Wireless LAN security myths that won't die
It's been two years since I wrote "The six dumbest ways to secure a wireless LAN," and it's probably been one of my more successful blog entries ever, with two flashes on Digg. Since that time, I've written a free electronic book on enterprise wireless LAN security for anyone to use and download from TechRepublic. Since it has been two years, I'm going to update the information with more defined categories and better explain why they're so bad from an ROI (return on investment) and security perspective.
Waste of money, resources, time
- MAC filtering
- Disable DHCP and use Static IP addresses
- Signal suppression with expensive paint or antenna placement
Worse than no wireless security at all
Has nothing to do with security mechanisms
- Just use 802.11a or Bluetooth
The original blog has probably been read by more than a hundred thousand people, but I still can't kill these nasty urban legends because they are so engrained as "best practice." I was shocked and infuriated to find that even some security certifications, like the CISSP, and VISA payment processing compliance requirements, like PCI, are recommending most of these methods as "best practice."
Note that I recently attended the official CISSP boot camp training and in spite of this bad wireless LAN advice, I still recommend the CISSP certification and training. It really taught me how to better communicate to management and business people and align security and IT to the business. I have, however, asked them to fix their small section on wireless LAN best practices, and I hope they fix it.
The most common and misguided arguments I hear against my advice and in favor of implementing this nonsense are:
- What's the harm? It's a layered approach to security.
- It makes us harder to see and hack.
- We're a small company, and we can't afford real security.
The problem with these arguments is that they're based on some fundamentally wrong assumptions and an inadequate knowledge of how wireless LAN security works.
- These aren't layered approaches; they're more like buying overlapping warranty coverage, since any benefit against casual bandwidth thieves is already covered by real security measures. The harm is that people confuse these methods for the real thing, and they spend more money and resources on implementing the wrong security mechanisms and end up skimping on real security.
- They don't make you harder to hack. Kismet, which is a free utility, will reveal so-called hidden SSIDs, MAC addresses, and static IP schemes within seconds of scanning the airwaves, sending all that money and time spent on MAC address and static IP management down the toilet.
- If you have a limited budget with limited IT staff, it's all the more reason to use real wireless LAN security, because you certainly won't be able to afford the complexities of MAC filtering and static IP configuration. True wireless LAN security is far cheaper to implement and maintain.
Rock solid wireless LAN security for the home or small office can be summed up in a single paragraph. All you need to do is use WPA-PSK security with a random alpha-numeric pass-phrase that has a minimum of 10 characters. I estimated that a truly random alpha-numeric 10-character pass-phrase using modern single-core computers will take one thousand PCs working in parallel 500 years to crack. If your hardware doesn't support WPA mode, you can almost always get a free software/firmware upgrade to support it. If WPA mode absolutely can't be supported, you can run WEP (104 bit AKA 128) security, which might take a semi-skilled script kiddy using two PCs in an active attack configuration 10 minutes to break. WEP shouldn't ever be considered effective wireless LAN security, but it's hundreds of times harder to break than any of the myths. WEP can be considered an actual deterrent when nothing better like WPA is available, whereas these myths aren't even worthy of the deterrent title. The ROI for any of the first three wireless LAN security myths is essentially zero.
[Next page - Worse than no wireless security at all]
Worse than no wireless security at all
I've added a second subcategory of "worse than no wireless security at all." For this category, I've listed Cisco's proprietary LEAP and EAP-FAST protocols, along with SSID beacon suppression. Not only are these mechanisms ineffective, they're even harmful. LEAP uses unencrypted hash-based authentication, which relies strictly on password complexity. The problem is that 99% of all human-generated passwords can be cracked within hours or days. That means once a hacker breaks into a wireless LAN network by cracking LEAP, they're not only inside your network but they've got your passwords to freely access your data. If a domain admin were to use LEAP, the keys to the kingdom are handed over to the attacker. Cisco co-created a superior authentication mechanism called PEAP, which is standardized. But still pushes its customers toward the proprietary EAP-FAST protocol, which was created as a direct replacement for LEAP as a way to lock you in to Cisco hardware. EAP-FAST is only slightly less dangerous than LEAP, but its default and most commonly used configuration is just as dangerous as LEAP because it relies on anonymous server certificates that anyone can spoof.
I've added SSID beacon suppression to the list of "worse than no wireless security at all" because it forces you to spew your wireless LAN configuration from your laptop everywhere you go. Security researcher Joshua Wright recently highlighted these dangers in this article. The problem with turning off SSID beaconing on your access point is that not only is it worthless, since the SSIDs are still easily detectible over the air, but it also forces your laptops to probe for the SSID. That means that all of your laptops will run around the world broadcasting your SSID, which opens them up to data seepage or even evil twin attacks. If you forget this nonsense about SSID beacon suppression on the access point, you can turn off SSID probing on your notebooks, making them safer to operate. You can do this with the latest Windows XP SP2 Wireless Client Update, and Windows Vista has this feature built in. You simply need to make sure that you don't enable "Connect even if the network is not broadcasting." The default behavior for SSID probing in Windows Vista is off, which is the safe setting.
As for using 802.11a or Bluetooth, there's nothing wrong with those technologies, except that they shouldn't be confused with security mechanisms. They're merely alternative data transport mechanisms, and you need to apply the same wireless LAN security principles. Bluetooth shouldn't even be considered a wireless LAN technology, and the only reason I mentioned it is that some so-called experts were touting it as such.
One other solution mentioned for wireless LAN security is the use of VPN, which is an outdated and cumbersome method. The use of VPN for wireless LAN security isn't fundamentally dangerous (if you avoid using PPTP), but it does leave the data link layer wide open, which lets a hacker do nasty things like DHCP poisoning or possibly other Layer 2 attacks. At the very least, it allows the attacker to be on the same subnet as your legit users, which means they get to probe for missing personal firewalls or holes. At worst, the attacker can try to MAC bomb the CAM table or try to do a denial of service attack with spanning tree protocol BPDU VLAN resets if the access point passes on these attacks. Most people just stick their access point right into their Cisco switches with no VTP domain password, along with automatic trunking turned on with no consideration for Layer 2 security. My recommendation is that organizations focus on data link layer solutions like WPA, which offer cheaper and more effective protection.
The bottom line is that these six security myths should be permanently labeled worthless at best or dangerous at worst. For businesses and organizations, I would highly recommend my ultimate guide to enterprise wireless LAN security. For small businesses and homes, all you need to do is use WPA-PSK security with a random alpha-numeric pass-phrase that's a minimum of 10 characters long. If WPA security isn't available to you, at least run WEP as a 10-minute deterrence mechanism.