WLAN 802.11b Security FAQ

Post by Christopher Klaus » Wed, 25 Dec 2002 00:11:33

Wireless LAN Security FAQ

By  Christopher  W.  Klaus  of Internet Security Systems (ISS). Please
send corrections, additions, and new questions to cwkpub...@iss.net.

Version 1.6 - Last Updated September 30th 2002
     _________________________________________________________________

                                   Contents

     * [0]  Where  do  I  get  the  latest  version  of this Wireless LAN
       Security FAQ?
     * [1] What is the overview of Wireless LAN 802.11 technology?
          + [1.1]  When  will 802.11a arrive and how will the security be
            different than 802.11b?
          + [1.2] What is an Access Point?
          + [1.3] How much does the equipment for wireless 802.11b cost?
          + [1.4] Are companies the only wireless targets by attackers?
          + [1.5] Where can you find wireless 802.11 networks?
          + [1.6] How does the antenna affect wireless LAN security?
               o [1.6.1] How do I build a cheap and effective antenna?
          + [1.7]  Can  you spot a laptop with wireless 802.11 capability
            by looking for the antenna?
     * [2] What are the major security risks to 802.11b?
          + [2.1] What are Insertion Attacks?
               o [2.1.1] Plug-in Unauthorized Clients
               o [2.1.2] Plug-in Unauthorized Renegade Base Stations
          + [2.2]  What  are Interception and monitoring wireless traffic
            attacks?
               o [2.2.1] Wireless Sniffer
               o [2.2.2] Hijacking the session
               o [2.2.3] Broadcast Monitoring
               o [2.2.4] ArpSpoof Monitoring and Hijacking
                    # [2.2.4.1]  Hijacking  SSL (Secure Socket Layer) and
                      SSH (Secure Shell) connections
               o [2.2.5] BaseStation Clone (Evil Twin) intercept traffic
          + [2.3] What are AP and Client Misconfigurations?
               o [2.3.1] Service Set Identifier (SSID)
                    # [2.3.1.1] What are the default SSIDs?
               o [2.3.2] What is Secure Access Mode?
               o [2.3.3] Bruteforce Base Station SSID
               o [2.3.4] Can the SSID be encrypted?
               o [2.3.5]  By  turning  off  the  broadcast  of  SSID, can
                 someone still sniff the SSID?
               o [2.3.6] Wired Equivalent Privacy (WEP)
                    # [2.3.6.1] Attacks against WEP
                    # [2.3.6.2] Default WEP Keys
                    # [2.3.6.3] How Large are WEP Keys?
               o [2.3.7] SNMP community words
                    # [2.3.7.1] SNMP Vulnerabilities
               o [2.3.8] Configuration Interfaces
               o [2.3.9] Client side security risk
               o [2.3.10] Installation Risk
          + [2.4] What is Jamming?
               o [2.4.1] 2.4 GHz Interfering Technology
          + [2.5] What are Client to Client Attacks?
               o [2.5.1] Filesharing and other TCP/IP service attacks
               o [2.5.2] DoS (Denial of Service)
               o [2.5.3] Hybrid Threats
          + [2.6] War Driving Access Point Maps
          + [2.7] Parasitic Grids
     * [3] What are solutions to minimizing WLAN security risk?
          + [3.1] Wireless Security Policy and Architecture Design
               o [3.1.1] Basic Field Coverage
          + [3.2] Treat BaseStations as Untrusted
          + [3.3] Base Station Configuration Policy
               o [3.3.1] 802.1X Security
          + [3.4] Base Station Discovery
               o [3.4.1] Honeypots - FakeAP
          + [3.5] Base Station Security Assessments
          + [3.6] Wireless Client Protection
     * [4] Who is making 802.11 Security Solutions?
          + [4.1] 802.11 Gateway Infrastructure
          + [4.2] 802.11 Security Analysis Tools
     * [5] About Internet Security System's Wireless 802.11b Solution
     * [6] Acknowledgements
     _________________________________________________________________

Recent Updates

   Version 1.6
     * Added new war driving maps.
     * Updated 802.11a as being now available.
     * Added how large is WEP key information.
     * Added acknowledgements section
     * Added Honeypots - FakeAP
     * Added basic field coverage strategy

   Version 1.5
     * Added all of Netgear's default WEP keys.
     * Added Pringles Can and Waveguide Antenna Info.
     * Added hybrid threats, next-gen virus/worm spread by wireless.
     * Added Parasitic Grids. Free anonymous access for intruders.
     * Added SNMP vulnerabilities.
     * Added 802.1X Security, and its flaws.
     * Added MiniStumbler, Wireless Scanner, BlackICE PC Protection.
     * Added info on Broadcast pings.

   Version 1.3
     * Added Section 1.7 regarding internal antenna.
     * Added  link to Cigital regarding ArpSpoofing. Cigital put together
       a nice diagram of the attack.
     * Added Default WEP key for NetGear AP.
     * Added link to BSD version of AirSnort.

   Version 1.2
     * Added where this WLAN Security FAQ can be found.
     * Cleaned up the formatting
     * Added better indexing, added hyperlinks between index and content
     * Added link to article on wireless LAN antennas

   Version 1.1
     * Added NetStumbler, WEPCrack tools, Added WEP insecurity paper
     * Added Ecutel, BlueSocket, and NetMotion as WLAN Sec. Products
     * Updated accuracy of the WEP description and made it clear that the
       SSID is not encrypted.
     * Added Broadcast of SSID turned off can still be circumvented.
     * Added Addtron's default SSID, a popular AP
     * Added War Driving AP maps.
     * Added 802.11 ArpSpoof, a technique used by ISS X-Force Consulting.
     * Added hijacking SSH and SSL connections via wireless.
     * Added 2 X-Force Advisories on Wireless 802.11 flaws

   Version 1.0
     * First draft
     _________________________________________________________________

[0] Where do I get the latest version of this Wireless LAN Security FAQ?

     * The most current version is on the Web at http://www.iss.net/wireless
     * It will be regularly posted to issfo...@iss.net
       (http://www.iss.net/maillists).
     * It will be posted to the following Usenet newsgroups:
       comp.security.misc, comp.security.firewalls, comp.security.unix,
       comp.std.wireless, comp.dcom.sys.cisco, comp.dcom.sys.nortel,
       comp.dcom.telecom

[1] What is the overview of Wireless LAN 802.11 technology?

   The 802.11b wireless LAN standard has the strongest momentum toward
   becoming the main standard for corporate internal wireless LANs. 802.11b
   has a maximum data rate of 11 Mbit/s and operates in the 2.4 GHz band.
   Its successor, 802.11a, is designed for higher speed and operates in a
   different band (5 GHz). While the 802.11a standard and the technology
   behind it have become available, 802.11b is still widely used today, and
   many companies and individuals are deploying it or deploying dual
   802.11b/802.11a devices.

   As more wireless technology is developed and deployed, the attacks will
   grow more complex, but the methods described here appear to be the main
   ones used to break into and attack wireless systems today. Most of them
   are not unique to 802.11b and apply in very similar form to other
   wireless technologies. Understanding these risks, and how to build a
   security solution for 802.11b, is a good stepping-stone toward securing
   any wireless deployment.

[1.1] When will 802.11a arrive and how will the security be different than
802.11b?

   Most manufacturers of wireless equipment have now shipped 802.11a
   products. The 802.11a protocol specifications are very similar to
   802.11b (the differences are at the physical layer: 5 GHz and OFDM
   rather than 2.4 GHz and DSSS), so the MAC-layer security mechanisms, and
   therefore most of the security risks, are shared by both. Many of the
   security issues around 802.11b will remain issues with 802.11a, so
   understanding the current issues will help organizations deal with
   future ones as well.

[1.2] What is an Access Point?

   The AP (access point, also known as a base station) is the wireless
   device that connects clients to the internal network. Base stations
   typically act as a layer-2 bridge between the radio side and the wired
   LAN, so wireless clients appear on the same network segment as wired
   hosts. The base station has an IP address for management and
   configuration, and typically runs an SNMP agent for remote management.
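   As an added illustration (example code written for this edit, not part
   of the original FAQ and not an ISS tool), the following Python decodes
   the 802.11 beacon frames a base station broadcasts roughly ten times a
   second. It shows what an AP announces to any listener in range before a
   single client has associated: its BSSID, channel, supported rates,
   whether WEP (the "Privacy" capability bit) is enabled, and the SSID in
   cleartext unless SSID broadcast has been turned off. The frame bytes,
   the BSSID 00:11:22:33:44:55 and the SSID "corp-wlan" are constructed
   fixtures, not captured traffic.

```python
import struct

# Added example, not part of the FAQ: a minimal parser for 802.11 beacon
# frames. Every field decoded here is visible to a passive listener.

MGMT_TYPE = 0
BEACON_SUBTYPE = 8
CAP_PRIVACY = 0x0010          # capability bit 4: WEP ("Privacy") required
IE_SSID, IE_RATES, IE_DS = 0, 1, 3


def channel_to_mhz(channel: int) -> int:
    """2.4 GHz channel plan: channels 1-13 sit 5 MHz apart from 2412 MHz;
    channel 14 (Japan only) is the exception at 2484 MHz."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def parse_beacon(frame: bytes) -> dict:
    """Decode one 802.11 beacon: 24-byte MAC header, fixed fields, IEs."""
    if len(frame) < 36:
        raise ValueError("frame too short for a beacon")
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != MGMT_TYPE or subtype != BEACON_SUBTYPE:
        raise ValueError(f"not a beacon: type={ftype} subtype={subtype}")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])   # addr3 = BSSID
    # Fixed fields after the header: timestamp(8) interval(2) capability(2)
    _timestamp, interval_tu, capability = struct.unpack_from("<QHH", frame, 24)
    info = {
        "bssid": bssid,
        "interval_ms": interval_tu * 1.024,   # 1 TU = 1024 microseconds
        "privacy": bool(capability & CAP_PRIVACY),
        "ssid": None,
        "hidden": False,
        "channel": None,
        "freq_mhz": None,
        "rates_mbps": [],
    }
    # Information elements: 1-byte ID, 1-byte length, value. Stop at the
    # first truncated IE instead of trusting a length byte received over
    # the air from an untrusted source.
    pos = 36
    while pos + 2 <= len(frame):
        ie_id, ie_len = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + ie_len]
        if len(value) < ie_len:
            break
        pos += 2 + ie_len
        if ie_id == IE_SSID:
            # "SSID broadcast off" sends an empty or zero-filled SSID IE;
            # the name still travels in probe responses and association.
            if ie_len == 0 or not value.strip(b"\x00"):
                info["hidden"] = True
            else:
                info["ssid"] = value.decode("utf-8", errors="replace")
        elif ie_id == IE_RATES:
            # each byte: bit 7 = basic rate, bits 0-6 = rate in 500 kbit/s
            info["rates_mbps"] = [(b & 0x7F) * 0.5 for b in value]
        elif ie_id == IE_DS and ie_len == 1:
            info["channel"] = value[0]
            info["freq_mhz"] = channel_to_mhz(value[0])
    return info


def build_beacon(ssid: bytes, channel: int, privacy: bool) -> bytes:
    """Constructed test fixture (not a capture) for a hypothetical AP."""
    header = (
        b"\x80\x00"                        # frame control: management/beacon
        + b"\x00\x00"                      # duration
        + b"\xff" * 6                      # addr1: broadcast destination
        + bytes.fromhex("001122334455")    # addr2: transmitter (the AP)
        + bytes.fromhex("001122334455")    # addr3: BSSID
        + b"\x00\x00"                      # sequence control
    )
    cap = 0x0001 | (CAP_PRIVACY if privacy else 0)   # ESS bit (+ Privacy)
    fixed = struct.pack("<QHH", 0, 100, cap)         # interval 100 TU
    ies = bytes([IE_SSID, len(ssid)]) + ssid
    ies += bytes([IE_RATES, 4, 0x82, 0x84, 0x8B, 0x96])  # 1, 2, 5.5, 11 Mbit/s
    ies += bytes([IE_DS, 1, channel])
    return header + fixed + ies


if __name__ == "__main__":
    for ssid, ch, wep in ((b"corp-wlan", 6, False), (b"", 11, True)):
        print(parse_beacon(build_beacon(ssid, ch, wep)))
```

   Run it directly to print the decoded fields for a visible-SSID beacon
   and a hidden-SSID, WEP-enabled one. The parser stops at the first
   truncated information element rather than trusting the length byte,
   since anything received over the air is attacker-controlled. A real
   capture tool would feed it frames from a monitor-mode interface (for
   example via libpcap); that part is left out so the example runs offline.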

[1.3] How much does the equipment for wireless 802.11b cost?

   Base stations have become relatively inexpensive, approximately under
   US$300. 802.11 client cards for PDAs, laptops, and desktops are
   approximately under US$100. Because the equipment is so cheap, attackers
   can easily obtain the tools needed to carry out these attacks. For the
   same reason, employees in many companies can purchase wireless equipment
   without approval and deploy it as rogue access points on the corporate
   network, creating additional risk.

[1.4] Are companies the only wireless targets by attackers?

   While this FAQ focuses on the risks from a corporate network
   perspective, the same issues apply to home networks and telecommuters
   that use wireless. As corporate networks allow in remote users, those
   users may be connecting over wireless at their end. In that case, even
   if no wireless capability has been installed on the corporate network
   itself, the organization is still exposed to the risk that its remote
   employees are using wireless at home or on the road.

[1.5] Where can you find wireless 802.11 networks?

   Airports,  hotels,  and even coffee shops like Starbucks are deploying
   802.11  networks  so  people  can  wirelessly browse the Internet with
   their  laptops.  As these types of networks increase, this will create
...

WLAN 802.11b Security FAQ

Post by Christopher Klaus » Wed, 01 Jan 2003 00:11:32 (verbatim repost of the Version 1.6 text above)