Things are getting serious in the world of wireless data communications. I came to this conclusion after reading reports of the efforts of a small team of Berkeley security researchers who have been examining the 802.11b Wired Equivalent Privacy (WEP) standard. These researchers have been able to fold, spindle, and mutilate the WEP algorithms to both listen in on data conversations and to inject modified packets into those conversations (Check out http://www.isaac.cs. berkeley.edu for full story details).
The conclusion of this report is particularly pointed. It says (and I quote): "Wired Equivalent Protocol (WEP) isn't. The protocol's problems are a result of misunderstanding of some cryptographic primitives and therefore combining them in insecure ways. These attacks point to the importance of inviting public review from people with expertise in cryptographic protocol design; had this been done, the problems stated here would have surely been avoided."
Ouch. I guess things looked a lot more black-and-white when I was back in college, too.
I have no quibble with the techniques these researchers used. They brought up some valid problems in the WEP security model. Of course they barely mentioned the biggest hole in the model - there is a single encryption/decryption code for the whole network. This 40- or 128-b number combines with a network name to give anyone the keys to the physical access layer of your network. It would almost certainly be easier for a corporate spy to finesse this information than to do the statistical analysis described by the ISAAC group at Berkeley.
License to break in Interestingly enough, I don't entirely agree with the conclusion that WEP isn't the rough equivalent to most wired security. I remember the first week that I came to work at one company.
The IT department hadn't gotten around to buying me a computer, so I brought in my laptop.
I plugged it into the Ethernet port that was in my office and found that I could freely access many of the resources on the network, even though they had not gotten around to giving me a network login. In other words, I broke into their network without even half trying.
It is certainly possible to set up a wireless network with less security than this; add in an access point that is set to the default configuration with encryption disabled and you're there. You might as well hang a network cable out in the parking lot with a sign on it that says, "Please abuse me." I suspect that most companies would like to avoid either situation. For that matter, I can't think of too many home networks that would be comfortable being that wide open either.
Plugging up the holes
Okay, there are holes in the security for 802.11b. What can designers do about that?
The first step is to use it anyway. The holes that are described in the Berkeley research require a reasonably sophisticated attack. This will eliminate most of the casual intruders, such as the bored high-school kids who will be tempted by a network that makes it too easy for them to be hotshot hackers. This level of security will tend to screen out the casual hacker, giving you more time to concentrate on the ones that are more serious.
Moving past this point involves some interesting options. It might be worthwhile to hang some bait on the network at this level. The bait might be a system that "accidentally" has file sharing enabled without a password, and which contains a bogus marketing plan for the year or a list of fake credit card numbers.
This system can be alarmed through the router to detect any traffic as an early-warning system for more serious attacks.
The truly paranoid will place these traps at each level of the network. There are two advantages to this approach. First, it takes time for the hacker to examine each of the traps to see if they are real, leading to the hacker becoming suspicious of anything he finds at each level. Second, the longer it takes to get to each level, the more likely it is that the hacker will move on to an easier target.
The next level of security is a good firewall. At this point in time I would probably put a wireless network on the outside of the firewall and force users to come in through a virtual private network (VPN) session. This is bound to be troublesome, but it has tremendous advantages as far as security is concerned. This essentially removes any advantage a hacker gains by using the wireless network, putting them in the same place that they would have been if they had attacked over the Internet.
The biggest problem with this decision is that many wireless devices do not support VPNs. This is not a major problem for laptops, but if PDAs are in use, security can be much more problematic. It's all very nice to dictate a set of conditions, but if those conditions can't be met, then something has to give. In other words, even though it might be preferable from a security standpoint to park the access points exterior to the firewall it may not be feasible from the point of view of usability for certain wireless extensions to the network.
How much is enough?
So do we just give up on the idea of having a secure environment? I am certainly not advocating that. A good firewall is a necessary component in a secure network, but it is not the only one. Within a network, secure resources should not be freely accessible. Are there any systems on your network that don't require passwords to access? These systems are at risk even without wireless access. At a minimum, they are openly available to any employees. As much as we would like to trust all of the people that work for us, it is a fact that a large percentage of industrial espionage happens from within.
Locking down a network is not something that is done just once, though. Someone must regularly police the network, looking for new published directories and other resources that suddenly open up. This is not a popular job, since most of these security breaches occur in the process of people just doing their jobs. I strongly recommend accompanying this network diligence with a large dose of education to minimize the feeling that the company is enforcing a prison-camp atmosphere.
Survival of the fittest
With this set of restrictions in place at least the network administrator can finally get a good night's rest. Well, maybe not.
The war between the network hackers and those who would prevent their fun and games reminds me a lot of the copy protection wars. Each side would regularly come up with new weapons, each with a new level of sophistication.
The main danger concerning network hacking is the productization of these tools. It is quite possible for a novice hacker to mount a sophisticated attack using scripts and other software downloaded from the Internet. The hacking intelligentsia disparagingly refers to these hackers as "script kiddies," but the diminutive name makes them no less dangerous. Just as an amateur could defeat sophisticated copy protection schemes, some of the best network security can fall victim to a kiddie with the right script.
The point to remember is that no network will ever be completely secure. I worked for several years in a so-called "Black" facility, a Defense Department code name for extremely sensitive programs. Our internal network was completely separate from any outside connection, even to the point of running cabling between buildings in a pressurized conduit.
Great care was taken to ensure that this network was protected. In fact, any hard drives that were inside this facility at any time could only be removed after a meticulous formatting that would practically scrub the oxide right off the disk platters. We used to joke about the fact that the facility would eventually fill up with the hard drives that accumulated over the years like a landfill, forcing the eventual abandonment of the site.
This environment would certainly qualify as a secure network, but I noticed something strange one day. The network cabling was running through the same conduit within the building as the phone system, which certainly had connections to the outside world. It certainly seemed to me that these wires could inductively couple, potentially carrying networking signals outside of the facility.
I pointed this out to a security official, and she got a very strange look on her face and insisted that that was not the case. I didn't understand this at first, given that it obviously was the case, but eventually I realized that they knew about the potential problem and judged it an acceptable risk. This did not mean, however, that they enjoyed having a young punk engineer pointing out their weaknesses.
A constant battle
The bottom line on security is that it is a never-ending battle. There is a more secure proposal for 802.11b under consideration right now (see http://www.cisco.com/ warp/public/cc/pd/witc/ao350ap/prodlit/a350w_ov.htm for details), but I am confident that this one, just like all the others, will eventually fall victim to someone building a script. The trick is to make access to a network difficult enough that it is not worth the time for hackers to find the right script with which to attack.
Larry Mittag is vice president and chief technologist for Stellcom, Inc., a San Diego-based engineering services company that specializes in wireless devices and applications. He can be reached at lmittag@stellcom.com.
