This article series will examine various techniques for securing Wi-Fi networks. This first article in the series deals with understanding the vulnerabilities associated with wireless networks.
Even though Wi-Fi has been around for many years now, I still periodically receive E-mail messages from people who are wondering about the various security and privacy concerns regarding the use of a wireless network. Generally, there are two main questions that I am asked:
- Is Wi-Fi secure?
- How can I make Wi-Fi secure?
With those questions in mind, I wanted to take the opportunity to talk about Wi-Fi security. My plan is to spend most of this article talking about the risks associated with using Wi-Fi. Later on in the series, I want to talk about hardware based security, how your wireless networking architecture affects the security of your wireless network, and finally I plan to talk about some wireless security mechanisms that are built into Windows Server.
What Are The Risks?
One of the first rules regarding security is that unless you have a clear understanding of the risks, then, it is nearly impossible to mitigate those risks. In other words, it is hard to develop a decent security plan unless you know what threats you must protect yourself against. With this philosophy in mind, I want to take a bit of an unorthodox approach to talking about Wi-Fi security.
Most of the books and articles on Wi-Fi security that I have read focus on how you should configure your wireless access points, and on the overall network architecture and its impact on security. I do plan to discuss those sorts of things later on. Right now though, I want to completely throw security out the window. In doing so, I want to talk about what type of information a hacker could get if there were no security on your wireless network.
OK, I realize that it is a bit strange to approach Wi-Fi security from this angle. As I said before however, it is important to understand the risks up front. Beyond that however, the real world is full of insecure wireless networks. Most of your mobile users are likely to periodically connect to insecure wireless networks. These networks might be at airports, hotels, coffee shops, or even at home. The point is that even if you have gone to great lengths to secure your wireless network, your users could still risk exposing sensitive data by connecting through an external network that is completely insecure.
So with that in mind, let’s pretend that we have an entire office full of people who are all using a completely insecure wireless network. What information is actually exposed if someone were to sniff the wireless packets?
Although it is tempting to say that everything will be exposed, the answer is actually a little bit more complex than that. This is because the entire concept of IT security revolves around defense in depth. Just because a wireless connection is completely insecure, it doesn’t mean that the other security mechanisms that you may have in place are completely invalidated.
To show you what I mean, consider what would happen if someone were to log onto Outlook Web App using an insecure wireless connection. In case you are not familiar with Outlook Web App, it is a Web based version of Microsoft Outlook that comes with Exchange Server 2010.
Outlook Web App is designed to require SSL Web browsers to use SSL encryption. Therefore, if a user logs onto Outlook Web App over an insecure wireless network, all of the user’s information will be encrypted, and will remain secure just as it would if the user had used a wired Internet connection.
So does this mean that you don’t have to worry about Wi-Fi security? Certainly not! Just because Outlook Web App will remain secure even over an otherwise insecure connection, it doesn’t mean that everything else will. Before I get into that though, I want to talk about how something as simple as a non business Web site can compromise your security.
Think about it for a moment… When a user logs on to a Web site, they typically enter a set of authentication credentials. These credentials are not always encrypted. For example, there are a couple of free sites that I use which only require a membership so that you can participate in the online discussion forums. The sites contain no sensitive information, so the authentication process is not encrypted.
Logging into such a site isn’t a problem in and of itself. The problem is that some users like to use the same password for every account that they own. If a user were to log into an insecure Web site over a wireless connection, than anyone who is sniffing the wireless packets would be able to extract the user’s credentials. The next logical step for the hacker would be to see if the user uses the same credentials for anything else.
Of all of the applications used in a business environment, perhaps none are more vulnerable than E-mail. Before I explain why this is the case, I must point out that some mail systems are more secure than others. For example, Exchange Server 2010 automatically encrypts communications between itself and other Exchange 2010 servers.
When it comes to basic POP3 and SMTP communications though, insecure Wi-Fi connections expose everything. Even though messaging servers hosting protocols like SMTP, POP3, and IMAP4 typically require authentication, the credentials are almost always sent in clear text, which makes them vulnerable to packet sniffing.
Even if an organization has encrypted the authentication process, the messages themselves are unencrypted unless an organization has implemented a form of S/MIME encryption or something similar. As such, it is incredibly easy for someone who is sniffing the airwaves to intercept and read mail flow. It is even possible for a hacker to respond to a message that they have intercepted, or to send a fraudulent message posing as someone else.
Another possible vulnerability associated with using an unsecured wireless network involves accessing shared resources. One example that I like to use is something that happened about five years ago. While working on something unrelated, I noticed that a new access point had appeared on my list of available wireless networks. One look at the name of the new wireless network confirmed that it belonged to a good friend who lived next door. Because my friend hadn’t secured his wireless network, I assumed that it was my duty to show him the dangers of operating an open wireless network. To make a long story short, I typed up a short message in Microsoft Word telling him to call me, and then I printed the message on his printer.
Open access to shared resources aren’t usually as big of a problem on corporate networks, because domain controllers provide challenge / response authentication. Assuming that server resources are secured properly, the real vulnerability exists on the user’s desktop / laptop. If the user is running Windows XP, then it is pretty easy to figure out the user’s computer name and to connect to any shared resources on that computer.
As you can see, there are plenty of vulnerabilities associated with operating on an insecure wireless network (there are many more than what I have discussed). In Part 2, I will continue the discussion by talking about how you can lock down your wireless hardware.