Everybody’s going wireless—even those intruders who are after your precious data. Here’s how to stop them.
With the growing popularity of wireless local area networks (WLANs) over the past few years, running at either 2.4GHz (802.11b at 11Mbps, or 22Mbps with some vendors' proprietary extensions) or the newer 5GHz 54Mbps (802.11a), many enterprises, large and small, that jumped on the bandwagon for the initial benefits of wireless networking are now realising the many hidden costs of the technology: conducting extra site surveys and network scans, and hunting down illegally installed wireless access points (rogue APs). It is estimated that 30 percent of all companies may have some form of unsecured authorised WLAN, or an unknown, unauthorised one, that hackers could exploit to gain access to data and bandwidth. There are also ongoing costs, such as additional security measures or hardware and the staff time needed to monitor activity on the WLAN.
IT reports and mainstream news channels now regularly carry the words war-driving, war-chalking and even war-flying, all describing hackers' attempts to use the "free" bandwidth on offer from companies and individuals running less-than-secure WLAN equipment or, worse still, to gain access to confidential company information and data.
The names borrow from war-dialling, the old practice of dialling a range of telephone numbers with a modem until another computer's modem answers, then using whatever that system has to offer. War-driving is the wireless equivalent: driving around with a notebook, a WLAN card and scanning software, logging every access point heard. War-chalking is the marking of buildings and footpaths with symbols that tell those in the know that a wireless network is accessible in the vicinity and how to join it. Once an area has been war-chalked, anyone with a device capable of joining a WLAN can sit down, match their settings to those marked, and start surfing the Internet or, with a little more effort, the local area network. Unlike a wired LAN, where a user is normally challenged for a login before reaching anything, a wireless LAN by itself performs no user authentication. It was initially assumed that knowing and matching the service set identifier (SSID) was authentication enough, but the SSID is broadcast in the clear in the access point's beacon frames, so it identifies the network rather than the user.
There are also several well-documented cases of individuals chartering planes and using readily available tools, a notebook PC with a WLAN card, a high-gain antenna and a GPS, to fly around cities and map wireless access points (http://arstechnica.com/wankerdesk/3q02/warflying-1.html). And when you have finished reading the US article, if you think it can only happen in America, think again: the first people to lay claim to war-flying were in Perth, WA. They picked up many unsecured WLANs, but here is the shocking part: almost half of the access points (APs) were still set to their factory default service set identifiers (SSIDs), which suggests to a would-be attacker that the administration passwords are probably still at factory defaults too. But wait, there's more: only 102 of them had any form of Wired Equivalent Privacy (WEP) enabled. Even flying over Silicon Valley, over 500 APs were detected and only 33 percent had WEP enabled.
Enemies at the gateways
Now that you have rushed to your APs and unplugged them, let's get back to the issues at hand: WLAN security and WLAN security gateways. It seems that the early implementers of this wireless technology were blinded by the advantages it gave them and, in their hurry not to be left behind, did not pause to consider the implications of allowing a virtually unsecured connection to their LAN. Most unsecured APs are deployed by IT personnel on the trusted, wired side of the organisation's firewall, thereby ensuring that anyone within radio range of the AP has full access to the company's wired network: its data, its bandwidth and every port that is open. So much for the whiz-bang, got-to-have-it firewall protecting the network; they might as well place a coffee machine and an open network port on the outside of the building with a "24 hours free Internet access" sign above it.
Before we continue, let's dispel the myth that WEP is as good as it was once claimed to be: as secure as your wired network infrastructure. Vendors moved quickly from 40-bit to 64-bit, 128-bit and now 256-bit keys, but key length was never the real weakness. WEP encrypts each frame with RC4, keyed by a 24-bit initialisation vector (IV) prepended to the shared secret, and the IV is sent in the clear in front of every frame. Two frames with the same IV are encrypted with the same keystream, the 16 million possible IVs run out within hours on a busy network, and a class of weak IVs leaks the secret key itself given enough captured traffic, whatever the key's length. The "64-bit" and "128-bit" figures, incidentally, include that 24-bit IV, so the secret is really 40 or 104 bits. Needless to say, the protocol is now generally accepted as little more than an irritation for any hacker keen to get at the data. And from the information gathered in Perth and San Diego, only around 22 percent of companies actually have WEP enabled anyway.
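To make the IV problem concrete, here is an added example (editor's code, not from the original article or any of the reviewed vendors): a textbook RC4 and a WEP-style per-frame encryption in Python, using constructed keys and frames. It shows that two frames encrypted under the same IV leak each other's plaintext through a simple XOR, whether the secret is 40 or 104 bits, and estimates from the birthday bound how many frames a network sends before an IV repeats. The frame integrity check (CRC-32 ICV) is left out, as it does not affect the point.

```python
"""WEP keystream reuse demonstration (added example; constructed keys and frames)."""
import math


def rc4(key: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling (KSA), then `length` bytes of keystream (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR over the common prefix of a and b."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret: bytes, iv: bytes, frame_body: bytes) -> bytes:
    """WEP per-frame encryption (ICV omitted): keystream = RC4(IV || secret).

    The 3-byte IV travels in the clear ahead of the ciphertext, so anyone can
    see which frames share a keystream. Decryption is the same operation.
    The secret is normally 5 bytes ("64-bit WEP") or 13 bytes ("128-bit WEP").
    """
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return xor(frame_body, rc4(iv + secret, len(frame_body)))


def recover_with_known_plaintext(c1: bytes, c2: bytes, p1: bytes) -> bytes:
    """Two frames under one IV: c1 ^ c2 == p1 ^ p2, so knowing p1 yields p2.

    p1 can be as mundane as an ARP request or the fixed header of an IP packet;
    the secret key is never needed and its length is irrelevant.
    """
    return xor(xor(c1, c2), p1)


def frames_for_iv_collision(p: float = 0.5, iv_bits: int = 24) -> int:
    """Birthday bound: frames sent before some IV repeats with probability p,
    assuming IVs are picked at random. Sequential IVs that restart at zero
    whenever a card re-initialises collide far sooner than this."""
    n = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * n * math.log(1 / (1 - p))))


if __name__ == "__main__":
    secret = b"\x01\x02\x03\x04\x05"      # constructed 40-bit secret
    iv = b"\x00\x00\x01"                  # the same IV on two frames
    p1 = b"GET / HTTP/1.0\r\n"            # known (guessable) plaintext
    p2 = b"user=alice&pw=hi"              # the frame we want to read
    c1, c2 = wep_encrypt(secret, iv, p1), wep_encrypt(secret, iv, p2)
    print(recover_with_known_plaintext(c1, c2, p1))   # b'user=alice&pw=hi'
    print(frames_for_iv_collision())                  # about 4800 frames
```

Note what the numbers say: the birthday bound puts the first IV repeat near 5,000 frames, an 11Mbps network saturated with 1500-byte frames works through the entire 24-bit IV space in a matter of hours, and early cards that restarted the IV counter at zero on every reset reused keystreams from the first frame after each reboot. A longer secret changes none of that arithmetic.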
Filtering on the client's network (MAC) address is another way IT staff try to overcome the security problem, but the MAC addresses of authorised clients are transmitted in the clear in every frame, WEP or no WEP, so anyone with a sniffer can collect a valid one, and virtually any wireless card lets its address be changed in software. MAC address cloning is simple, and once done the clone has the same access to resources as the legitimate card.
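Both points, that the SSID is no secret and that a MAC filter can be harvested by a passive listener, can be seen on the wire. The following added example (editor's code, not from the article and not any vendor's tool) is a minimal 802.11 parser for the two frame types a war-driving scanner relies on: the beacon, which carries the SSID and the capability bit that says whether WEP is required, and a WEP-protected data frame, whose sender and receiver addresses and IV are unencrypted. The frames, MAC addresses and the short list of factory-default SSIDs are constructed for the example.

```python
"""Passive 802.11 frame parsing (added example; all frames are constructed)."""
import struct

MGMT_BEACON = (0, 8)                      # frame type 0 (management), subtype 8 (beacon)
DATA_TYPE = 2
FLAG_TO_DS, FLAG_PROTECTED = 0x01, 0x40   # frame-control flags (second byte)
CAP_PRIVACY = 0x0010                      # capability-info bit: stations must use WEP

# Factory SSIDs that were common in early surveys (illustrative list, not exhaustive)
DEFAULT_SSIDS = {"linksys", "tsunami", "default", "101", "WLAN"}


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(frame: bytes) -> dict:
    """Decode the header fields a scanner can read off any frame, WEP or not."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    info = {
        "type": ftype, "subtype": subtype,
        "addr1": mac(frame[4:10]), "addr2": mac(frame[10:16]), "addr3": mac(frame[16:22]),
        "protected": bool(fc1 & FLAG_PROTECTED),
    }
    body = frame[24:]
    if (ftype, subtype) == MGMT_BEACON:
        # fixed part: timestamp(8) + beacon interval(2) + capability(2), then tagged elements
        cap = struct.unpack_from("<H", body, 10)[0]
        info["wep_enabled"] = bool(cap & CAP_PRIVACY)
        pos = 12
        while pos + 2 <= len(body):
            tag, ln = body[pos], body[pos + 1]
            val = body[pos + 2:pos + 2 + ln]
            if tag == 0:                        # SSID element: never encrypted
                info["ssid"] = val.decode("utf-8", "replace")
            elif tag == 3 and ln == 1:          # DS parameter set: channel
                info["channel"] = val[0]
            pos += 2 + ln
        info["default_ssid"] = info.get("ssid") in DEFAULT_SSIDS
    elif ftype == DATA_TYPE:
        # to-DS frame: addr1 = BSSID, addr2 = sending station; from-DS: addr1 = receiving station
        info["station_mac"] = info["addr2"] if fc1 & FLAG_TO_DS else info["addr1"]
        if info["protected"]:
            info["wep_iv"] = body[:3].hex()     # the IV precedes the ciphertext, in the clear
            info["wep_key_id"] = body[3] >> 6
    return info


def build_beacon(bssid: bytes, ssid: str, wep: bool, channel: int = 6) -> bytes:
    """Construct a beacon as an AP would send it (for the example only)."""
    hdr = bytes([0x80, 0x00]) + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0001 | (CAP_PRIVACY if wep else 0))
    ies = bytes([0, len(ssid)]) + ssid.encode() + bytes([1, 1, 0x82]) + bytes([3, 1, channel])
    return hdr + fixed + ies


def build_wep_data(bssid: bytes, station: bytes, dst: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Construct a station-to-AP data frame with the WEP bit set (for the example only)."""
    hdr = bytes([0x08, FLAG_TO_DS | FLAG_PROTECTED]) + b"\x00\x00" + bssid + station + dst + b"\x00\x00"
    return hdr + iv + b"\x00" + ciphertext      # key ID 0 sits in the top two bits of the 4th byte


def survey(frames) -> dict:
    """What a drive-by (or fly-by) survey learns without joining any network."""
    aps, stations = {}, set()
    for f in map(parse_frame, frames):
        if (f["type"], f["subtype"]) == MGMT_BEACON:
            aps[f["addr3"]] = f
        elif f["type"] == DATA_TYPE:
            stations.add(f["station_mac"])
    return {
        "access_points": len(aps),
        "wep_enabled": sum(a["wep_enabled"] for a in aps.values()),
        "default_ssid": sum(a["default_ssid"] for a in aps.values()),
        "client_macs_seen": sorted(stations),   # ready to clone past a MAC filter
    }
```

The survey output is exactly the kind of tally quoted from Perth and Silicon Valley above: AP count, how many demand WEP, how many still carry a factory SSID, and, as a bonus for the attacker, a list of station addresses that the access point already trusts.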
But amongst all this doom and gloom, several vendors have decided that to continue providing wireless solutions and equipment, or to augment existing wireless installations, they need to tackle these wireless security issues first. The range of methods employed is very interesting: no two products in this review line-up are the same, each employs different features and security measures, and some employ several at once to make WLAN equipment as secure as is possible today. And with the majority of them, you don't need to be an engineer to install and configure them to provide a reasonable level of security.
As the devices submitted for this review are so diverse in specification, operation and target market, there is no real benefit in a head-to-head performance comparison; we have instead included realistic capabilities for each product in its individual write-up. Bear in mind that the bandwidth of WLAN equipment is relatively limited. An 11Mbps WLAN shares that 11Mbps between sending and receiving, since the radio is half-duplex, and if only one user is connected they get the whole of it; two or more simultaneous users must share it. Note that this is not the number of users associated with the AP: you could have 50 WLAN users within range, and if none of them is sending or receiving data then very little bandwidth is used; they must be transferring data at the same time to slow the resource down. Also, the further a WLAN user gets from the AP, or if there are physical structures in the way, the connection speed steps down from 11Mbps to 5.5Mbps to 2Mbps, with 1Mbps the lowest rate at which a connection can be held. Apply an encryption protocol on top of this and the maximum individual throughput on an 11Mbps WLAN drops to around 4 or 5Mbps, because of the overhead of processing the data (encrypting, sending, receiving, decrypting).
But let’s look at how the units in our comparison performed.
3Com Wireless LAN Access Point 8000
Setup for this unit is slightly different from the other units tested. It receives its power via the LAN cable (power over Ethernet), but it comes with what looks like a normal AC/DC power pack, or "brick". This pack, in addition to the normal power connection, has two RJ-45 sockets on it: one labelled To Access Point, the other To Hub/Switch. This lets you mount the AP wherever it gives the widest coverage, with only one CAT 5 cable to run to it. The only downside is the possible damage one could do to network equipment if the wrong cable were plugged into a LAN port.
We must admit that our first impressions of the 3Com product got off on a bad foot, as there was no user/configuration manual included in the product kit, just a mounting template, a quick start guide that takes you through plugging in the device, and the warranty booklet. A CD was included with some documentation on it, but this was an older version; we found the resources on the 3Com Web site more up to date for this product.
The CD also carries 3Com software that apparently allows you to perform WLAN site surveys to determine the best location for the AP; unfortunately it failed to launch despite our trying to install it on two systems. There is also a utility called 3Com Wireless Infrastructure Device Manager which, in theory, would save you a lot of time by automatically detecting your network settings, IP range and subnet, and configuring the 8000's IP properties so that you can reach it via a Web browser. Initially the version bundled with the AP repeatedly reported that no NIC could be detected in the system (despite two NICs being installed in the test system). Further investigation on the 3Com Web site showed this to be a known bug in that release of the software; once we had downloaded, installed and run the updated version we were offered the choice of both NICs, all well and good. However, no matter how hard we tried, the utility simply would not detect our settings, and even plugging the AP directly into the NIC on the local system with a crossover cable did not do the trick.
The second option (as with the other devices tested) is to set the IP address on your NIC to the same range as the AP. However, as the PDF manual we downloaded explains, the 8000's address is derived from the MAC address of the unit, ie 169.254.xxx.1, where xxx is the decimal value of the last two hexadecimal digits of the access point's MAC address (we are serious here; the PDF even goes to the trouble of telling you how to perform this conversion with the aid of a scientific calculator!). By this stage we were beginning to think this was getting a little too complex for the relative simplicity of the task at hand. We dutifully proceeded, converting the last two digits of the MAC address and putting our LAN NIC into that range, and suddenly we could reach the AP via the Wireless Infrastructure Device Manager and via the Web browser.
The 3Com Wireless LAN Access Point 8000 provides basic entry-level security at a reasonable price.
We then set about configuring the AP for testing; after day one, however, we noticed that the AP had dropped out entirely. We could not communicate with it either wirelessly or via the LAN, so we tried resetting it using the recessed reset button on the front, without luck. We can only assume that the unit had a hardware failure or was a pre-release unit that had not yet had all the bugs ironed out of it, and so we could not complete the testing.
Issues to consider: The built-in 11Mbps wireless access point limits the customer's future upgrade options, ie speed or range; should a client wish to change, they will need to replace the whole unit. The removable antenna connections were very flimsy where they screwed into the plastic casing. The Dynamic Security Link may be quite effective, but it relies on proprietary firmware in the 3Com wireless NIC in the client device, and as we were not supplied with one for the review we could not evaluate its effectiveness.
Type of client this unit would suit: small to medium enterprise (SME) who have an existing LAN and want to add a small relatively secure W-LAN easily installed with no-frills units (ie, no WAN port, no integrated switch, etc) and is very easily wall or ceiling mounted with only one cable needing to be run to the unit.
Bluesocket WG-1000
Bluesocket's gateway prevents unauthorised access to wired network resources by authenticating each user attempting to access the network via a wireless connection.
Actual installation could not have been easier despite its complex capabilities and specifications. Simply plug in the power, a network cable from the ETH0 port to your wired LAN and a network cable from the ETH1 port to your wireless LAN equipment, and turn the server on. It takes a few minutes to start up, but once running it shows its current IP address on the front panel display. Open a browser on a client system attached to the same LAN (on the same IP range/subnet, as per the documentation), enter that address, and you can reconfigure the server for your needs. Configuration is not limited to the browser: the WG-1000 also supports SNMP for administration by applications such as HP OpenView and Tivoli NetView.
Redundancy and failover is provided for by the WG Mesh facility that will allow you to link multiple WG-1000 units with a single management/configuration, the slave systems will obtain the changed settings from the master in real time.
The WG-1000 also handles network address translation (NAT) and port mapping for wireless devices that need to accept inbound connections, or that run applications requiring specific ports to be open, such as IRC or, dare we say it, network games.
The Bluesocket WG-1000 is a medium- to large-corporation wireless security device that will definitely block most if not all intruders if implemented correctly.
The auto backup feature is also quite handy: it automates the backup of the configuration and exports it to a File Transfer Protocol (FTP) server. The controls allow you to set daily, weekly or monthly backups, or to perform an immediate manual backup to the FTP server. Bear in mind that FTP transfers in the clear and the exported file describes your whole access policy, so that FTP server belongs on the wired side with access restricted accordingly.
One of the benefits of authenticating individual users is that you can give them separate permissions to network resources, such as Internet only, or individual servers or shares only. Once a user is authenticated, they are placed in a group, and the group carries a set of access privileges that remain in force for that user's session: time restrictions, bandwidth limits and resource limits. For example, in a corporation with R&D, manufacturing, sales and distribution departments, you could block Internet access for users in manufacturing and distribution while leaving it available to sales and R&D.
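What that model looks like in practice, as an added example (editor's Python, not Bluesocket's code or configuration): a gateway-style session table bound to the client's wireless-side IP address after a password check, with each group carrying an ordered rule list, a time window and a bandwidth cap. The users, groups, passwords and addresses are constructed for the example and do not reflect any particular deployment.

```python
"""Authenticate-then-classify gateway policy (added example; constructed users and rules)."""
import hashlib
import hmac
import os
import ipaddress
from dataclasses import dataclass
from datetime import time

ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")           # the wired LAN behind the gateway
FILE_SERVER = ipaddress.ip_network("10.1.5.20/32")      # constructed address


@dataclass
class GroupPolicy:
    rules: list                                     # ordered (action, network, port|None); first match wins
    hours: tuple = (time(0, 0), time(23, 59, 59))   # window in which the group may use the network
    bandwidth_kbps: int = 0                         # 0 means no cap


POLICIES = {
    "sales": GroupPolicy([("allow", ANY, None)], bandwidth_kbps=512),
    "rnd": GroupPolicy([("allow", ANY, None)]),
    "manufacturing": GroupPolicy([("allow", FILE_SERVER, 445)], hours=(time(6, 0), time(18, 0))),
    "guest": GroupPolicy([("deny", INTERNAL, None), ("allow", ANY, 80), ("allow", ANY, 443)],
                         bandwidth_kbps=128),
}


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _user(group: str, password: str) -> tuple:
    """Constructed user record: (group, salt, derived key). The password itself is not stored."""
    salt = os.urandom(16)
    return (group, salt, _derive(password, salt))


USERS = {
    "alice": _user("sales", "s3cret-alice"),
    "bob": _user("manufacturing", "s3cret-bob"),
    "visitor": _user("guest", "welcome"),
}

SESSIONS: dict = {}   # client IP -> group; an entry exists only after a successful login


def login(user: str, password: str, client_ip: str) -> bool:
    """Bind the client's address to the user's group once the password checks out."""
    rec = USERS.get(user)
    if rec is None:
        return False
    group, salt, key = rec
    if not hmac.compare_digest(_derive(password, salt), key):
        return False
    SESSIONS[client_ip] = group
    return True


def logout(client_ip: str) -> None:
    SESSIONS.pop(client_ip, None)


def decide(client_ip: str, dst_ip: str, port: int, now: time) -> tuple:
    """Judge one flow from the wireless side: (allowed, reason, bandwidth_cap_kbps)."""
    group = SESSIONS.get(client_ip)
    if group is None:
        return (False, "unauthenticated client", 0)          # unknown address: nothing gets through
    pol = POLICIES[group]
    if not (pol.hours[0] <= now <= pol.hours[1]):
        return (False, f"{group}: outside permitted hours", 0)
    dst = ipaddress.ip_address(dst_ip)
    for action, net, p in pol.rules:
        if dst in net and (p is None or p == port):
            label = f"{group}: matched {action} {net}" + (f":{p}" if p else "")
            return (action == "allow", label, pol.bandwidth_kbps)
    return (False, f"{group}: no matching rule (default deny)", 0)
```

Rule order matters: the guest group lists its deny for the internal range ahead of its Web allows, so a guest reaching the file server on port 80 is refused while the same port on an Internet address is allowed, and anything no rule covers falls through to deny. Binding the session to the client's address is what lets the gateway decide per packet without re-authenticating; it is also why the address must be one the gateway itself sees, on its wireless-side interface, and not one the client claims.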
The Bluesocket WG-1000 is capable of supporting up to 100 users with its maximum encrypted throughput being rated at 30Mbps.
Issues to consider: The WG-1000 is based on an Intel integrated server platform and uses a standard 3.5in IDE hard disk drive and 150w power supply unit, therefore could be subject to normal server maintenance issues such as mechanical drive or fan failures possibly causing downtime.
Best suited for: Large companies with several access points and relatively large volumes of wireless traffic, requiring fast, efficient, dedicated authentication and encryption with strong separation between wireless and wired LAN traffic.
Cranite Software Suite
The Cranite software was relatively easy to install; it took around 30 to 45 minutes. However, you need to provide two servers, one to act as a policy server and the other as an access controller. The policy server must run Microsoft Windows 2000 Server with Internet Information Server (IIS) and Internet Authentication Service (IAS, Microsoft's RADIUS server) installed and running. The policy server must also be a member of the domain if you have a separate domain controller or Active Directory on your LAN; alternatively, you can install Active Directory on the policy server itself to act as a standalone directory. Cranite recommends that any RADIUS service you require run on the same Windows 2000 server.
The access controller hardware is described by Cranite as a blank generic hardware platform; note that two 100Mbps NICs must be installed, one for the link to your LAN and the other to your WLAN. The software is installed from two CDs and runs a modified version of Red Hat Linux.
The Cranite Software Suite gives you the ability to choose your own hardware platforms.
Configuration of the policy server also is relatively pain free providing you have installed and are running all the required Microsoft Windows 2000 Server options.
As for the configuration of the access controller software one of the more annoying points is that you need to grant your access controller server Internet access while configuring the software simply so that it can attach to Cranite's licensing server and verify the correct license information has been supplied to you. According to the documentation, there is a way Cranite can manually issue you with valid licensing in case you are in an organisation that does not have LAN access to the Internet. They should make this manual licensing applicable for all users or at least make the policy server responsible for completing the registration as this is the server that is more likely to have a valid Internet connection.
The maximum number of wireless APs supported by the Cranite solution is 15.
Issues to consider: Security and administration issues may increase depending on the security of the underlying server hardware and software (ie, Windows 2000 Server and Red Hat Linux), which must be patched and maintained like any other server. Also, due to the nature of the hardware, it requires more routine maintenance than some of the other products. Providing your client hardware runs Microsoft Windows 98, ME, 2000 or XP you are fine; however, if you have PDAs with wireless cards, or run Mac or Linux OSes, you may run into difficulties.
Best suited for: A mid- to large-sized organisation with existing reliance and preference for Windows 2000 servers and Windows-based clients.
D-Link AirPlus DI-614+
The D-Link DI-614+ is fundamentally an all-in-one WAN/Internet router, 22Mbps wireless access point (D-Link's proprietary extension of 802.11b; standard clients connect at 11Mbps) and 4-port 10/100Mbps LAN switch. The wireless security features of this unit are negligible and no better than most other wireless APs currently on the market. This article is about wireless security and wireless security gateways, and the D-Link supports only WEP which, as discussed above, presents no real obstacle to a determined hacker.
The D-Link AirPlus would require additional security measures for complete confidence.
From the three vendors that submitted products with integrated APs, the D-Link was the only one to offer up to 22Mbps speeds.
Installing the D-Link was very easy as were all the integrated products that we received. All ports were clearly marked on the unit therefore it was just a matter of plugging in the applicable cables. The D-Link configuration process is handled via a Web browser and going to the default IP address and reconfiguring it to suit your organisation.
Issues to consider: The built-in 22Mbps wireless access point limits the customer's future upgrade options, ie speed or range; should a client wish to move to a 54Mbps (802.11a) WLAN, they would need to replace the whole unit. Because the AP is built in, should you need to install the unit on a wall or ceiling for better wireless coverage, you will need to run network, power and broadband modem cables all the way up to it, or purchase and run separate external antennas and connection cables. Also, for a totally integrated solution (LAN, WAN, WLAN, etc) there was not enough LED status information on the front of the unit.
Type of client this unit would suit: This unit would best suit the home user or small office home office (SOHO), due to the limits of the integrated hub, WAN router, and built-in wireless access point.
Netgear FVM-318
Installation was virtually identical to the D-Link unit. The auto-uplink (automatic MDI/MDI-X) sensing on all eight LAN ports is a handy feature when connecting to extra hubs or an existing LAN.
Configuration was via a Web browser again and presented no major dramas, as all features, particularly the security end of the VPN connections, were very straightforward, with excellent guidance and help provided in a built-in browser window. Something to be aware of is that this is not a normal wireless AP; it is a wireless VPN AP, so you must install client software on your notebooks even to pick up the AP. The unit was not picked up by two of the wireless scanning applications until the client software had been installed. This is great news for people who are not looking for a deployment on the scale of the Bluesocket or Cranite solutions but still require a very secure wireless environment. Using 3DES IPsec for the WLAN VPN, the maximum client data throughput is around 4.2Mbps.
The Netgear FVM-318 is an affordable solution aimed at the small business.
Issues to consider: Again, the built-in wireless VPN access point limits the customer's future upgrade options. The VPN WLAN restricts the maximum number of wireless users to 30. Installing and configuring the VPN client software on each notebook adds time to the install, but the security benefit of a dedicated, authenticated VPN tunnel per client far outweighs that cost.
Type of client this unit would suit: Small offices with fewer than 20 wired LAN users and fewer than 15 wireless LAN users utilising the WLAN within a relatively limited area.