<html>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Wireless LAN 802.11b Security FAQ</title>
<style>
<!--
h3           {  }
-->
</style>
</head>
<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#800080">

<p>Wireless LAN Security FAQ
</p>
<p>By
Christopher W. Klaus of Internet Security Systems (ISS). Please send
corrections, additions, and new questions to <a href="mailto:cklaus@iss.net">cwkpublic@iss.net</a>.

</p>
<p>Version 1.5 - Last Updated April 21st 2002</p>
<hr>
<h1>Contents</h1>
<ul>
  <li>
    <p><a href="#Where do I get the latest version of this Wireless LAN Security FAQ?">[0]
    Where do I get the latest version of this Wireless LAN Security FAQ?</a>
    </li>
  <li>
    <p><a href="#[1] What is the overview of Wireless LAN 802.11 technology?">[1]
    What is the overview of Wireless LAN 802.11 technology?</a>
    
    <ul>
      <li>
        <a href="#[1.1] When will 802.11a arrive and how will the security be different than 802.11b?">[1.1]
        When will 802.11a arrive and how will the security be different than
        802.11b?</a></li>
      <li>
        <a href="#[1.2] What is an Access Point?">[1.2]
        What is an Access Point?</a></li>
      <li>
        <a href="#[1.3] How much does the equipment for wireless 802.11b cost?">[1.3]
        How much does the equipment for wireless 802.11b cost?</a></li>
      <li>
        <a href="#[1.4] Are companies the only wireless targets by attackers?">[1.4]
        Are companies the only wireless targets by attackers?</a></li>
      <li>
        <a href="#[1.5] Where can you find wireless 802.11 networks?">[1.5]
        Where can you find wireless 802.11 networks?</a></li>
      <li>
        <a href="#[1.6] How does the antenna affect wireless LAN security?">[1.6]
        How does the antenna affect wireless LAN security?</a><ul>
      <li><a href="#[1.6.1] How do I build a cheap and effective antenna">
      [1.6.1] How do I build a cheap and effective antenna? </a></li>
    </ul>
      </li>
      <li>
        <a href="#[1.7] Can you spot a laptop with wireless 802.11 capability by looking for the antenna?">[1.7]
        Can you spot a laptop with wireless 802.11 capability by looking for the
        antenna?</a></li>
    </ul>
  </li>
  <li>
    <p><a href="#[2] What are the major security risks to 802.11b?">[2]
    What are the major security risks to 802.11b?
    </a>
    
    <ul>
      <li>
        <p><a href="#[2.1] What are Insertion Attacks?">[2.1]
        What are Insertion Attacks?</a>
        <ul>
          <li>
            <a href="#[2.1.1] Plug-in Unauthorized Clients">[2.1.1]Plug-in
            Unauthorized Clients</a></li>
          <li>
            <a href="#[2.1.2] Plug-in Unauthorized Renegade Base Station">[2.1.2]Plug-In
            Unauthorized Renegade Base Stations</a></li>
        </ul>
      </li>
      <li>
        <p><a href="#[2.2] What are Interception and monitoring wireless traffic attacks?">[2.2]
        What are Interception and monitoring wireless traffic attacks?</a>
        <ul>
          <li>
            <a href="#[2.2.1] Wireless Sniffer">[2.2.1]
            Wireless Sniffer</a></li>
          <li>
            <a href="#[2.2.2] Hijacking the session">[2.2.2]
            Hijacking the session</a></li>
          <li>
            <a href="#[2.2.3]Broadcast Monitoring">[2.2.3]
            Broadcast Monitoring</a></li>
          <li>
            <a href="#[2.2.4]ArpSpoof Monitoring and Hijacking">[2.2.4]
            ArpSpoof Monitoring and Hijacking</a>
            <ul>
              <li>
                <a href="#[2.2.4.1]Hijacking SSL (Secure Socket Layer) and SSH (Secure Shell) connections.">[2.2.4.1]
                Hijacking SSL (Secure Socket Layer) and SSH (Secure Shell)
                connections</a></li>
            </ul>
          </li>
          <li>
            <a href="#[2.2.5] BaseStation Clone (Evil Twin) intercept traffic">[2.2.5]
            BaseStation Clone (Evil Twin) intercept traffic</a></li>
        </ul>
      </li>
      <li>
        <p><a href="#[2.3] What are AP Misconfigurations?">[2.3]
        What are AP and Client Misconfigurations?</a>

        <ul>
          <li>
            <a href="#[2.3.1] Server Set ID (SSID)">[2.3.1]
            Server Set ID (SSID)</a>
            <ul>
              <li>
                <a href="#[2.3.1.1] What are the default SSID's?">[2.3.1.1]
                What are the default SSID's?</a></li>
            </ul>
          </li>
          <li>
            <a href="#[2.3.2]What is Secure Access mode?">[2.3.2]
            What is Secure Access Mode?</a></li>
          <li>
            <p><a href="#[2.3.3] Bruteforce Base Station SSID">[2.3.3]
            Bruteforce Base Station SSID</a></li>
          <li>
            <a href="#[2.3.4] Can the SSID be encrypted?">[2.3.4]
            Can the SSID be encrypted?</a></li>
          <li>
            <a href="#[2.3.5] By turning off the broadcast of SSID, can someone still sniff the SSID?">[2.3.5]
            By turning off the broadcast of SSID, can someone still sniff the
            SSID?</a></li>
          <li>
            <a href="#[2.3.6] Wired Equivalent Privacy (WEP)">[2.3.6]
            Wired Equivalent Privacy (WEP)</a>
            <ul>
              <li>
                <a href="#[2.3.6.1] Attacks against WEP">[2.3.6.1]
                Attacks against WEP</a></li>
              <li>
                <a href="#[2.3.6.2] Default WEP Keys">[2.3.6.2]
                Default WEP Keys</a></li>
            </ul>
          </li>
          <li>
            <a href="#[2.3.7] SNMP community words">[2.3.7]
            SNMP community words</a><ul>
          <li><a href="#[2.3.7.1] SNMP vulnerabilities">[2.3.7.1] SNMP 
          Vulnerabilities</a></li>
        </ul>
          </li>
          <li>
            <a href="#[2.3.8] Configuration Interfaces">[2.3.8]
            Configuration Interfaces</a></li>
          <li>
            <a href="#[2.3.9] Client side security risk">[2.3.9]
            Client side security risk</a></li>
          <li>
            <a href="#[2.3.10] Installation Risk">[2.3.10]
            Installation Risk</a></li>
        </ul>
      </li>
      <li>
        <p><a href="#[2.4] Jamming">[2.4]
        What is Jamming?</a>
        <ul>
          <li>
            <a href="#[2.4.1] 2.4 GHz Interfering Technology">[2.4.1]
            2.4 GHz Interfering Technology</a></li>
        </ul>
      </li>
      <li>
        <p><a href="#[2.5] Client to Client Attacks">[2.5]
        What are Client to Client Attacks?</a>
        <ul>
          <li>
            <a href="#[2.5.1] Filesharing and other TCP/IP service attacks">[2.5.1]
            Filesharing and other TCP/IP service attacks</a></li>
          <li>
            <a href="#[2.5.2] DOS(Denial of Service)">[2.5.2]
            DOS (Denial of Service)</a></li>
          <li>
            <a href="#[2.5.3] Hybrid Threats">[2.5.3] Hybrid Threats</a></li>
        </ul>
      </li>
      <li>
        <a href="#[2.6] War Driving Access Point Maps">[2.6]
        War Driving Access Point Maps</a></li>
      <li>
        <a href="#[2.7] Parasitic Grids">[2.7] Parasitic Grids</a></li>
    </ul>
  </li>
  <li>
    <p><a href="#[3] What are solutions to minimizing WLAN security risk?">[3]
    What
    are solutions to minimizing WLAN security risk?
    </a>
    
    <ul>
      <li>
        <a href="#[3.1] Wireless Security Policy and Architecture Design">[3.1]
        Wireless Security Policy and Architecture Design</a></li>
      <li>
        <a href="#[3.2] Treat BaseStations as Untrusted">[3.2]
        Treat BaseStations as Untrusted</a></li>
      <li>
        <a href="#[3.3] Base Station Configuration Policy">[3.3]
        Base Station Configuration Policy</a><ul>
      <li><a href="#[3.3.1] 802.1X Security">[3.3.1] 802.1X Security</a></li>
    </ul>
      </li>
      <li>
        <a href="#[3.4] Base Station Discovery">[3.4]
        Base Station Discovery</a></li>
      <li>
        <a href="#[3.5] Base Station Security Assessments">[3.5]
        Base Station Security Assessments</a></li>
      <li>
        <a href="#[3.6] Wireless Client Protection">[3.6]
        Wireless Client Protection</a></li>
    </ul>
  </li>
  <li><p><a href="#[4] Who is making 802.11 Security Solutions?">[4]
    Who is making 802.11 Security Solutions?</a>
    
    <ul>
      <li>
        <a href="#[4.1] 802.11 gateway infrastructure">[4.1]
        802.11 Gateway Infrastructure</a></li>
      <li>
        <a href="#[4.2] 802.11 Security Analysis Tools">[4.2]
        802.11 Security Analysis Tools</a></li>
    </ul>
  </li>
  <li><a href="#[5]  About Internet Security System’s Wireless 802.11b Solution">[5]
    About Internet Security System's Wireless 802.11b Solution</a></li>
</ul>
<hr>
<h2>Recent Updates
</h2>
<p>Version 1.5</p>
<ul>
  <li>Added all of Netgear's default WEP keys.</li>
  <li>Added Pringles Can and Waveguide Antenna Info.</li>
  <li>Added hybrid threats, next-gen virus/worm spread by wireless.</li>
  <li>Added Parasitic Grids. Free anonymous access for intruders.</li>
  <li>Added SNMP vulnerabilities.&nbsp; </li>
  <li>Added 802.1X Security, and its flaws.</li>
  <li>Added MiniStumbler, Wireless Scanner, BlackICE PC Protection.</li>
  <li>Added info on Broadcast pings.</li>
</ul>
<p>Version 1.3
</p>
<ul>
  <li>
    Added Section 1.7 regarding internal antenna.</li>
  <li>
    Added link to Cigital regarding ArpSpoofing. Cigital
    put together a nice diagram of the attack.</li>
  <li>
    Added Default WEP key for NetGear AP.</li>
  <li>
    Added link to BSD version of AirSnort.</li>
</ul>
<p>Version 1.2</p>
<ul>
  <li>
    <p>Added where this WLAN Security FAQ can be found.</li>
  <li>
    Cleaned up the formatting</li>
  <li>
    Added better indexing, added hyperlinks between index and content</li>
  <li>
    Added
    link to article on wireless LAN antennas</li>
</ul>
<p>Version 1.1</p>
<ul>
  <li>
    <p>Added
NetStumbler, WEPCrack tools, Added WEP insecurity paper
</li>
  <li>
    <p>Added
Ecutel, BlueSocket, and NetMotion as WLAN Sec. Products</li>
  <li>
    <p>Updated
Accuracy of WEP description and made it clear that SSID not being encrypted.
</li>
  <li>
    <p>Added
Broadcast of SSID turned off can still be circumvented.
</li>
  <li>
    <p>Added
Addtron’s default SSID, a popular AP
</li>
  <li>
    <p>Added
War Driving AP maps.
</li>
  <li>
    <p>Added
802.11 ArpSpoof, a technique used by ISS X-Force Consulting.
</li>
  <li>
    <p>Added
hijacking SSH and SSL connections via wireless.
</li>
  <li>
    <p>Added
2 X-Force Advisories on Wireless 802.11 flaws

    </li>
</ul>
<p>Version
1.0

</p>
<ul>
  <li>
    <p>First draft
</li>
</ul>
<hr>
<h1><b>[0]
<a name="Where do I get the latest version of this Wireless LAN Security FAQ?">Where do I get the latest version of this Wireless LAN
Security FAQ?
 </a>

</b></h1>
<ul>
  <li>
    <p>The
most current version is on the Web at <a href="http://www.iss.net/wireless">http://www.iss.net/wireless</a>

</li>
  <li>
    <p>It
will be regularly posted to <a href="mailto:issforum@iss.net">issforum@iss.net</a>
(<a href="http://www.iss.net/maillists">http://www.iss.net/maillists</a>).
</li>
</ul>
<ul>
  <li>
    <p>It will be posted to the following Usenet newsgroups:
    comp.security.misc, comp.security.firewalls, comp.security.unix,
    comp.std.wireless, comp.dcom.sys.cisco, comp.dcom.sys.nortel,
    comp.dcom.telecom
</li>
</ul>
<h1><a name="[1] What is the overview of Wireless LAN 802.11 technology?">[1]
What
is the overview of Wireless LAN 802.11 technology?</a></h1>
<p>The wireless LAN standard 802.11b has the strongest momentum toward becoming the
main standard for corporate internal wireless LAN networks. 802.11b offers a bandwidth
of 11 Mbit/s and operates in the 2.4 GHz frequency band. Its successor, 802.11a, is
designed to be faster and to operate at a different frequency. While the 802.11a
standard and the technology behind it are still in the near future, 802.11b is here
today, and many companies and even individuals are deploying and using it now.
</p>
<p>As more wireless technology is developed and deployed, the attacks will grow more
complex, but the methods described here appear to be the main ones currently used to
break into and attack wireless systems. These attacks are likely to apply in very
similar form to other wireless technologies and are not unique to 802.11b. Understanding
these risks, and how to build a security solution for 802.11b, is a good stepping-stone
toward securing any wireless deployment.
</p>
<h2><a name="[1.1] When will 802.11a arrive and how will the security be different than 802.11b?">[1.1]
When will 802.11a arrive and how will the security be different than 802.11b?</a></h2>
<p>Most manufacturers of wireless technology are claiming they will ship 802.11a
products either in late 2001 or at the beginning of 2002. The 802.11a protocol
specifications are very similar to those of 802.11b, so many of the security risks are
shared by both. Many of the security issues around 802.11b will continue to be issues
with 802.11a, so understanding the current issues will help organizations deal with
future ones as well.
</p>
<h2><a name="[1.2] What is an Access Point?">[1.2]
What is an Access Point?</a></h2>
<p>The AP (access point, also known as a base station) is the wireless server that
connects clients to the internal network. Base stations typically act as a bridge for the
clients. The base station has an IP address for management configuration, and base
stations typically run an SNMP agent for remote management.
</p>
<h2><a name="[1.3] How much does the equipment for wireless 802.11b cost?">[1.3]
How much does the equipment for wireless 802.11b cost?</a>
</h2>
<p>Base stations have become relatively inexpensive, approximately under $300US. The
802.11 client cards for PDAs, laptops, and desktops are approximately under $100US.
Because the equipment is so cheap, attackers have easy access to the tools needed to
carry out these attacks. The low price also means that employees within many companies
can purchase wireless equipment without approval and deploy it in a rogue fashion,
creating additional risk.
</p>
<h2><a name="[1.4] Are companies the only wireless targets by attackers?">[1.4]
Are companies the only wireless targets by attackers?</a>
</h2>
<p>While this FAQ focuses on the risk issues from a corporate network perspective, the
same issues apply to home networks and to telecommuters who use wireless. As corporate
networks allow in remote users, those users may be using wireless at their end-point to
connect in. In this case, even if no wireless capability has been installed on the
corporate network, the company may still be affected by the risk of its remote employees
using wireless at home or on the road.
</p>
<h2><a name="[1.5] Where can you find wireless 802.11 networks?">[1.5]
Where can you find wireless 802.11 networks?</a></h2>
<p>Airports, hotels, and even coffee shops
like Starbucks are deploying 802.11 networks so people can wirelessly browse the
Internet with their laptops. As
these types of networks increase, this will create additional security risk for
the remote user if not properly protected.

</p>
<h2><a name="[1.6] How does the antenna affect wireless LAN security?">[1.6]
How does the antenna affect wireless LAN security?</a></h2>
<p>Because
the intruder must be within range of the signal, a properly selected and
positioned antenna within a building can minimize how far the signal can reach
and therefore reduce leakage and interception. For selecting different
antenna designs for appropriate signal reception, here is an article on wireless
antennas:</p>
<ul>
  <li>
    <p><span class="articletitle">Antennas
    Enhance WLAN Security</span> in Byte Magazine, October 2001.</li>
  <li>
    <p><a href="http://www.byte.com/documents/s=1422/byt20010926s0002/1001_marshall.html">http://www.byte.com/documents/s=1422/byt20010926s0002/1001_marshall.html</a></li>
</ul>
<h3><a name="[1.6.1] How do I build a cheap and effective antenna">[1.6.1] How
do I build a cheap and effective antenna?</a></h3>
<p>There are many people who are building cheap antennas from various cans bought at the
grocery store, including Pringles cans and beef stew cans.&nbsp; The waveguide cans
appear to give a significantly stronger signal.&nbsp; Here is a good guide to building
Pringles and waveguide antennas:</p>
<ul>
  <li>802.11b Homebrew Antenna Shootout</li>
  <li><a href="http://www.turnpoint.net/wireless/has.html">http://www.turnpoint.net/wireless/has.html</a></li>
</ul>
<h2><a name="[1.7] Can you spot a laptop with wireless 802.11 capability by looking for the antenna?">[1.7]
Can you spot a laptop with wireless 802.11 capability by looking for the
antenna?</a></h2>
<p>Many major computer manufacturers now support built-in wireless 802.11 capability, and
many new laptops include an internal wireless antenna. The physical antenna will not be
easy to spot on all laptops.</p>
<h1><a name="[2] What are the major security risks to 802.11b?">[2]
What are the major security risks to 802.11b?

    </a></h1>
<p>Here
is the list of main known security risks with 802.11b:</p>
<ul>
  <li>
    <p>Insertion Attacks 

</li>
  <li>
    <p>Interception and monitoring wireless traffic

</li>
  <li>
    <p>Misconfiguration

</li>
  <li>
    <p>Jamming

</li>
  <li>
    <p>Client to Client Attacks

</li>
</ul>
<h2><a name="[2.1] What are Insertion Attacks?">[2.1]
What are Insertion
Attacks?
</a></h2>
<p>The insertion attacks are based on
placing unauthorized devices on the wireless network without going through a
security process and review. 

</p>
<h3><a name="[2.1.1] Plug-in Unauthorized Clients">[2.1.1]
Plug-in
Unauthorized Clients</a>
</h3>
<p>An attacker tries to connect their wireless client, typically a laptop or PDA, to a
base station without authorization. Base stations can be configured to require a
password before clients can access them. If there is no password, an intruder can
connect to the internal network simply by connecting a client to the base station.
</p>
<h3><a name="[2.1.2] Plug-in Unauthorized Renegade Base Station">[2.1.2]
Plug-in
Unauthorized Renegade Base Station</a>
</h3>
<p>Many companies may not be aware that internal employees have deployed wireless
capabilities on their network. An internal employee who wants to add wireless
capabilities plugs their own base station into the wired intranet. This is a risk if the
base station has not been properly secured, and it can lead to the previously described
attack: unauthorized clients gaining access through the unauthorized base station and
letting intruders into the internal network. Typically, companies may need a policy
against employees adding wireless base stations to the corporate network without
requesting permission and going through a security process. A sophisticated intruder may
also physically place a base station on the victim's network to gain remote access via
wireless.
</p>
<h2><a name="[2.2] What are Interception and monitoring wireless traffic attacks?">[2.2]
What are Interception
and monitoring wireless traffic attacks?
 </a>

</h2>
<p>These interception and monitoring
attacks are popular on broadcast wired networks like Ethernet.
The same principles apply to wireless.

</p>
<h3><a name="[2.2.1] Wireless Sniffer">[2.2.1]
Wireless
Sniffer
 </a>

</h3>
<p>An attacker can sniff and capture legitimate traffic. Many of the sniffer tools for
Ethernet are based on capturing the first part of a connection session, where the data
typically includes the username and password. An intruder can then masquerade as that
user by using the captured information. An intruder who monitors the wireless network
can apply the same attack principle over the air.
</p>
<p>One of the big differences between wireless and wired sniffer attacks is that a wired
sniffer attack is carried out by remotely placing a sniffer program on a compromised
server and monitoring the local network segment; such an attack can be launched from
anywhere in the world. Wireless sniffing typically requires the attacker to be within
range of the wireless traffic. This is usually around 300 feet, but wireless equipment
keeps strengthening the signal and pushing this range further out.
</p>
<h3><a name="[2.2.2] Hijacking the session">[2.2.2]
Hijacking the session </a>
</h3>
<p>If
an attacker can sniff the wireless traffic, it is possible to inject false
traffic into a connection. An
attacker may be able to issue commands on behalf of a legitimate user by
injecting traffic and hijacking their victim’s session.


</p>
<h3><a name="[2.2.3]Broadcast Monitoring">[2.2.3]
Broadcast Monitoring</a></h3>
<p>If
a base station is connected to a hub rather than a switch, any network traffic
across that hub can be potentially broadcasted out over the wireless network.
Because the Ethernet hub broadcasts all data packets to all connected
devices including the wireless base station, an attacker can monitor sensitive
data going over wireless not even intended for any wireless clients.


</p>
<h3><a name="[2.2.4]ArpSpoof Monitoring and Hijacking">[2.2.4]
ArpSpoof Monitoring and Hijacking
 </a>

</h3>
<p>Normally, an AP treats the network traffic on the backbone of a subnet much as a
network switch would, so traffic not intended for any wireless client is not sent over
the airwaves. This can significantly reduce the amount of sensitive data on the
wireless network.
</p>
<p>An attacker using the arpspoof technique can trick the network into passing
sensitive data from the backbone of the subnet through the attacker's wireless client.
This gives the attacker both access to sensitive data that would not normally be sent
over wireless and an opportunity to hijack TCP sessions. Dsniff is a popular tool that
implements arpspoofing and is available at:
<a href="http://www.monkey.org/~dugsong/dsniff/">http://www.monkey.org/~dugsong/dsniff/</a></p>
<p>Cigital has a diagram depicting the attack available at: <a href="http://www.cigital.com/news/wireless/arppoison.gif">http://www.cigital.com/news/wireless/arppoison.gif</a></p>
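The poisoning described above is visible on the wire: forged replies arrive that nobody asked for, and the gateway's IP address is suddenly claimed by a second MAC address. The following detector is an example added for this FAQ (not code from ISS or from dsniff); it parses Ethernet/ARP frames from a constructed capture with made-up addresses and flags both signs.

```python
"""Flag ARP cache poisoning in a capture of Ethernet/ARP frames.

The arpspoof technique convinces hosts that the attacker's MAC address owns
another host's IP address (typically the gateway's), so subnet traffic is
routed through the attacker's wireless client. Two signs in the ARP traffic
give it away: replies that nobody asked for, and one IP address being claimed
by more than one MAC address. Example code added for this FAQ, not part of the
original; the addresses below are made up.
"""
import socket
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FRAME_LEN = 14 + 28  # Ethernet header + ARP for IPv4 over Ethernet


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def parse_arp(frame):
    """Return a dict of the ARP fields, or None if this is not IPv4-over-Ethernet ARP."""
    if len(frame) < ARP_FRAME_LEN:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": socket.inet_ntoa(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": socket.inet_ntoa(frame[38:42]),
    }


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Construct an Ethernet/ARP frame (used here only to build the sample capture)."""
    eth_dst = b"\xff" * 6 if op == ARP_REQUEST else mac_bytes(target_mac)
    eth = eth_dst + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)
    return eth + arp


def detect_arp_poisoning(frames):
    """Return a list of (alert, ip, detail) tuples for suspicious ARP replies.

    The first MAC seen for an IP is taken as the legitimate binding (a real
    monitor would seed this from a known-good table); a later reply with a
    different MAC raises 'mac-change'. A reply for an IP that no host asked
    about raises 'unsolicited-reply', the pattern produced by flooding forged
    replies.
    """
    bindings = {}        # ip -> first MAC seen claiming it
    outstanding = set()  # IPs some host asked about and has not yet heard back on
    alerts = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue
        if arp["op"] == ARP_REQUEST:
            outstanding.add(arp["target_ip"])
            continue
        if arp["op"] != ARP_REPLY:
            continue
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if ip in outstanding:
            outstanding.discard(ip)
        else:
            alerts.append(("unsolicited-reply", ip, mac))
        known = bindings.setdefault(ip, mac)
        if known != mac:
            alerts.append(("mac-change", ip, "%s -> %s" % (known, mac)))
    return alerts


# Constructed capture: a client resolves the gateway, then forged replies arrive.
GATEWAY_MAC, GATEWAY_IP = "00:0c:29:aa:bb:01", "192.168.1.1"
CLIENT_MAC, CLIENT_IP = "00:11:22:33:44:20", "192.168.1.20"
SPOOFER_MAC = "de:ad:be:ef:00:01"   # the attacker's wireless client
CAPTURE = [
    build_arp(ARP_REQUEST, CLIENT_MAC, CLIENT_IP, "00:00:00:00:00:00", GATEWAY_IP),
    build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, CLIENT_MAC, CLIENT_IP),   # legitimate answer
    build_arp(ARP_REPLY, SPOOFER_MAC, GATEWAY_IP, CLIENT_MAC, CLIENT_IP),   # poisons the client
    build_arp(ARP_REPLY, SPOOFER_MAC, CLIENT_IP, GATEWAY_MAC, GATEWAY_IP),  # poisons the gateway
]

if __name__ == "__main__":
    for alert in detect_arp_poisoning(CAPTURE):
        print(alert)
```

On a real segment the same logic runs over frames read from a capture file; seeding `bindings` from a known-good address table removes the first-seen-wins assumption.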
<h4><a name="[2.2.4.1]Hijacking SSL (Secure Socket Layer) and SSH (Secure Shell) connections.">[2.2.4.1]
Hijacking SSL (Secure Socket Layer) and SSH (Secure Shell) connections.</a></h4>
<p>By using the arpspoofing technique, an attacker can hijack simple TCP connections.
There are tools that allow for hijacking SSL and SSH connections as well. Typically,
when an SSL or SSH connection is hijacked, the only alert to the end-user is a warning
that the host key or certificate has changed, asking whether to trust the new one. Many
users simply accept the new credentials, thus allowing the attacker to succeed. A
reasonable interim measure to prevent the attack is to have users enable SSH's
StrictHostKeyChecking option, and to distribute server key signatures to mobile clients.
</p>
<p>The
Dsniff FAQ explains how to hijack in detail SSH and HTTPS connections: <a href="http://www.monkey.org/~dugsong/dsniff/faq.html">http://www.monkey.org/~dugsong/dsniff/faq.html</a>
</p>
<h3><a name="[2.2.5] BaseStation Clone (Evil Twin) intercept traffic">[2.2.5]
BaseStation
Clone (Evil Twin) intercept traffic
 </a>

</h3>
<p>An attacker can trick legitimate wireless clients into connecting to the attacker's
honeypot network by placing, in close proximity to the wireless clients, an unauthorized
base station with a stronger signal that mimics a legitimate base station. This may cause
unaware users to attempt to log into the attacker's honeypot servers. With false login
prompts, the user can unknowingly give away sensitive data like passwords.
</p>
<h2><a name="[2.3] What are AP Misconfigurations?">[2.3]
What are AP and Client Misconfigurations?</a>
</h2>
<p>By default, all the base stations analyzed out of the box from the factory were
configured in the least secure mode possible. Adding the proper security configuration
was left as an exercise for the administrator. Unless the administrator of the base
station understands the security risks, most base stations will remain at a high risk
level. The analysis of three base station models from the leading 802.11 vendors led to
many configuration issues that should be audited and assessed by the organization. The
top three base station vendors analyzed were Cisco, Lucent, and 3Com. The security risks
identified may change in newer versions of the 802.11 solutions, as they are evolving
rapidly. Each vendor had different implementation security risks, but the underlying
issues are the same and apply to other vendors not listed here.
</p>
<h3><a name="[2.3.1] Server Set ID (SSID)">[2.3.1]
Server
Set ID (SSID)</a>
</h3>
<p>SSID
is a configurable identification that allows clients to communicate to the
appropriate base station. With
proper configuration, only clients that are configured with the same SSID can
communicate with base stations having the same SSID.
SSID from a security point of view acts as a simple single shared
password between base stations and clients.


</p>
<h4><a name="[2.3.1.1] What are the default SSID's?">[2.3.1.1]
What are the default SSID's?</a>
</h4>
<p>Each
of the base station models came with default SSIDs.
Attackers can use these default SSIDs to attempt to penetrate base
stations that are still in their default configuration.
Here are some default SSIDs:
</p>
<ul>
  <li>“tsunami” - Cisco</li>
  <li>“101” - 3Com</li>
  <li>“RoamAbout Default Network Name” - Lucent/Cabletron</li>
  <li>“Default SSID”</li>
  <li>“Compaq” - Compaq</li>
  <li>“WLAN” - Addtron, a popular AP</li>
  <li>“intel” - Intel</li>
  <li>“linksys” - Linksys</li>
  <li>“Wireless”</li>
</ul>
<h3><a name="[2.3.2]What is Secure Access mode?">[2.3.2]What
is Secure Access mode?</a>
</h3>
<p>Lucent
has Secure Access mode. This
configuration option requires the SSID of both client and base station to match.
By default this security option is turned off.
In non-secure access mode, clients can connect to the base station using
the configured SSID, a blank SSID, and the SSID configured as “any”.


</p>
<h3><a name="[2.3.3] Bruteforce Base Station SSID">[2.3.3]
Bruteforce
Base Station SSID</a>
</h3>
<p>Most base stations today are configured with a server set id (SSID) that acts as a
single key or password shared with all connecting wireless clients.
</p>
<p>An
attacker can try to guess the base station SSID by attempting to use a
bruteforce dictionary attack by trying every possible password.
Most companies and people configure most passwords to be simple to
remember and therefore easy to guess. Once the intruder guesses the SSID, they
can gain access through the base station.

</p>
<p>The SSID could also be obtained when one of the wireless clients is compromised or
when an employee who knows the key resigns; anyone holding the SSID can still connect to
the base station until the SSID is changed. If there are many wireless users and clients,
this security measure becomes hard to scale, because the SSID must be changed frequently
and every client and base station must be reconfigured with the updated shared SSID each
time.
</p>
<h3><a name="[2.3.4] Can the SSID be encrypted?">[2.3.4]
Can the SSID be encrypted?</a>
</h3>
<p>WEP,
the encryption standard for 802.11, only encrypts the data packets not the
802.11 management packets and the SSID is in the beacon and probe management
messages. The SSID is not encrypted
if WEP is turned on. The SSID goes
over the air in clear text. This
makes obtaining the SSID easy by sniffing 802.11 wireless traffic.


</p>
<h3><a name="[2.3.5] By turning off the broadcast of SSID, can someone still sniff the SSID?">[2.3.5]
By turning off the broadcast of SSID, can someone still sniff the SSID?</a>
</h3>
<p>Many
APs by default have broadcasting the SSID turned on.
Sniffers typically will find the SSID in the broadcast beacon packets.
Turning off the broadcast of SSID in the beacon message (a common
practice) does not prevent getting the SSID; since the SSID is sent in the clear
in the probe message when a client associates to an AP, a sniffer just has to
wait for a valid user to associate to the network to see the SSID.

</p>
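The two points above, that WEP does not cover management frames and that a client's probe request carries the SSID in the clear even when the beacon hides it, can be checked with a small frame parser. The following is an example added for this FAQ, not code from the original page or from ISS; it builds constructed beacon, probe request and probe response frames (made-up MAC addresses and SSID) and extracts the SSID element from each.

```python
"""Extract the SSID from constructed 802.11 management frames.

Shows why turning off SSID broadcast in beacons does not hide the SSID:
the beacon then carries an empty SSID element, but the probe request a
client sends when it associates (and the AP's probe response) carry the
SSID in clear text. WEP never covers management frames, so this holds
whether or not WEP is enabled. Example code added for this FAQ; the frame
layouts follow IEEE 802.11, the MAC addresses and SSID are made up.
"""
import struct

# Management-frame subtypes (frame control type 0)
SUBTYPE_PROBE_REQUEST = 0x4
SUBTYPE_PROBE_RESPONSE = 0x5
SUBTYPE_BEACON = 0x8

# Fixed fields that precede the tagged parameters in the frame body
FIXED_BODY_LEN = {
    SUBTYPE_PROBE_REQUEST: 0,    # tagged parameters start immediately
    SUBTYPE_PROBE_RESPONSE: 12,  # timestamp(8) + interval(2) + capability(2)
    SUBTYPE_BEACON: 12,
}
ELEMENT_ID_SSID = 0
ELEMENT_ID_RATES = 1
MAC_HDR_LEN = 24  # FC(2) + duration(2) + addr1/2/3 (18) + sequence control(2)
BROADCAST = b"\xff" * 6


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def parse_mgmt_frame(frame):
    """Return (subtype, source_mac, ssid) for a beacon/probe frame, else None.

    ssid is "" for a hidden SSID (zero-length element) and None when the
    frame carries no SSID element at all.
    """
    if len(frame) < MAC_HDR_LEN:
        return None
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    if ftype != 0 or subtype not in FIXED_BODY_LEN:
        return None  # data/control frames, or management subtypes we ignore
    source = mac_str(frame[10:16])  # addr2 = transmitter
    pos = MAC_HDR_LEN + FIXED_BODY_LEN[subtype]
    while pos + 2 <= len(frame):
        eid, elen = frame[pos], frame[pos + 1]
        pos += 2
        if pos + elen > len(frame):
            break  # truncated element: stop rather than read past the frame
        if eid == ELEMENT_ID_SSID:
            return subtype, source, frame[pos:pos + elen].decode("utf-8", "replace")
        pos += elen
    return subtype, source, None


def build_mgmt_frame(subtype, dst, src, bssid, ssid):
    """Construct a minimal management frame for the demonstration."""
    header = bytes([subtype << 4, 0x00])              # frame control
    header += b"\x00\x00" + dst + src + bssid          # duration, addr1..3
    header += struct.pack("<H", 0)                     # sequence control
    body = b"\x00" * FIXED_BODY_LEN[subtype]
    ssid_bytes = ssid.encode("utf-8")
    body += bytes([ELEMENT_ID_SSID, len(ssid_bytes)]) + ssid_bytes
    body += bytes([ELEMENT_ID_RATES, 1, 0x82])         # 1 Mbit/s, basic rate
    return header + body


def ssids_seen(frames, subtypes=None):
    """Collect every non-empty SSID from the frames (optionally only some subtypes)."""
    found = set()
    for frame in frames:
        parsed = parse_mgmt_frame(frame)
        if parsed is None:
            continue
        subtype, _source, ssid = parsed
        if subtypes is not None and subtype not in subtypes:
            continue
        if ssid:
            found.add(ssid)
    return found


# Constructed capture: an AP with SSID broadcast turned off, then a client associating.
AP_MAC = bytes.fromhex("00aabbccdd01")
CLIENT_MAC = bytes.fromhex("0011223344ee")
CAPTURE = [
    build_mgmt_frame(SUBTYPE_BEACON, BROADCAST, AP_MAC, AP_MAC, ""),  # hidden SSID
    build_mgmt_frame(SUBTYPE_PROBE_REQUEST, BROADCAST, CLIENT_MAC, BROADCAST, "corpnet"),
    build_mgmt_frame(SUBTYPE_PROBE_RESPONSE, CLIENT_MAC, AP_MAC, AP_MAC, "corpnet"),
]

if __name__ == "__main__":
    print("from beacons only:", ssids_seen(CAPTURE, {SUBTYPE_BEACON}))  # set()
    print("from all frames:  ", ssids_seen(CAPTURE))                    # {'corpnet'}
```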
<h3><a name="[2.3.6] Wired Equivalent Privacy (WEP)">[2.3.6]
Wired Equivalent Privacy (WEP)</a></h3>
<p>WEP
can be typically configured in 3 possible modes:

</p>
<ul>
  <li>
    <p>No encryption mode

</li>
  <li>
    <p>40 bit encryption

</li>
  <li>
    <p>128 bit encryption

</li>
</ul>
<p>By default out of the box, all base station models analyzed have WEP turned off.
40-bit versus 128-bit encryption provides no added protection against the known flaw in
WEP.
</p>
<p>Most public wireless LAN access points (i.e., airports, hotels, etc.) do not enable
WEP. Based on statistical analysis in regions like New York, San Francisco, London, and
Atlanta, most companies do not turn on WEP security on their APs. If the AP does not
enable WEP, the wireless clients cannot use WEP encryption.</p>
<p>In some base stations, it is optional whether the encryption is enforced. WEP
encryption may be turned on, but if it is not enforced, a client without encryption but
with the proper SSID can still access that base station.
</p>
<h4><a name="[2.3.6.1] Attacks against WEP">[2.3.6.1]
Attacks
against WEP
 </a>

</h4>
<p>The 802.11b standard uses an encryption scheme called WEP (Wired Equivalent Privacy).
It has some known weaknesses in how the encryption is implemented.
</p>
<p>Papers
on WEP Insecurities

</p>
<ul>
  <li>
    <p>Researchers at Berkeley have documented these findings at:</li>
  <li>
    <p><a href="http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html">http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html</a></li>
  <li>
    <p>Using the Fluhrer, Mantin, and Shamir Attack to Break WEP</li>
  <li>
    <p><a href="http://www.cs.rice.edu/~astubble/wep/wep_attack.html">http://www.cs.rice.edu/~astubble/wep/wep_attack.html</a></li>
</ul>
<p>Using WEP is better than not using it; it at least stops casual sniffers. Today,
however, there are readily available tools that let most attackers crack the WEP keys.
Airsnort and other tools need a lot of packets (several million) to recover the WEP key,
which on most networks takes longer than most people are willing to wait. If the network
is very busy, the WEP key can be cracked and obtained within 15 minutes.
</p>
<p>The
fix for encryption weakness for the standard is not slated to be addressed
before 2002. 

</p>
<p>Because of the WEP weakness, wireless sniffing and hijacking techniques can work even
with WEP encryption turned on.
</p>
<p>There
is the IEEE 802.1X standard which allows network access to be authenticated and
keys to be distributed. This allows access to APs to be authenticated and WEP
keys to be distributed and updated. More
APs are starting to support this standard.

</p>
<h4><a name="[2.3.6.2] Default WEP Keys">[2.3.6.2]
Default WEP Keys</a></h4>
<p>
The NetGear Access Point uses the following 4 WEP sequences as default keys.</p>
  <ul>
    <li>10 11 12 13 14</li>
    <li>21 22 23 24 25</li>
    <li>31 32 33 34 35</li>
    <li>41 42 43 44 45</li>
  </ul>
<p>It is recommended not to use the default WEP keys.</p>
<p>Please
e-mail <a href="mailto:cklaus@iss.net">cwkpublic@iss.net</a> if you know of other
default WEP keys for Access Points.</p>
<h3><a name="[2.3.7] SNMP community words">[2.3.7]
SNMP
community words
 </a>

</h3>
<p>Many of the wireless base stations have SNMP (Simple Network Management Protocol)
agents running. If the community word is not properly configured, an intruder can read,
and potentially write, sensitive information and data on the base station. If SNMP
agents are enabled on the wireless clients, the same risk applies to them as well.
</p>
<p>By default, all three base stations evaluated here (Cisco, Lucent/Cabletron and 3Com)
are read accessible using the community word “public”. With most base stations
defaulting to the community word “public”, potentially sensitive information can be
obtained from the base station.
</p>
<p>By default, the 3Com base station allows write access using the community word
“comcomcom”. Cisco and Lucent/Cabletron require the write community word to be
configured by the user before it is enabled.
</p>
<h4><a name="[2.3.7.1] SNMP vulnerabilities">[2.3.7.1] SNMP vulnerabilities</a></h4>
<p>Many implementations of SNMP were found to be vulnerable using the PROTOS tool
developed by the University of Oulu. This affected many vendors, many of which produce
wireless access points. Check with your vendor to see whether there is a firmware patch
for the SNMP vulnerabilities. For more information on the testing tool for finding SNMP
issues, see:</p>
<ul>
  <li><a href="http://www.ee.oulu.fi/research/ouspg/protos/">
  http://www.ee.oulu.fi/research/ouspg/protos/</a></li>
  <li><a href="http://www.iss.net/security_center/alerts/advise110.php">
  http://www.iss.net/security_center/alerts/advise110.php</a></li>
</ul>
<h3><a name="[2.3.8] Configuration Interfaces">[2.3.8]
Configuration
Interfaces
 </a>

</h3>
<p>Each
base station model has its own interfaces for viewing and modifying the
configuration. Here are the current
interface options for each base station:

</p>
<ul>
  <li>
    <p>Cisco - SNMP, serial, Web, telnet

</li>
  <li>
    <p>Lucent / Cabletron - SNMP, serial (no web/telnet)

</li>
  <li>
    <p>3Com - SNMP, serial, Web, telnet.

</li>
</ul>
<p>The 3Com base station lacks any access control on its web interface for reading the
configuration options. Connecting to the 3Com base station web interface shows the SSID
on the “system properties menu” display, so an attacker who finds a 3Com base station
web interface can easily get the SSID.
</p>
<p>The 3Com base station does require a password on the web interface for write
privileges. The password is the same as the community word for write privileges, so
3Com base stations are at risk if deployed with the default “comcomcom” as the
password. This gives an attacker easy write access.
</p>
<h3><a name="[2.3.9] Client side security risk">[2.3.9]
Client
side security risk
 </a>

</h3>
<p>Clients connecting to the base station store sensitive information for authenticating
to and communicating with the base station. If the client is not properly configured,
this information is accessible.
</p>
<ul>
  <li>
    <p>Cisco client software stores the SSID in the Windows registry. Cisco stores the
WEP key in the firmware, which is difficult to gain access to.</p>
  </li>
  <li>
    <p>Lucent/Cabletron client software stores the SSID in the Windows registry. The WEP
key is stored in the Windows registry, but it is encrypted. The encryption algorithm is
not documented.</p>
  </li>
  <li>
    <p>3Com client software stores the SSID in the Windows registry. The WEP key is
stored in the registry with no encryption.</p>
  </li>
</ul>
<p>Windows XP has 802.11 configuration built into the OS, including a display of the
available SSIDs.
</p>
<h3><a name="[2.3.10] Installation Risk">[2.3.10]
Installation Risk 
 </a>

</h3>
<p>By default, all installations are optimized for the quickest configuration, to get
users up and running out of the box. Conversely, by default the installations are
configured in the least secure mode possible.
</p>
<p>In the out-of-the-box experience, Cisco was the simplest and easiest to install. The
3Com installation was straightforward out of the box. Lucent/Cabletron had many firmware
upgrades, which led to confusion about which upgrades to install.
</p>
<h2><a name="[2.4] Jamming">[2.4]
Jamming
 </a>

</h2>
<p>Denial of service attacks on wired networks are popular. The same principle can be
applied to wireless traffic: legitimate traffic gets jammed because illegitimate traffic
overwhelms the frequencies, and legitimate traffic cannot get through.
</p>
<h3><a name="[2.4.1] 2.4 GHz Interfering Technology">[2.4.1]
2.4
GHz Interfering Technology
 </a>

</h3>
<p>An attacker with the proper equipment and tools can easily flood the 2.4 GHz
frequency so that the signal-to-noise ratio drops so low that the wireless network
ceases to function. This can be a risk even without malicious intent, as more
technologies use the same frequencies and cause blocking. Cordless phones, baby monitors,
and other devices like Bluetooth that operate on the 2.4 GHz frequency can disrupt a
wireless network.
</p>
<h2><a name="[2.5] Client to Client Attacks">[2.5]
What are Client
to Client Attacks?
 </a>

</h2>
<p>Two wireless clients can talk directly to each other, bypassing the base station.
Because of this, each client must protect itself from other clients.
</p>
<h4><a name="[2.5.1] Filesharing and other TCP/IP service attacks">[2.5.1]
Filesharing
and other TCP/IP service attacks</a> 

</h4>
<p>If a wireless client, like a laptop or desktop, is running TCP/IP services like a
web server or file sharing, an attacker on another client can exploit any
misconfigurations or vulnerabilities in those services.
</p>
<h4><a name="[2.5.2] DOS(Denial of Service)">[2.5.2]
DOS(Denial of Service)
 </a>

</h4>
<p>A wireless client can flood another wireless client with bogus packets, creating a
denial of service attack. An attacker, or sometimes an employee unintentionally, can
configure a client to duplicate the IP or MAC address of another legitimate client,
causing disruption on the network.
</p>
<h4><a name="[2.5.3] Hybrid Threats">[2.5.3] Hybrid Threats</a></h4>
<p>Next-generation viruses and worms have become multi-vector attack programs that
self-propagate through any TCP/IP interface, including wireless. If one computer on a
wireless network is infected with a hybrid threat, the threat can easily spread to other
wireless computers and potentially to internal computers behind the wireless network.</p>
<h2><a name="[2.6] War Driving Access Point Maps">[2.6]
War
Driving Access Point Maps
 </a>

</h2>
<p>As people go “War Driving”, locating APs and recording the GPS coordinates of each
AP's location, these AP maps are being shared with anyone on the Internet, attackers
included. If a company's AP location and information are shared on the Internet, the AP
becomes a potential target and the company's risk increases. One of the popular places to
upload War Driving AP maps is <a href="http://www.netstumbler.com/">http://www.netstumbler.com</a>.
It includes a visual map and a database query tool for locating various APs.
</p>
<h2><a name="[2.7] Parasitic Grids">[2.7] Parasitic Grids</a></h2>
<p>From an InfoWorld article: &quot;An underground movement to deploy free wireless access zones
in metropolitan areas is taking hold... The movement, called by some the &quot;parasitic
grid&quot; and by others more simply the &quot;free metro wireless data network,&quot; has
already installed itself in New York; San Francisco; Seattle; Aspen, Colo., Portland, Ore.,
British Columbia; and London...&quot; This provides attackers and intruders completely
anonymous access. Trying to locate and trace attackers using the parasitic grid becomes an
impossible task.
</p>
<ul>
  <li>
  <a href="http://www.infoworld.com/articles/hn/xml/01/08/24/010824hnfreewireless.xml">
  http://www.infoworld.com/articles/hn/xml/01/08/24/010824hnfreewireless.xml </a>
  </li>
</ul>
<h1><a name="[3] What are solutions to minimizing WLAN security risk?">[3]
What
    are solutions to minimizing WLAN security risk?
 </a>

    </h1>
<p>There are many things organizations can do today to put proper security protection
around their wireless strategy and technology.
</p>
<h2><a name="[3.1] Wireless Security Policy and Architecture Design">[3.1]
Wireless
Security Policy and Architecture Design
 </a>

</h2>
<p>Many organizations need to develop a wireless security policy that defines what is and
what is not allowed with wireless technology. From a holistic view, the wireless network
should be designed with the proper architecture to minimize risk.
</p>
<h2><a name="[3.2] Treat BaseStations as Untrusted">[3.2]
Treat
BaseStations as Untrusted</a>
</h2>
<p>From a network security architecture standpoint, each base station should be evaluated
to determine whether it should be treated as an untrusted device and quarantined before
the wireless clients can gain access to the internal network. The architecture design may
include appropriately placing firewalls, VPNs, IDSes, vulnerability assessments, and
authentication requirements between the base station and the Intranet.
</p>
<h2><a name="[3.3] Base Station Configuration Policy">[3.3]
Base
Station Configuration Policy
 </a>

</h2>
<p>The wireless policy may want to define the standard security settings for any 802.11
base station being deployed. It should cover security issues like the Service Set ID
(SSID), WEP keys and encryption, and SNMP community words. Turning off broadcast pings
on the Access Point makes it invisible to 802.11b analysis tools like NetStumbler.</p>
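<p>The settings this policy names, together with the default WEP keys in [2.3.6.2], the SNMP
community words in [2.3.7] and the 3Com web password in [2.3.8], can be checked mechanically
against a base station's configuration. The Python audit below is an added example, not the
FAQ's own or any vendor's code; the configuration dictionary, its field names, and the rule
codes are assumptions made for the example.</p>

```python
"""Audit an 802.11b base station configuration against a baseline policy.

Added example, not code from the original FAQ or from any vendor.  The config
dictionary and its field names are constructed for this example and are not any
vendor's real configuration format.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Defaults the FAQ lists: NetGear's four default WEP keys ([2.3.6.2]), the
# "public" read community and 3Com's "comcomcom" write community ([2.3.7]).
NETGEAR_DEFAULT_WEP_KEYS = {"1011121314", "2122232425", "3132333435", "4142434445"}
DEFAULT_COMMUNITY_WORDS = {"public", "comcomcom"}

@dataclass(frozen=True)
class Finding:
    code: str      # identifier of the policy rule that failed
    severity: str  # "high", "medium" or "low"
    detail: str

def normalize_wep_key(key: str) -> str:
    """Strip separators so '10 11 12 13 14' and '10:11:12:13:14' compare equal."""
    return re.sub(r"[\s:.-]", "", key).lower()

def audit_base_station(cfg: dict) -> list[Finding]:
    """Return every policy violation found in the constructed config dict."""
    f: list[Finding] = []
    # WEP must be on, must be enforced, and every key must be well-formed and non-default.
    if not cfg.get("wep_enabled"):
        f.append(Finding("WEP_OFF", "high", "WEP disabled; a casual sniffer can read all traffic"))
    else:
        if not cfg.get("wep_enforced", True):
            f.append(Finding("WEP_NOT_ENFORCED", "high",
                             "WEP on but not enforced; an unencrypted client knowing the SSID can associate"))
        for slot, key in enumerate(cfg.get("wep_keys", []), start=1):
            k = normalize_wep_key(key)
            # 10 hex digits = 40-bit key; 26 hex digits = 104-bit key (sold as "128-bit" WEP)
            if len(k) not in (10, 26) or not re.fullmatch(r"[0-9a-f]+", k):
                f.append(Finding("WEP_KEY_MALFORMED", "medium", f"key {slot} is not a 40- or 104-bit hex key"))
            elif k in NETGEAR_DEFAULT_WEP_KEYS:
                f.append(Finding("WEP_KEY_DEFAULT", "high", f"key {slot} is a published vendor default"))
    # SNMP community words must not be known defaults, and write must differ from read.
    read_c, write_c = cfg.get("snmp_read_community"), cfg.get("snmp_write_community")
    if read_c and read_c.lower() in DEFAULT_COMMUNITY_WORDS:
        f.append(Finding("SNMP_READ_DEFAULT", "medium", f"read community {read_c!r} is a known default"))
    if write_c and write_c.lower() in DEFAULT_COMMUNITY_WORDS:
        f.append(Finding("SNMP_WRITE_DEFAULT", "high", f"write community {write_c!r} is a known default"))
    if read_c and write_c and read_c == write_c:
        f.append(Finding("SNMP_WRITE_EQUALS_READ", "medium", "write community equals read community"))
    # The web interface needs a password that is not the write community (3Com reuses it, [2.3.8]).
    web_pw = cfg.get("web_password")
    if not web_pw:
        f.append(Finding("WEB_NO_PASSWORD", "high", "web interface has no password"))
    elif write_c and web_pw == write_c:
        f.append(Finding("WEB_PASSWORD_IS_COMMUNITY", "medium", "web password equals SNMP write community"))
    # SSID broadcast left on makes the AP visible to NetStumbler-style scanners ([3.3]).
    if cfg.get("ssid_broadcast", True):
        f.append(Finding("SSID_BROADCAST", "low", "SSID broadcast on; AP is visible to casual scanners"))
    return f

# Constructed sample configurations, not real devices.
FACTORY_DEFAULT_CONFIG = {
    "ssid": "Wireless", "wep_enabled": True, "wep_enforced": False,
    "wep_keys": ["10 11 12 13 14", "21 22 23 24 25", "31 32 33 34 35", "41 42 43 44 45"],
    "snmp_read_community": "public", "snmp_write_community": "comcomcom",
    "web_password": "comcomcom", "ssid_broadcast": True,
}
HARDENED_CONFIG = {
    "ssid": "corp-wlan-7", "wep_enabled": True, "wep_enforced": True,
    "wep_keys": ["3f9c0a7d1e5b2c8a4d6e0f1b29"],
    "snmp_read_community": "rd-7Gq2vT", "snmp_write_community": "wr-Xk9pLm",
    "web_password": "dist1nct-web-pw", "ssid_broadcast": False,
}
```

Running <code>audit_base_station(FACTORY_DEFAULT_CONFIG)</code> reports nine findings (one per default key, plus the unenforced WEP, both default community words, the reused web password and the SSID broadcast), while the hardened configuration reports none.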
<h3><a name="[3.3.1] 802.1X Security">[3.3.1] 802.1X Security</a></h3>
<p>Windows XP and many hardware vendors are building the 802.1X security standard into
their software and Access Points. This provides a higher level of security than typical
WEP security. The 802.1X standard has a key management protocol built into its
specification, which provides keys automatically. Keys can also be changed rapidly at
set intervals. Check to see whether your Access Points support 802.1X.
</p>
<p>Security researchers have noted some security flaws in the 802.1X standard. This
points out the need for good VPN technology despite this new standard. Here is a
document that outlines the issues in 802.1X security:</p>
<ul>
  <li><a href="http://www.cs.umd.edu/~waa/1x.pdf">
  http://www.cs.umd.edu/~waa/1x.pdf</a></li>
</ul>
<h2><a name="[3.4] Base Station Discovery">[3.4]
Base
Station Discovery
 </a>

</h2>
<ul>
  <li>
    <p>From
a wired network search, an organization could identify unknown and rogue base
stations by searching for SNMP agents. The
rogue base stations are identified as 802.11 devices through SNMP queries for
host id. 

</li>
  <li>
    <p>Some base stations have a web and telnet interface. Looking at the banner strings
of these interfaces provides another method of identifying some 802.11 devices.</p>
  </li>
  <li>
    <p>An additional means is TCP/IP fingerprinting. Most TCP/IP implementations have a
unique set of characteristics, and many OS fingerprinting technologies use this method to
identify the OS type. The same concept can be applied to identify devices as base
stations.</p>
  </li>
  <li>
    <p>From a wireless network search, an organization can identify rogue base stations
by simply setting up a 2.4 GHz sniffer that identifies 802.11 packets in the air. By
looking at the packets, you may find the IP addresses, which help identify which network
they are on. In a densely populated area with many businesses close together, running a
sniffer may pick up not only the intended organization’s traffic but also that of a close
neighboring company.</p>
  </li>
</ul>
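<p>As an added example of the wireless-side search in the last item (not code from the FAQ or
from any product it names), the Python below parses 802.11 beacon frames as a 2.4 GHz sniffer
would see them, pulls out the BSSID, SSID, channel and whether WEP is required, and flags any
beacon whose BSSID is not in the organization's inventory. The frames, BSSIDs and inventory are
constructed for the example; note that an access point with SSID broadcast turned off still
reveals its BSSID in every beacon, which is why a promiscuous sniffer finds access points that
NetStumbler-style tools miss.</p>

```python
"""Identify base stations from 802.11 beacon frames seen by a 2.4 GHz sniffer.

Added example, not code from the original FAQ or any product it names.  The
frames are constructed in code (no radio needed), the BSSIDs are made-up
locally-administered addresses, and the trailing FCS is omitted.
"""
from __future__ import annotations
import struct
from dataclasses import dataclass
from typing import Optional

BROADCAST = b"\xff" * 6
TAG_SSID, TAG_DS_PARAMS = 0, 3  # element IDs: SSID, DS parameter set (channel)
CAP_PRIVACY = 0x0010            # capability bit set when the AP requires WEP

@dataclass(frozen=True)
class Beacon:
    bssid: str
    ssid: Optional[str]  # None when the SSID element is empty (SSID broadcast turned off)
    channel: Optional[int]
    wep: bool

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_beacon(frame: bytes) -> Beacon:
    """24-byte MAC header, then timestamp/interval/capability, then tagged elements."""
    if len(frame) < 36:
        raise ValueError("frame too short for a beacon")
    (fc,) = struct.unpack_from("<H", frame, 0)
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 8:  # type 0 = management, subtype 8 = beacon
        raise ValueError("not a beacon frame")
    bssid = mac_str(frame[16:22])                       # Address 3 carries the BSSID
    _timestamp, _interval, capability = struct.unpack_from("<QHH", frame, 24)
    ssid, channel, pos = None, None, 36
    while pos + 2 <= len(frame):                        # walk the tagged elements
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:                         # truncated element: keep what we have
            break
        if tag == TAG_SSID and value.strip(b"\x00"):    # empty or all-NUL SSID means hidden
            ssid = value.decode("utf-8", "replace")
        elif tag == TAG_DS_PARAMS and length == 1:
            channel = value[0]
        pos += 2 + length
    return Beacon(bssid, ssid, channel, bool(capability & CAP_PRIVACY))

def find_rogues(frames: list[bytes], authorized_bssids: set[str]) -> list[Beacon]:
    """Beacons whose BSSID is not in the organization's inventory, hidden SSID or not."""
    rogues: dict[str, Beacon] = {}
    for frame in frames:
        try:
            beacon = parse_beacon(frame)
        except ValueError:
            continue                                    # skip non-beacon or damaged frames
        if beacon.bssid not in authorized_bssids:
            rogues.setdefault(beacon.bssid, beacon)     # report each rogue BSSID once
    return list(rogues.values())

def build_beacon(bssid: bytes, ssid: bytes, channel: int, wep: bool) -> bytes:
    """Construct a minimal beacon for testing, in the layout parse_beacon() expects."""
    header = struct.pack("<HH6s6s6sH", 0x0080, 0, BROADCAST, bssid, bssid, 0)
    fixed = struct.pack("<QHH", 0, 100, CAP_PRIVACY if wep else 0)
    tagged = bytes([TAG_SSID, len(ssid)]) + ssid + bytes([TAG_DS_PARAMS, 1, channel])
    return header + fixed + tagged

AUTHORIZED_BSSIDS = {"02:00:00:aa:bb:cc"}  # constructed inventory of the organization's APs
SAMPLE_FRAMES = [                            # constructed captures, not real traffic
    build_beacon(bytes.fromhex("020000aabbcc"), b"CORP-WLAN", 6, True),
    build_beacon(bytes.fromhex("020000deadbe"), b"", 11, False),         # hidden SSID, no WEP
    build_beacon(bytes.fromhex("020000112233"), b"Wireless", 1, False),  # factory-style SSID
    build_beacon(bytes.fromhex("020000deadbe"), b"", 11, False),         # the hidden AP again
    b"\x08\x00" + b"\x00" * 40,                                          # a data frame, ignored
]
```

<code>find_rogues(SAMPLE_FRAMES, AUTHORIZED_BSSIDS)</code> returns the two unknown access points once each, including the one whose SSID is hidden.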
<h2><a name="[3.5] Base Station Security Assessments">[3.5]
Base
Station Security Assessments
 </a>

</h2>
<p>An organization can examine and analyze the base station configuration. A security
audit and assessment can determine whether the passwords and community words are still
default or easily guessed, and whether better security modes, like encryption, have been
enabled.
</p>
<p>With router ACLs and firewall rules, an organization can minimize access to the SNMP
agents and other interfaces on the base station. A security assessment can determine how
widely accessible the configuration interfaces of the base stations are within the
organization.
</p>
<h2><a name="[3.6] Wireless Client Protection">[3.6]
Wireless
Client Protection
 </a>

</h2>
<p>The
wireless clients should be assessed for having the following security
technologies: 

</p>
<ul>
  <li>
    <p>firecell (distributed personal firewalls) - lock down who can gain access
to the client.
</li>
  <li>
    <p>VPN - adds another layer of encryption and authentication beyond what
802.11 can provide.

</li>
  <li>
    <p>intrusion detection - identify and minimize attacks from intruders,
worms, viruses, Trojans and backdoors.</li>
  <li>
    <p>desktop
scanning - identify security misconfigurations on the client.

    </li>
</ul>
<h1><a name="[4] Who is making 802.11 Security Solutions?">[4]
Who is making 802.11
Security Solutions?
 </a>

</h1>
<h2><a name="[4.1] 802.11 gateway infrastructure">[4.1]
802.11 Gateway Infrastructure</a>
</h2>
<ul>
  <li>
    <p><a href="http://www.bluesocket.com/">BlueSocket:</a>
    The
WG-1000 Wireless Gateway™ offers a single scalable solution to the security,
quality of service (QoS) and management issues facing enterprises and service
providers that deploy wireless LANs based on the IEEE 802.11b and Bluetooth™
standards.

</li>
  <li>
    <p><a href="http://www.ecutel.com/">EcuTel</a>:
    Viatores
Secure WLAN edition is different from legacy virtual private networks (VPNs) in
that it maintains VPN and application sessions uninterrupted with no
configuration or re-boot required. 
Viatores
combines two advanced protocols for mobility and security to enable roaming from
LANs to WLANs and between WLAN subnets seamlessly and securely. Application
sessions and security tunnels are maintained while the user moves from one
subnet to another. Roaming users can communicate easily with colleagues,
regardless of where they are or how they are connected, because Viatores
maintains a single network address. Viatores
Secure WLAN edition includes: 

    
    <ul>
      <li>
        <p>Industry-strength secure communication well beyond the WEP
standard;

</li>
      <li>
        <p>Seamless roaming from wired to wireless networks and between
different wireless networks;

</li>
      <li>
        <p>Support for two-way, peer-to-peer communication;

</li>
      <li>
        <p>Data confidentiality and integrity, including key exchanges,
digital signatures, and industry-strength encryption; 

</li>
      <li>
        <p>Option to upgrade to secure and seamless roaming from public
networks.

</li>
    </ul>
  </li>
  <li>
    <p><a href="http://www.netmotionwireless.com/">NetMotion Wireless</a> - NetMotion
Mobility provides a VPN designed to work with WLAN security.
<a href="http://www.netmotionwireless.com/resource/whitepapers/netmotion_security.asp">http://www.netmotionwireless.com/resource/whitepapers/netmotion_security.asp</a>
has an overview of wireless security and how NetMotion Mobility™ prevents
unauthorized users from accessing your system and stops eavesdropping, replay,
and other network-level attacks.</p>
  </li>
</ul>
<h2><a name="[4.2] 802.11 Security Analysis Tools">[4.2]
802.11
Security Analysis Tools
 </a>

</h2>
<ul>
  <li>
    <p><a href="http://freshmeat.net/projects/airsnort/">AirSnort</a>
is a wireless LAN (WLAN) tool that recovers encryption keys. It operates by
passively monitoring transmissions, computing the encryption key when enough
packets have been gathered. AirSnort
will work for both 40 or 128 bit encryption.


    <ul>
      <li>
        <p><a href="http://freshmeat.net/projects/airsnort/">http://freshmeat.net/projects/airsnort/</a></p>
      </li>
      <li>
        <p><a href="http://www.dachb0den.com/projects/bsd-airtools.html">http://www.dachb0den.com/projects/bsd-airtools.html</a></p>
      </li>
    </ul>
  </li>
  <li>
    <p><a href="http://sourceforge.net/projects/wepcrack">WEPCrack</a>
is a tool that cracks 802.11 WEP encryption keys using the latest discovered
weakness of RC4 key scheduling.


    <ul>
      <li>
        <p><a href="http://sourceforge.net/projects/wepcrack">http://sourceforge.net/projects/wepcrack
        </a>

</li>
    </ul>
  </li>
  <li>
    <p><a href="http://www.netstumbler.com/">Network Stumbler</a> scans for networks
roughly every second and logs all the networks it runs into, including the real SSIDs,
the AP's MAC address, the best signal-to-noise ratio encountered, and the time you
crossed into the network's space. If you add a GPS receiver to the notebook, it logs the
exact latitude and longitude of the AP. Network Stumbler does not use promiscuous mode;
thus, simply turning off broadcast pings hides the Access Point from NetStumbler. The
NetStumbler website now also includes a PocketPC MiniStumbler.</p>
    <ul>
      <li>
        <p><a href="http://www.netstumbler.com/">http://www.netstumbler.com/</a></p>
      </li>
      <li>
        <p><a href="http://www.netstumbler.com/download.php?op=getit&amp;lid=21">http://www.netstumbler.com/download.php?op=getit&amp;lid=21</a>
        PocketPC MiniStumbler</p>
      </li>
    </ul>
  </li>
  <li>
    <p><a href="http://www.iss.net/securing_e-business/security_products/security_assessment/internet_scanner/">Internet
Scanner 6.2</a>, the market leading network vulnerability assessment tool, was the
first to assess many 802.11b security checks. 802.11 checks are in several X-Press
Updates (XPU 4.9 and 4.10). This is done by assessing via the wired network and
contacting the management interface.</p>
  </li>
  <li>
    <p><a href="http://www.iss.net/products_services/enterprise_protection/vulnerability_assessment/scanner_wireless.php">Wireless
Scanner 1.0</a> is designed to look for security issues via the 802.11b airwaves. It has
a penetration testing mode and a discovery mode. It uses promiscuous mode and is thus
capable of capturing the raw 802.11b packets for forensic analysis and replay. Even if
broadcast pings are turned off, Wireless Scanner will still catch any Access Point that
sends any kind of traffic, because it uses promiscuous mode.</p>
    <ul>
      <li><a href="http://www.iss.net/download/">http://www.iss.net/download/</a>
      Evaluation copy of Wireless Scanner.</li>
      <li><a href="https://iss.custhelp.com/cgi-bin/iss.cfg/php/enduser/home.php">https://iss.custhelp.com/cgi-bin/iss.cfg/php/enduser/home.php</a>
      WS1.0 Knowledge Base</li>
    </ul>
  </li>
  <li>
    <p><a href="http://www.iss.net/securing_e-business/security_products/intrusion_detection/">RealSecure
6.0</a>, the market leading IDS, was the first to monitor many 802.11b attacks. Make sure
you are on the latest X-Press Updates; 802.11 checks for the IDS were in XPU 3.1. It is
recommended to put the IDS behind the Access Point, directly on any servers and desktops
behind the access point, as well as on any wireless clients.</p>
  </li>
  <li>
    <p>
    <a href="http://www.iss.net/products_services/hsoffice_protection/blkice_protect_pc.php">
    BlackICE PC Protection 3.5</a>, personal firewall with IDS capability, is 
    used on wireless laptops and desktops to protect against client to client 
    attacks.</li>
</ul>
<h1><a name="[5]  About Internet Security System’s Wireless 802.11b Solution">[5]
About
Internet Security System’s Wireless 802.11b Solution
 </a>

</h1>
<p><a href="http://www.iss.net">ISS</a> offers a comprehensive wireless security solution:
</p>
<ul>
  <li>
    <p>Wireless <a href="http://www.iss.net/consulting_services/methodology/assess/services.php#nsa">
Security Assessments</a> and <a href="http://www.iss.net/consulting_services/methodology/assess/services.php#penetration_test"> Penetration Testing</a> 

</li>
  <li>
    <p><a href="http://www.iss.net/wireless/overview.php">Wireless
Policy Design and Workshops
    </a>
</li>
  <li>
    <p><a href="http://www.iss.net/securing_e-business/security_products/security_assessment/internet_scanner/">Vulnerability
Scanning with specific 802.11 configuration checks</a></li>
  <li>
    <p><a href="http://www.iss.net/securing_e-business/security_products/intrusion_detection/">Intrusion
Detection for Wireless LAN networks</a></li>
  <li>
    <p><a href="http://education.iss.net/course_descriptions/new_classes/xtremewireless.php">Wireless
802.11 Security Classes
    </a>
</li>
  <li>
    <p>ISS
    <a href="http://xforce.iss.net">
X-Force</a> Advisories:


    <ul>
      <li>
        <p> <a href="http://xforce.iss.net/alerts/advise83.php">http://xforce.iss.net/alerts/advise83.php</a>
        802.11 SNMP Auth. Flaw
        

</li>
      <li>
        <p><a href="http://xforce.iss.net/alerts/advise84.php">http://xforce.iss.net/alerts/advise84.php</a>
        WEP Key exposed via SNMP</li>
    </ul>
  </li>
</ul>
<p>Copyright
© 2001, Internet Security Systems. All rights reserved.

</p>
<p>This
document may be redistributed only in its entirety with version date, authorship
notice, and acknowledgements intact. No part of it may be sold for profit or
incorporated in a commercial document without the permission of the copyright
holder. Permission will be granted for complete electronic copies to be made
available as an archive or mirror service on the condition that the author be
notified and that the copy be kept up to date. This document is provided as is
without any express or implied warranty.

</p>

</body>

</html>
