Wireless Local Area Networks (WLANs) provide a convenient method of accessing wired networks for employees, visitors and other personnel who require roaming access to a network or network resources.
By the very nature of providing these functional benefits, WLANs become susceptible to malicious use: they are often required to span multiple locations and cannot be confined to specific buildings, so it is not possible to know at all times who is accessing or attempting to access a WLAN.
Due to this, WLANs are often a target for attack from casual users, social engineers or dedicated attackers who are intent on accessing the internal corporate network.
The WLAN security options
WLANs employ several different protocols to provide authentication and encryption services for the network, some of which are considered legacy and should not be used:
Wired Equivalent Privacy (WEP):
- WEP is considered a very insecure protocol and is rarely supported by modern data infrastructure devices. Due to the weak encryption methods in use and recurring encryption keys within small chunks of data, it seldom takes longer than 20 minutes to gain access to a WLAN that uses WEP. It is important to note that simply selecting what appears to be a long or complex value as the WEP key has no bearing on the security of the network, as it is the actual protocol that is weak, not the WEP key used.
Wi-Fi Protected Access (WPA) Pre-Shared Key:
- WPA Pre-Shared Key is a protocol designed to improve on WEP and to address the fundamental security flaws present in the method WEP uses to encrypt data. Although the encryption and authentication methods are a significant step forward, a WPA-PSK network is really only as secure as the configured Pre-Shared Key (PSK).
Wi-Fi Protected Access (WPA) Enterprise:
- WPA-Enterprise (often called WPA-Ent or WPA-RADIUS) is considered to be a very secure method of WLAN authentication and encryption when deployed correctly. Usually, WPA-Enterprise will use client and server certificates and a RADIUS server for authentication. Once a client is connected, the protocol also ensures that new encryption keys are generated at short intervals, so that a user who captures a key cannot decrypt large amounts of data with it.
As digital certificates are very hard to clone without access to the device they are installed on or issued from, most of the attacks present within a WPA-PSK protected network are not possible within a WPA-Enterprise one.
A number of attacks are possible against a WPA-Enterprise protected network if server and client certificates are not validated properly. Most of these involve setting up a rogue WLAN with the same SSID (network name) as the legitimate network and enticing a legitimate user to connect to it and enter their credentials. If successful, this allows a malicious user to capture an encrypted user password, conduct an offline brute-force or dictionary attack against it, and then use the recovered password to connect to the WLAN.
If the client is configured to verify the Access Point certificate, it will not connect to a rogue Access Point, so no credentials can be entered or subsequently captured by a malicious user.
The main drawback of WPA-Enterprise is the significant administrative overhead of setting it up correctly; because client and server certificates are relatively complex, it is prone to fundamental misconfigurations that negate the extra security it is meant to offer.
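The certificate-validation misconfiguration described above can be checked for on the client side. The following Python script is an added example (not code from the original article): it parses a wpa_supplicant.conf and flags WPA-EAP profiles that lack a `ca_cert` or a server name constraint, which is how wpa_supplicant pins the RADIUS server certificate presented through the Access Point. The sample configuration, SSIDs, identities and file paths are constructed; the option names are those used by wpa_supplicant.

```python
import re
# Constructed sample wpa_supplicant.conf (assumed for illustration, not from a real deployment):
# two WPA-Enterprise (WPA-EAP) profiles, one pinning the RADIUS server certificate and one not.
SAMPLE_CONF = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
}
network={
    ssid="corp-wifi-pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="bob"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example"
}
"""

NETWORK_BLOCK = re.compile(r"network=\{(.*?)\}", re.S)
# Any of these wpa_supplicant options ties the profile to a specific server identity.
SERVER_NAME_KEYS = ("domain_match", "domain_suffix_match", "subject_match", "altsubject_match")
def parse_networks(conf):
    """Return one {option: value} dict per network={...} block."""
    networks = []
    for block in NETWORK_BLOCK.findall(conf):
        entry = {}
        for line in block.splitlines():
            line = line.strip()
            if line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip().strip('"')
        networks.append(entry)
    return networks

def audit_eap_networks(conf):
    """Map each WPA-EAP SSID to the reasons it would accept a rogue AP's server certificate."""
    findings = {}
    for net in parse_networks(conf):
        if "WPA-EAP" not in net.get("key_mgmt", ""):
            continue  # PSK or open profile: server certificate checks do not apply
        problems = []
        if "ca_cert" not in net:
            problems.append("no ca_cert: any server certificate chain is accepted")
        if not any(k in net for k in SERVER_NAME_KEYS):
            problems.append("no domain/subject match: any certificate from the CA is accepted")
        findings[net.get("ssid", "?")] = problems
    return findings
```

Running `audit_eap_networks(SAMPLE_CONF)` reports two problems for `corp-wifi` and none for `corp-wifi-pinned`; the same check can be pointed at a real configuration file read from disk.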
Penetration Testing for Wireless Networks
To address these security concerns, any testing service should include a way of testing wireless networks that assesses the authentication and encryption methods deployed, assesses the levels of access control in place, gauges signal leakage outside of the building(s) and reviews what level of access can be obtained to internal wired resources, as well as to other wireless clients, once connected to the networks.
The wireless testing methods used will vary depending on the WLAN under test, but generally any authentication keys such as WPA-PSK and WEP should be captured and cracked, access controls bypassed, and access attempts carried out against wired and wireless hosts. Where WPA-Enterprise is in use, a rogue Access Point can be set up to entice users to connect to it and send their credentials; these credentials are then cracked and used to access the WLAN.
Guidance
We have developed robust wireless network tests that include all of the above. They assess the authentication and encryption methods deployed and the levels of access control in place, and review the level of access to internal wired resources, as well as to other wireless clients, once connected to the networks.
Additional services such as GPS mapping data to show signal leakage outside of a building are logical add-ons to look for.
If you’d like to talk to us about security testing or discuss a particular project, get in touch with us today.