
VoxTechnologies Enterprise Network Series




INTRODUCTION

One of the most frequently asked questions put to wireless local-area network (WLAN) vendors is, "what about security?" It is indeed wise for network administrators to be concerned about security, on any type of network. Disgruntled former employees, hackers, viruses, Internet-based attacks, and industrial espionage are an unfortunate fact of life in any form of networking today. What we will discuss in this white paper are the threats to the security of any network, how they specifically relate to wireless LANs, and those elements unique to wireless LAN technology available to combat these potential threats.

LAN SECURITY ISSUES - WIRED VS. WIRELESS

It is odd to those who specialize in wireless LANs that a significant degree of concern regarding security is often evident among users and managers of wired LANs. This concern, however, does not usually extend to the wire; the security of information on the wire is, perhaps incorrectly, assumed as a given. But as soon as data packets begin traveling through the air, a high degree of anxiety sets in. After all, it is reasoned, the wired LAN is inside the company's building, and the data stays on the wire, only available to authorized users with physical connections to that wire.

In fact, any network, including a wired LAN, is subject to substantial security risks and issues. These include:

  • Threats to the physical security of a network
  • Unauthorized access and eavesdropping
  • Attacks from within the network's (authorized) user community

As will be seen below, a wireless LAN has all of the properties of a wired LAN (except, of course, the wire itself!), and thus security measures taken to ensure the integrity and security of data in the wired-LAN environment are applicable to wireless LANs as well. The only real difference between a wired LAN and a wireless LAN is at the physical layer; all other network services (and vulnerabilities) remain. Wireless LANs in fact include an additional set of unique security elements which are not available in the wired world, leading to the proposition that wireless LANs are actually more secure than their wired counterparts - an opinion shared by many industry analysts and experts.

WHAT CAN BE DONE?

PHYSICAL SECURITY - SITE CONTROL AND MANAGEMENT
Given the obvious reliance of wired LANs on a wired physical plant, anyone gaining access to that wire can damage the network or compromise the integrity and security of information on it. Without the proper security measures in place, even registered users of the network may be able to access information that would otherwise be restricted. Disgruntled current and ex-employees have been known to read, distribute, and even alter valuable company data files. LAN traffic can be intercepted and decoded with commonly available software tools once one has physical access to the LAN cabling.

Network administrators, regardless of whether or not they have wireless segments on their LANs, need to have the appropriate security products for their environments, the proper security levels set for their users, and an on-going process to audit the effectiveness of security policies and procedures. Physical access to network wires needs to be protected. Unfortunately, the vast amount of wire inherent in most LANs provides many points for unauthorized access.

USER AUTHORIZATION
Another area of concern for security-conscious network administrators is the growing use of the Internet. Often, if users from inside can get out to the Internet, then users from outside can get into a network if proper precautions haven't been taken. And this applies not only to the Internet, but also to any remote-LAN-access capabilities that might be installed. Remote access products that allow traveling sales and marketing people to dial in for their email, remote offices connected via dial-up lines, intranets, and "extranets" that connect vendors and customers to a network can all leave the network vulnerable to hackers, viruses, and other intruders. Firewall products offering packet filtering, proxy servers, and user-to-session filtering add additional protection, but hackers seem to get smarter all the time.

Many products are available to help network administrators secure their networks from the above threats. User authentication and authorization is provided by most network operating systems, and can be enhanced by adding third-party products.

EAVESDROPPING COUNTERMEASURES
Perhaps the most difficult threat to detect is someone just looking at (and likely copying) raw data on the LAN. Wired networks are particularly vulnerable to eavesdropping. Most Ethernet adapters on the market today offer a "promiscuous mode" that, with off-the-shelf software, enables them to capture every packet on the network. What network administrator doesn't have some kind of "packet sniffer" or LAN-traffic analyzer for troubleshooting the network? Inexpensive and readily available programs let anyone with physical access to the network read, capture, and display any type of packet data on the net.

And even wired LANs have an unintended wireless component. Many types of LAN cabling, particularly unshielded twisted pair, radiate significant energy. This leads to the possibility that anyone with a strong motivation, the right radio equipment, and a good antenna can sit in the parking lot outside a building and actually intercept wired Ethernet data packets - without detection.

Data encryption is the only line of defense against this kind of threat. Unfortunately, a sense of complacency among network managers has resulted in the limited use of in-building encryption, often with unforeseen (and unknown) results.

WIRELESS SECURITY CONSIDERATIONS

As can be seen from the above discussion, data security considerations impact the entire network architecture, and also apply equally to wireless LANs. But the very different physical layer of wireless LANs actually increases overall network security, as follows:

SPREAD-SPECTRUM TECHNOLOGY
Most wireless LANs use spread-spectrum radio transmission techniques. Spread-spectrum technology was first introduced about 50 years ago by the military with the objective of improving both message integrity and security. Spread-spectrum systems are designed to be resistant to noise, interference, jamming, and unauthorized detection. Spread-spectrum transmitters send their signals out over a broad range of frequencies at very low power, in contrast to narrowband radios that concentrate all of their power into a single frequency. There are several ways to implement spread-spectrum transmission, the two most common being direct sequence (DS) and frequency hopping (FH). (Please refer to the Introduction to Wireless LANs document available on this site at: http://www.wlana.com/intro/introduction/wirels.html)

Both techniques present unintended receivers with a difficult problem. In the case of DS, an eavesdropper must know the chipping (spreading) code. Someone trying to intercept an FH transmission must know the hopping pattern. In both cases, the specific frequency band (or portion thereof, in the case of DS) and modulation techniques in use must also be known. Radio systems also use a form of data scrambling for purely technical reasons, which is to assist in managing the timing and decoding of radio signals. An unintended receiver would also need to know this scrambling pattern.

Infrared-based wireless LANs are often used in high-security applications because infrared signals do not penetrate solid objects, like walls. Thus a project team could be literally cut off from the outside world and still have the benefits of a LAN. Some products use narrowband radio, which does not use spread-spectrum transmission. While this technique certainly works, it is not as inherently secure as spread-spectrum, and encryption is therefore a must when this technology is used.

But all of these techniques allow the use of encryption, and indeed, many wireless LAN products include encryption features as a standard or optional component. The IEEE 802.11 standard, for example, includes a security technique known as "wired equivalent privacy" (WEP), which is based on the use of 64-bit keys and the popular RC4 encryption algorithm. Users without knowledge of the current key (password) will find themselves excluded from network traffic. Encryption, as noted above, is always advisable on any network, and is certainly easier to implement in wireless LANs than in their wired counterparts.
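The WEP framing mentioned above, as an added example that is not part of the original white paper: the 64-bit RC4 key is a 24-bit per-frame IV, sent in the clear, followed by a 40-bit shared secret, and a CRC-32 integrity check value (ICV) is encrypted with the payload. The secret, IV and payload are constructed sample values.

```python
import struct
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling plus keystream XOR (the same call encrypts and decrypts)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def icv(payload: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the payload, little-endian."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)

def wep_encapsulate(secret: bytes, iv: bytes, key_id: int, payload: bytes) -> bytes:
    """Build IV(3) | KeyID(1) | RC4(IV+secret, payload | ICV)."""
    if len(secret) != 5 or len(iv) != 3:
        raise ValueError("64-bit WEP key = 24-bit IV + 40-bit secret")
    # The IV and key-ID byte travel unencrypted so the receiver can rebuild the key.
    return iv + bytes([(key_id & 3) << 6]) + rc4(iv + secret, payload + icv(payload))

def wep_decapsulate(secret: bytes, frame: bytes):
    """Return the payload, or None if the ICV fails (wrong secret or damaged frame)."""
    if len(frame) < 8:
        return None
    iv, body = frame[:3], frame[4:]
    clear = rc4(iv + secret, body)
    payload, received_icv = clear[:-4], clear[-4:]
    return payload if icv(payload) == received_icv else None

if __name__ == "__main__":
    secret = bytes.fromhex("0102030405")      # constructed 40-bit shared secret
    frame = wep_encapsulate(secret, b"\x00\x00\x01", 0, b"constructed payload")
    print("frame:", frame.hex())
    print("right key:", wep_decapsulate(secret, frame))
    print("wrong key:", wep_decapsulate(bytes.fromhex("0102030406"), frame))
```

A station holding a different secret derives a different keystream, so the decrypted ICV does not match and the frame is discarded.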

STATION AUTHENTICATION
Most wireless LAN products have the ability, as an authentication management function, to specifically authorize or exclude individual wireless stations. Thus an individual wireless user can be included in a network, or, at any time, locked out. Users may also need to know a wide variety of information, including radio domains, channels (specific frequencies or hopping patterns), subchannels, security IDs, and passwords. Other configuration information relating to in-building roaming might also need to be known. Thus network administrators can make unauthorized network access very, very difficult even for hackers who possess the specific wireless equipment being used at a given site.

PHYSICAL SECURITY
And, surprisingly, eliminating significant amounts of wire from a given installation dramatically reduces the number of places for wiretappers to gain access to the wired physical plant. While wireless LANs usually involve the use of a wired backbone network for access-point interconnection, the amount of wire is quite small, and extra steps can be taken to safeguard its physical integrity without inordinate cost. Moreover, since the access points used in wireless LANs function as bridges, individual wireless users are isolated from perhaps the majority of LAN traffic, again limiting user access to raw network packets.

CONCLUSION

The diligent management of security is essential to the operation of local-area networks, regardless of whether they have wireless segments or not. It's important to point out here that absolute security is an abstract, theoretical concept - it does not exist anywhere. All LANs are vulnerable to insider curiosity, outsider attack, and eavesdropping. No one wants to risk having the LAN data exposed to the casual observer or open to malicious mischief. Regardless of whether the network is wired or wireless, steps can and should always be taken to preserve network security and integrity.

It should be clear from the discussion above that wireless LANs can take advantage of all of the security measures available on wired LANs, and then add security features not available in the wired world. The result? The surprising conclusion that wireless LANs can be, in fact, more secure than their wired counterparts.


Copyright © 1999 VoxTechnologies Corporation - An Industrial Partner
Last modified: November 30, 2002