Wireless Security: Attacks and Defenses

May 15, 2006

Two leading technologies that are gaining momentum in enterprise and small business LANs alike are IPS and IDS. Intrusion Prevention Systems take a proactive approach to network security, aiming to stop an attack before it starts. Intrusion Detection Systems are more passive in their methodology, monitoring the network and informing administrators of any intrusive presence. Both kinds of system monitor networks, whether WLANs or LANs, over extended periods of time. This frees network administrators to perform other network management tasks until they are made aware of a need for action. Douglas Conrich, IBM's Global Solutions Manager, calls these kinds of attacks 'Texas barbeques'.

Today's IDS/IPS systems can be employed in many different ways. According to some research analysts, there are three ways to deploy this technology. The first is a software solution that simply uses the existing access points on the network to keep an electronic eye on traffic patterns. This method suits the needs of many smaller businesses that lack the expertise or budget to go any further. The second uses what are called passive 802.11 monitors, which watch over any and all wireless activity in the area. All the data recorded by the sensors is sent to one central server for processing and analysis. This provides a much more comprehensive view of wireless activity and adds the capability of detecting rogue access points that would go unnoticed under the first method. The third method places more of the processing load on the sensors themselves: the sensors do not report back to the central server unless they discover something suspicious. In either of the last two methods, once anomalies have been reported to the central server, staff can be sent out onto the premises to track down the source of the intrusion. One advantage in WLAN security is that in most cases the intruder has to be local, whereas in a wired attack the attacker could be on the other side of the world.
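As an added example (not from the original paper), a sketch of the second and third deployment methods: each sensor applies local rules to 802.11 beacon observations and forwards only the anomalies, and the central server groups them by transmitter so that the staff sent out know which sensors heard it. The AP inventory and the observations are constructed.

```python
"""Sensor-side anomaly filtering with central correlation (the paper's second and third
deployment methods). Added example, not from the paper; the AP inventory and the
sensor observations are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed inventory of sanctioned access points: BSSID -> (SSID, channel)
AUTHORIZED_APS = {
    "00:11:22:33:44:01": ("CorpNet", 6),
    "00:11:22:33:44:02": ("CorpNet", 11),
}
CORP_SSIDS = {ssid for ssid, _ in AUTHORIZED_APS.values()}

@dataclass(frozen=True)
class Observation:
    sensor: str     # which 802.11 monitor heard the frame
    bssid: str      # transmitter address from the beacon or probe response
    ssid: str
    channel: int
    ibss: bool      # capability field says ad hoc (IBSS), not infrastructure

def classify(obs: Observation):
    """Rule run on the sensor; returns an alert name, or None for expected traffic."""
    if obs.ibss:
        return "adhoc-network"      # a peer that may be bridging wired and wireless
    known = AUTHORIZED_APS.get(obs.bssid)
    if known is None:
        # A corporate SSID from an unlisted transmitter outranks a neighbour's AP
        return "rogue-ap" if obs.ssid in CORP_SSIDS else "unknown-transmitter"
    if (obs.ssid, obs.channel) != known:
        return "config-mismatch"    # sanctioned BSSID announcing the wrong SSID/channel
    return None

def sensor_report(observations):
    """Third method: the sensor forwards only observations that tripped a rule."""
    return [(obs, alert) for obs in observations if (alert := classify(obs)) is not None]

def correlate(reports):
    """Central server: one entry per offending BSSID with the sensors that heard it,
    which tells the team walking the premises where to start looking."""
    by_bssid = defaultdict(lambda: {"alerts": set(), "sensors": set(), "frames": 0})
    for obs, alert in reports:
        entry = by_bssid[obs.bssid]
        entry["alerts"].add(alert)
        entry["sensors"].add(obs.sensor)
        entry["frames"] += 1
    return dict(by_bssid)
```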

An interesting observation made by many experts is that most companies interested in IDS/IPS technologies want them to enforce a zero-wireless policy. Some corporations would rather eliminate the possibility of wireless technology on their network altogether. The reasoning behind this lies in the very real threat of wireless attacks being used to invade wired networks. Being able to set up an ad hoc wireless access point allows someone to connect to the wired network, intentionally or unintentionally, and then disconnect, making the intrusion very difficult to trace.

A wide variety of tools are available to survey your wireless domain, many of which we detailed earlier in this paper. They can do such things as measure the reach of your AP signal and control power output if it extends beyond the limits of your premises, or alert you to suspicious activity on the network.

Surveying your own network can also be looked at as simply trying to hack your own setup. What better way to test your security than to run one of the wireless hacking tools against it? Many of the tools freely available to crack a wireless network are simple enough that most intermediate Windows users could begin their own war-chalking movement.

There are also a limited number of software tools available that allow you to deploy a wireless Intrusion Detection System, or IDS, which can automatically monitor the network and report suspicious events to system administrators. These events can include the presence of unusual data packets, the presence of new wireless transmitters in the area, or traffic encrypted with unknown WEP keys. The following table details several of the commercial and open-source wireless LAN auditing tools available for use today.
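One of the checks listed above, flagging frames that do not decrypt under any WEP key the organisation itself holds, as an added example that is not from the original paper. It implements RC4 and the standard WEP body layout (IV, key-id byte, ciphertext, CRC-32 ICV); the keys and frames are constructed.

```python
"""IDS check for the third event above: does a captured WEP frame decrypt under any key
the organisation actually owns? Added example, not from the paper. Frame body layout is
the standard WEP one, IV(3) | key-id byte | ciphertext | ICV(4); keys and frames below
are constructed."""
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4, the cipher WEP uses; encrypting and decrypting are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # keystream generation, XORed into the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Build a WEP body: CRC-32 ICV appended to the plaintext, then RC4 under IV || key."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + bytes([key_id << 6]) + rc4(iv + wep_key, plaintext + icv)

def wep_decrypt(wep_key: bytes, body: bytes):
    """Return the plaintext if the ICV verifies under wep_key, otherwise None."""
    iv, ciphertext = body[:3], body[4:]
    plain = rc4(iv + wep_key, ciphertext)
    data, icv = plain[:-4], plain[-4:]
    if zlib.crc32(data).to_bytes(4, "little") != icv:
        return None
    return data

def unknown_key_frames(known_keys, bodies):
    """IDS rule: indices of frames that verify under none of the organisation's keys."""
    return [n for n, body in enumerate(bodies)
            if all(wep_decrypt(k, body) is None for k in known_keys)]
```

A frame that verifies under none of the inventory keys is either a foreign network's traffic or a device configured with a key the organisation never issued; either way it is worth a look.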

Virtual Private Networks

Virtual Private Networks, or VPNs, provide security over public connections through encryption and various other security methods. A VPN works by sending data through a “tunnel” whose contents cannot be read from outside it. This is done through tunneling protocols such as the Layer Two Tunneling Protocol, which encrypts the data at the sending end and decrypts it at the receiving end. For a VPN to function properly, network users must install a small client application on their computers, which deciphers and helps facilitate the encoded communication.

A protocol called IPSec is the de facto standard for VPNs over the Internet. IPSec defines how secure data packets are structured through its three major components: the Authentication Header (AH), the Encapsulating Security Payload (ESP), and Internet Key Exchange (IKE). AH is responsible for verifying that packets have not been altered between sender and receiver. It does not provide any encryption; it simply verifies that the data sent through the VPN arrived intact. Encryption is handled instead by ESP, which can employ a variety of algorithms such as the Data Encryption Standard (DES) or the Secure Hashing Algorithm (SHA). Each of the three components can operate in different modes and can be combined in different ways, which allows security to be tailored to the implementation. For example, many IPSec VPNs either do not use AH at all or use a combination of AH and ESP.
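To make the AH/ESP distinction concrete, an added example (not from the paper) of what an Authentication Header actually covers: the IP header with its hop-mutable fields zeroed, the AH header itself, and the unencrypted payload, so a TTL decremented by a router still verifies while any other change does not. HMAC-SHA256 stands in for whatever integrity algorithm IKE negotiates; the key and addresses are constructed.

```python
"""AH-style integrity check over an IPv4 packet in transport mode. Added example, not from
the paper: HMAC-SHA256 truncated to 96 bits stands in for whatever integrity algorithm IKE
negotiates, the key is constructed, and only the IPv4 fields named below are treated as
mutable."""
import hashlib
import hmac
import struct

AH_PROTO = 51  # IPv4 protocol number for the Authentication Header

def ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left zero since every hop recomputes it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0, src, dst)

def _immutable_view(ip_hdr: bytes) -> bytes:
    """Zero fields routers may change en route: TOS, flags/fragment offset, TTL, checksum."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\0\0"
    h[8] = 0
    h[10:12] = b"\0\0"
    return bytes(h)

def ah_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """ICV over the immutable IP header, the AH header with its ICV field zeroed, and the payload."""
    data = _immutable_view(ip_hdr) + ah_fixed + b"\0" * 12 + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:12]

def ah_protect(key: bytes, ip_hdr: bytes, payload: bytes, spi: int, seq: int, next_hdr: int = 17):
    """Return (ip_hdr, ah_header, payload). AH adds no encryption: the payload stays readable."""
    # Fixed AH fields: next header, length in 32-bit words minus 2 (24-byte AH -> 4), reserved, SPI, seq
    ah_fixed = struct.pack("!BBHII", next_hdr, 4, 0, spi, seq)
    return ip_hdr, ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload), payload

def ah_verify(key: bytes, ip_hdr: bytes, ah: bytes, payload: bytes) -> bool:
    """Receiver side: recompute the ICV and compare in constant time."""
    return hmac.compare_digest(ah_icv(key, ip_hdr, ah[:12], payload), ah[12:24])
```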

VPNs fit into three categories: network-to-network, host-to-network, and host-to-host. Network-to-network VPNs are used to securely transmit data between two LANs over a public network. Host-to-network VPNs connect a single user to a LAN securely, over a public network. Finally, host-to-host VPNs involve two single clients communicating securely with one another over a public network.

The main advantage of VPNs is that they are a cost-effective way of connecting remote nodes or sites. Alternatives such as dedicated leased lines or deploying a Remote Access Server are much more expensive. In fact, a free VPN solution called FreeSWAN exists for Linux systems.

Home-Grown or Advanced Encryption

Another advanced defense, possible although unlikely, is to create an in-house encryption algorithm for encoding your network's data. Not only would you need some very sensitive data to justify this, but you would also need highly skilled technical staff. Be advised, too, that a self-made encryption scheme may turn out to be a very strong, unknown scheme that works extremely well, or one that is flawed and easily cracked.

A more likely approach is to implement an existing, proven method such as MD5 or MIC. Many different encryption techniques exist, and information on how they work and how to implement them is freely available in books and online. Should you choose this route, make sure you have skilled staff on hand to handle the project.

The intricacies of encryption are outside the scope of this paper. Our purpose is merely to point out that the above options exist as methods of defense in the arena of wireless security.

We have taken a look at many facets of 802.11 WLANs. We have seen their benefits and risks, their strengths and weaknesses, and we have learned some of the ways in which they are attacked and defended. As wireless technology continues to expand its presence across the globe, there are sure to be many fascinating changes that will affect the way we live and work, and it will be important to understand both the possibilities and the dangers that come with it. Without a doubt, there will be improvements in wireless security. Along with them will come new methods of attack and defense, as well as many other changes. We hope that the knowledge contained in these pages provides a solid understanding of wireless security and a foundation on which to build and adapt that knowledge as changes come about.

Copyright © InvulnerableIT
