Thursday, May 6, 2010

Threats to Wireless Networks

Throughout this book, you have learned about the many threats to wireless networks. If you really wanted to simplify the threats, you could think of it like this: You want legitimate clients to connect to legitimate APs and access corporate resources. Some attacks are formed from the perspective of an AP trying to gain information from clients. Other attacks are from the perspective of getting illegitimate clients onto the network to use corporate resources at no charge or to actually steal data or cause harm to the network.

These threats include the following:
  • Ad hoc networks
  • Rogue APs
  • Client misassociation
  • Wireless attacks

Ad Hoc Networks

An ad hoc network is a wireless network formed between two clients. The security risk involves bypassing corporate security policies. An attacker could form an ad hoc network with a trusted client, steal information, and even use it as a means of attacking the corporate network by bridging to the secure wired LAN.


Rogue APs

A rogue AP is not part of the corporate infrastructure. It could be an AP that’s been brought in from home or an AP that’s in a neighboring network. A rogue AP is not always bad. It could be an AP that’s part of the corporate domain yet still operating in autonomous mode. Part of an administrator’s job is determining if the AP is supposed to be there. Fortunately, you don’t have to do all the work yourself. A few functions of the AP’s software can detect rogue APs and even indicate if they are on your network.

Something to consider when looking for rogue APs is what happens to clients that can connect to those rogue APs. If a client connects to a rogue AP, it should be considered a rogue client. The reason is that rogue APs typically are installed with default configurations, meaning that any client that connects bypasses any corporate security policy. So you do not know if the client is a corporate user or an attacker.


Client Misassociation

When a client connects to an AP, operating system utilities normally allow the client to save the SSID. In the future, when that SSID is seen again, the client can create a connection automatically. There is a possibility that clients will be unaware of the connection. If the SSID is being spoofed, the client could connect to a potentially unsafe network. Consider the following scenario. An attacker learns the SSID of your corporate network. Using this information, he sends beacons advertising your SSID. A wireless station in the range of the rogue AP connects to the AP. The AP allows connectivity to the Internet but is not actually on your corporate wired network. Using tools that are easily available on the Internet, another client connected to the same rogue AP attacks the misassociated client and steals valuable corporate data.

This scenario employs multiple attack methods. It uses a method known as management frame spoofing as well as an active attack against a misassociated client. So how can this be prevented? The answer begins with a function called Management Frame Protection.
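The rogue-AP and misassociation discussion above boils down to two administrative rules: a radio advertising your SSID that is not in your AP inventory is a rogue spoofing the SSID, and any client associated to a non-corporate BSSID is a rogue client. The following triage script is an added example, not code from the book or from any Cisco product; the corporate SSID, BSSID inventory, and the beacon and association records it works over are constructed sample data, and it goes slightly beyond the text by also labelling unrelated neighboring APs so they are not confused with spoofers.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed corporate inventory (assumption for this example): the SSIDs
# we own and the radios (BSSIDs) that are allowed to advertise them.
CORPORATE_SSIDS = {"CorpNet"}
CORPORATE_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}


@dataclass(frozen=True)
class Beacon:
    """One observed beacon: which radio is advertising which SSID on which channel."""
    ssid: str
    bssid: str
    channel: int


@dataclass(frozen=True)
class Association:
    """One observed client association, as a scan or controller report would list it."""
    client_mac: str
    bssid: str


def classify_beacon(beacon: Beacon) -> str:
    """Label an AP as corporate, a rogue spoofing our SSID, or a neighbor."""
    if beacon.bssid.lower() in CORPORATE_BSSIDS:
        return "corporate"
    if beacon.ssid in CORPORATE_SSIDS:
        # Our SSID from a radio we do not own: the management-frame-spoofing
        # scenario, and the AP a misassociating client would latch onto.
        return "rogue-spoofing-ssid"
    return "neighbor"


def classify_clients(assocs: List[Association], beacons: List[Beacon]) -> Dict[str, str]:
    """Apply the rule from the text: a client on a non-corporate AP is a rogue client."""
    ap_class = {b.bssid.lower(): classify_beacon(b) for b in beacons}
    verdict: Dict[str, str] = {}
    for a in assocs:
        cls = ap_class.get(a.bssid.lower(), "unknown-ap")
        verdict[a.client_mac] = "trusted" if cls == "corporate" else "rogue-client"
    return verdict


# Constructed scan data: one real corporate radio, one radio spoofing the
# corporate SSID, one unrelated neighbor, and one client on each of them.
SAMPLE_BEACONS = [
    Beacon("CorpNet", "00:11:22:33:44:01", 6),
    Beacon("CorpNet", "de:ad:be:ef:00:01", 6),
    Beacon("CoffeeShop", "aa:bb:cc:dd:ee:ff", 11),
]
SAMPLE_ASSOCS = [
    Association("10:00:00:00:00:aa", "00:11:22:33:44:01"),
    Association("10:00:00:00:00:bb", "de:ad:be:ef:00:01"),
    Association("10:00:00:00:00:cc", "aa:bb:cc:dd:ee:ff"),
]


def triage(beacons=SAMPLE_BEACONS, assocs=SAMPLE_ASSOCS) -> dict:
    """Return the AP and client verdicts an administrator would review."""
    return {
        "aps": {b.bssid: classify_beacon(b) for b in beacons},
        "clients": classify_clients(assocs, beacons),
    }


if __name__ == "__main__":
    for section, rows in triage().items():
        print(section)
        for key, value in rows.items():
            print(f"  {key}  {value}")
```

The BSSID inventory is the piece that does the real work: an SSID match alone proves nothing, since that is exactly what a spoofing AP copies, so the allowlist has to be the set of radios you actually deployed.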


Management Frame Protection

One method of Management Frame Protection (MFP) is Infrastructure MFP. With this method, each management frame includes a cryptographic hash called a Message Integrity Check (MIC). The MIC is added to each frame before the Frame Check Sequence (FCS). When this is enabled, each WLAN has a unique key sent to each radio on the AP. Then, the AP sends management frames, and the network knows that this AP is in protection mode. If a frame is altered, or if someone spoofs the SSID of the WLAN without holding the unique key, the MIC check fails and the frame is treated as invalid. This causes other APs that hear the invalid frames to report them to the controller.

The other method of MFP is called Client MFP. If the client is running Cisco Compatible Extensions (CCX) 5 or better, it can talk to the AP and find out what the MIC is. Then it can verify the management frames it hears, in addition to the APs that already provide this function. The major benefit of this mode is the extension of detection. In Figure 17-1, the APs are in the middle of the network, and clients are on the outside. The clients can detect the AP called BAD_AP that is generating invalid frames, even though BAD_AP is out of the range of the APs that are in protection mode.

With MFP version 1, all local mode APs are protectors. They digitally sign all frames they send. Any other AP, or the same local mode AP, for that matter, could be a validator.

With MFP version 2, clients must run the Cisco Secure Services Client (CSSC) or a client that is capable of CCXv5. This enables the client to hear the rogue and report illegitimate frames. You don’t have to worry about your client associating with the rogue AP, because it drops invalid frames.

Client MFP has another benefit. Suppose a neighboring AP performed containment against your network as a denial-of-service (DoS) method; containment works by sending deauthentication frames. The client would see that the containment frame doesn’t have the MIC and would ignore the deauthentication frame. This keeps others from containing your network as a form of DoS attack.
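The three outcomes described across the MFP paragraphs (a protecting AP’s frame validates; a frame from a spoofer without the per-WLAN key fails the MIC check and is reported; a containment deauthentication with no MIC at all is ignored by a Client-MFP-capable station) can be walked through with a small model of a protector and a validator. This is an added example, not Cisco’s implementation: Cisco does not publish its MIC construction, so HMAC-SHA256 over the protected fields with a per-WLAN key stands in for it, the frame layout is reduced to a few fields, the 8-byte tag length is an assumption, and the keys and BSSIDs are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

MIC_LEN = 8  # truncated tag length; an assumption for this example


@dataclass
class MgmtFrame:
    """A management frame reduced to the fields the example needs."""
    subtype: str   # "beacon", "probe_resp", "deauth", ...
    bssid: str
    ssid: str
    seq: int
    mic: Optional[bytes] = None

    def protected_bytes(self) -> bytes:
        # Everything the MIC covers; the MIC itself is excluded. In real MFP the
        # MIC is carried in the frame before the FCS; here it is a separate field.
        return f"{self.subtype}|{self.bssid}|{self.ssid}|{self.seq}".encode()


def compute_mic(wlan_key: bytes, frame: MgmtFrame) -> bytes:
    """Keyed integrity check over the frame (HMAC-SHA256 stands in for Cisco's MIC)."""
    return hmac.new(wlan_key, frame.protected_bytes(), hashlib.sha256).digest()[:MIC_LEN]


def protect(wlan_key: bytes, frame: MgmtFrame) -> MgmtFrame:
    """Protector AP: attach the MIC computed with the per-WLAN key before sending."""
    frame.mic = compute_mic(wlan_key, frame)
    return frame


def validate(wlan_key: bytes, frame: MgmtFrame) -> str:
    """Validator (another AP, or a CCXv5 client). Returns 'valid', 'missing-mic'
    (e.g. a containment deauth), or 'invalid-mic' (altered frame, or a spoofer
    that does not hold the WLAN key); the latter two are what gets reported."""
    if frame.mic is None:
        return "missing-mic"
    if hmac.compare_digest(compute_mic(wlan_key, frame), frame.mic):
        return "valid"
    return "invalid-mic"


def client_accepts(wlan_key: bytes, frame: MgmtFrame) -> bool:
    """Client MFP: drop any management frame that does not validate."""
    return validate(wlan_key, frame) == "valid"


def demo() -> dict:
    """Run the cases from the text and return each validator verdict."""
    # Constructed per-WLAN key; the controller would distribute this to each AP radio.
    wlan_key = hashlib.sha256(b"constructed CorpNet MFP key").digest()
    # 1. A protecting AP's beacon.
    good = protect(wlan_key, MgmtFrame("beacon", "00:11:22:33:44:01", "CorpNet", 1))
    # 2. BAD_AP spoofs the SSID but can only sign with a key of its own.
    bad_key = hashlib.sha256(b"constructed BAD_AP key").digest()
    spoof = protect(bad_key, MgmtFrame("beacon", "de:ad:be:ef:00:01", "CorpNet", 7))
    # 3. A neighbor's containment deauth, which carries no MIC at all.
    containment = MgmtFrame("deauth", "00:11:22:33:44:01", "CorpNet", 9)
    # 4. A legitimate frame altered after it was signed.
    tampered = protect(wlan_key, MgmtFrame("beacon", "00:11:22:33:44:01", "CorpNet", 2))
    tampered.ssid = "CorpNet-Guest"
    return {
        "good": validate(wlan_key, good),
        "spoof": validate(wlan_key, spoof),
        "containment": validate(wlan_key, containment),
        "tampered": validate(wlan_key, tampered),
        "client_drops_containment": not client_accepts(wlan_key, containment),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:26} {verdict}")
```

The point the model makes visible is that the MIC is keyed: a spoofer can copy the SSID and even attach a MIC of its own, but without the per-WLAN key the validator’s recomputation never matches, and a frame with no MIC at all is rejected outright rather than being honored because its header looks right.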


To enable MFP, choose SECURITY > Wireless Protection Policies > AP Authentication/MFP. You view MFP with the Wireless LAN Controller by choosing SECURITY > Wireless Protection Policies > Management Frame Protection, as shown in Figure 17-2.


Wireless Attacks

It’s not news that networks in general are constantly bombarded with attacks. Some of these attacks are unique to wireless networks, as is the case with management frame spoofing. With management frame spoofing, a rogue AP advertises an SSID known to the client in an attempt to get the client to connect to the rogue AP. Other attacks apply to both wired and wireless networks:
  • Reconnaissance attacks: An attacker attempts to gain information about your network. Initially, the method of mitigating recon attacks involved hiding the SSID by not broadcasting it in beacon frames.
  • Access attacks: An attacker tries to gain access to data, devices, and/or the network. Initially the method of preventing access to the network involved MAC-based authentication as well as static Wired Equivalent Privacy (WEP). The problem with WEP today is that the keys can be broken in 4 to 7 minutes.
  • Denial-of-service (DoS) attacks: An attacker attempts to keep legitimate users from gaining services they require. Today, the use of intrusion detection system/intrusion prevention system (IDS/IPS) sensors on the wired network can help mitigate these attacks. You also can use MFP to prevent containment DoS attacks.

The mitigation methods used to prevent the attacks mentioned here are not very advanced and are considered weak by today’s standards. However, you might be wondering how these methods work. What alternatives are there if these mitigation methods are weak? What other options exist? The following sections discuss these aspects.