guards, each one stationed at one of the building’s two entrances. I also knew that every half an hour they would leave their posts to patrol the building.

I wanted to find out how easy it would be for an intruder to sneak into the building and compromise the security of our network. Since I knew the guards' schedule, I decided to break into the building while the guards were away from their posts patrolling the building. The building had one of those old-school locks that could easily be opened with a credit card, so getting into the building was no problem. Once inside, I made my way to an empty area of the building that had previously been occupied by temporary workers. I plugged a laptop into an empty network jack and began running a packet capture program. I hid the laptop underneath the desk and blocked it from view with a few cardboard boxes that had been lying around. Then I snuck back out of the building.

The next night I broke back into the building, retrieved the laptop, and snuck back out. I had successfully captured an entire day’s worth of network traffic.

After I had some time to go through the packet captures and determine exactly what I had managed to get, I approached my boss and explained that empty network jacks were a major threat to security. Sure, I had administrative credentials for the network and I had 24-hour access to the building, but I didn’t use any of that in my penetration testing. I broke in and sniffed the network in the same way that a criminal might. Keep in mind though, that I had permission to test the network’s security through any means necessary. Unless you get such permission I don’t recommend trying a stunt like this because it could get you fired, and maybe even arrested.

After my little exploit, the administrative staff made the decision to disconnect any unused network jacks in the interest of preventing an attack like the one that I had successfully executed. Even so, that was not a perfect solution to the problem. That's because each employee who had a computer still had a live network jack underneath their desk. It would have been simple to unplug someone's computer and plug in a rogue device. Granted, such a device might easily be found, but imagine what could have happened if the attack had been carried out by an employee. Someone who works for the company would probably know who is on vacation and how long they were scheduled to be gone. The absent employee's network jack would make the perfect target because it would still be live, and there is a good chance that no one would go into the absent employee's office while they were gone.

As I said earlier, my exploit happened many years ago. Today the effectiveness of such an attack would be somewhat limited because everyone uses network switches rather than the hubs that were used back then. A hub repeats every frame to every port, so a laptop on any unused jack saw all of the traffic on the segment; a switch forwards unicast frames only to the port where the destination MAC address was learned, so a passive tap on an unused port mostly sees broadcast and multicast traffic. Even if someone were able to position themselves in a way that made it possible to capture lots of packets, the type of attack that I performed could easily be prevented through the use of IPsec encryption. Using IPsec would not stop someone from plugging a laptop into an empty network jack and running a packet capture program, but for traffic that the IPsec policy actually requires to be protected, it would make the captured packets essentially unreadable.

Even so, I still tend to think that most wired networks are vulnerable to attack because they assume that any device with physical access to the network is trustworthy. While IPsec encryption might prevent someone from stealing any data, there is nothing stopping someone from using a rogue device to inject packets onto the network. Hosts that require IPsec will discard unauthenticated traffic addressed to them, but the protocols that run before a host even has an address, such as DHCP, are broadcast on the segment and cannot be protected by host-to-host IPsec.

I have heard several stories over the years of networks that were compromised by someone who plugged in various types of rogue devices. For example, I recently heard of one network that was compromised by someone who plugged in a laptop that was configured to act as a DHCP and DNS server. As legitimate workstations were powered on, some of those workstations were assigned addresses by the rogue DHCP server. A workstation that boots without a valid lease broadcasts a DHCPDISCOVER and accepts the first DHCPOFFER it receives, so a rogue server on the same segment that answers faster than the legitimate one wins the race. DHCP clients that already hold a lease normally try to renew the address that they had previously used, but if that renewal fails, or the address is no longer available, the client falls back to broadcasting again and can end up with a different address, possibly from a different DHCP server.

The DHCP server used in the attack instructed any workstation that received a lease from it (via the DNS server option in the lease) to use the rogue DNS server rather than a legitimate DNS server. The rogue DNS server had been configured with records pointing to malicious servers on the Internet rather than to legitimate resources.
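The rogue DHCP attack described above leaves a fingerprint on the wire: a DHCPOFFER (or DHCPACK) whose Server Identifier option, or whose DNS Servers option, names an address that is not one of the organization's known servers. The following script is an added example, not code from the original article; it parses the BOOTP/DHCP message format, extracts those options, and flags offers that do not match an allowlist. Both sample packets, the trusted-server addresses (192.168.1.1 and 192.168.1.2) and the rogue address (192.168.1.250) are constructed for illustration. On a real network the same check would be fed from a packet capture on UDP port 67/68 or, better, enforced by the switch as DHCP snooping.

```python
import struct
import ipaddress
from dataclasses import dataclass, field

# DHCP option codes and message types used below (RFC 2132)
DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that follows the 236-byte BOOTP header
OPT_DNS = 6                         # DNS servers handed to the client
OPT_MSG_TYPE = 53                   # DHCP message type
OPT_SERVER_ID = 54                  # which server made this offer
MSG_OFFER, MSG_ACK = 2, 5

# Assumed allowlist for the example network (constructed, not from the article).
TRUSTED_DHCP = {"192.168.1.1"}
TRUSTED_DNS = {"192.168.1.1", "192.168.1.2"}


@dataclass
class DhcpMessage:
    op: int
    xid: int
    yiaddr: str                         # address being offered to the client
    options: dict = field(default_factory=dict)


def parse_dhcp(payload: bytes) -> DhcpMessage:
    """Parse the UDP payload of a DHCP message: fixed BOOTP header, then TLV options."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, _hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    yiaddr = str(ipaddress.IPv4Address(payload[16:20]))
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                   # pad
            i += 1
            continue
        if code == 255:                 # end
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return DhcpMessage(op, xid, yiaddr, options)


def ip_list(raw: bytes) -> list:
    """Decode an option value that is a list of IPv4 addresses."""
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - len(raw) % 4, 4)]


def audit_offer(msg: DhcpMessage, trusted_dhcp=TRUSTED_DHCP, trusted_dns=TRUSTED_DNS) -> list:
    """Return a list of findings for an OFFER/ACK from an unknown server or pushing unknown DNS."""
    findings = []
    mtype = msg.options.get(OPT_MSG_TYPE, b"\x00")[0]
    if mtype not in (MSG_OFFER, MSG_ACK):
        return findings                 # only server-to-client leases are of interest
    for sid in ip_list(msg.options.get(OPT_SERVER_ID, b"")):
        if sid not in trusted_dhcp:
            findings.append(f"xid={msg.xid:#x}: lease for {msg.yiaddr} from unknown DHCP server {sid}")
    for dns in ip_list(msg.options.get(OPT_DNS, b"")):
        if dns not in trusted_dns:
            findings.append(f"xid={msg.xid:#x}: lease for {msg.yiaddr} pushes unknown DNS server {dns}")
    return findings


def build_offer(xid: int, yiaddr: str, server_id: str, dns_servers) -> bytes:
    """Construct a DHCPOFFER payload for testing (same layout parse_dhcp expects)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)          # op=BOOTREPLY, Ethernet
    hdr += b"\x00" * 4                                             # ciaddr
    hdr += ipaddress.IPv4Address(yiaddr).packed                    # yiaddr
    hdr += ipaddress.IPv4Address(server_id).packed                 # siaddr
    hdr += b"\x00" * 4 + b"\x00" * 16 + b"\x00" * 64 + b"\x00" * 128  # giaddr, chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, MSG_OFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    dns = b"".join(ipaddress.IPv4Address(d).packed for d in dns_servers)
    opts += bytes([OPT_DNS, len(dns)]) + dns + b"\xff"
    return hdr + DHCP_MAGIC + opts


# Constructed sample traffic: one legitimate offer, one from a rogue laptop.
LEGIT_OFFER = build_offer(0x1234, "192.168.1.50", "192.168.1.1", ["192.168.1.1", "192.168.1.2"])
ROGUE_OFFER = build_offer(0x5678, "192.168.1.51", "192.168.1.250", ["192.168.1.250"])


def audit_packets(packets) -> list:
    """Run the audit over a batch of raw DHCP payloads, skipping anything that is not DHCP."""
    findings = []
    for raw in packets:
        try:
            findings.extend(audit_offer(parse_dhcp(raw)))
        except ValueError:
            continue
    return findings


if __name__ == "__main__":
    for line in audit_packets([LEGIT_OFFER, ROGUE_OFFER]):
        print(line)
```

The audit deliberately checks both the Server Identifier and the DNS option, because an attacker who cannot win the DHCP race can still do damage by relaying legitimate leases with only the DNS option rewritten; the DNS check catches that case as well.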

My point is that if someone can gain physical access to a wired network, then there are a variety of ways in which that network can be compromised. Of course the same can also be said for wireless networks. If an attacker is able to establish a connection to a wireless network, then they can begin chipping away at the network's security. However, that assumes that the wireless access point is connected directly to the wired network.

Most security-conscious organizations don't do that, though. Instead, they attach the wireless access point to a gateway server. This gateway acts very similarly to a VPN server: it authenticates the connection before allowing the user any access to the resources on the wired network, so merely associating with the access point buys an attacker nothing.

Conclusion

As you can see, a properly implemented wireless network is more secure than a typical wired network because devices that attach to the wireless network are not automatically trusted. However, it is worth noting that it is possible to configure a wired network not to assume that any attached devices are trustworthy; port-based authentication on the switch (802.1X), which keeps a jack closed until the device or user has authenticated, is the usual way of doing that.

In the next part of this series, I am going to begin talking about how you can use Windows Server 2008 to further secure your wireless network.