
Evaluating Wireless Networks
Robert W. Cobb and Staff
National Aeronautics and Space Administration
IT Roundtable
25 March 2003

Outline
• Introduction to wireless networks
• Threats and vulnerabilities
• Evaluating wireless networks
• Objectives
• Methodology
• Tools
• Findings
• General recommendations
• Conclusion

Introduction to Wireless Networks
• Fastest-growing computer communications technology
• Agencies increasingly use wireless networks
• Convenient
• Flexible
• Inexpensive
• Easy to implement

Introduction to Wireless Networks (cont.)
• Uses radio waves instead of cables
• Consists of
  • Access points
  • Wireless clients (e.g., laptops, PDAs)
  • Gateways to wired networks
• Major standard
  • Institute of Electrical and Electronics Engineers (IEEE) 802.11, Wireless Local Area Networks

Threats
• Disclosure of sensitive/confidential data
• Denial of service (DoS)
• Unauthorized access to wireless-enabled resources
• Potential weakening of existing security measures on connected wired networks and systems

Vulnerabilities
• Wired Equivalent Privacy (WEP) encryption standard extremely weak
• Radio signals susceptible to jamming and interference
• Protocol vulnerabilities allow
  • Network sessions to be taken over by an intruder
  • Injection of invalid data into network traffic
  • Network reconnaissance

Evaluating Wireless Networks
• Wireless networks are
  • Easy to implement
  • Difficult to secure
• Policies often have not been developed

Evaluation Objectives
• Assess the current Agency/Department position regarding wireless networks
• Examine the use of wireless technology
• Evaluate the security of wireless network applications, including threats to
  • Data integrity
  • Confidentiality
  • Availability of services and resources
  • Security of wired networks
• Determine the level of staff awareness of wireless technology

Evaluation Methodology
• External scanning to illustrate the ease with which unauthorized persons could intercept wireless signals
• Internal scanning and physical inspection to verify the source of signals
• Traffic analysis to see if sensitive data is being transmitted, if transmissions are encrypted, and how vulnerable the networks are to attack
• Review network topologies to assess connectivity to wired networks and determine measures to protect wired networks
• Meet with wireless users and administrators to assess awareness, employee expertise, and strength of security measures

Evaluation Tools
• Hardware
  • Laptop
  • Wireless network card
  • Antenna
  • GPS
• Wireless sniffing software
• WEP encryption cracking software
• Mapping software

Evaluation Findings
• Wireless networks with inadequate security
• Ranges of wireless networks exceed physical boundaries of user organizations
• Non-existent or inadequate policies on wireless networks
• IT staff with inadequate enforcement authority over wireless networks
• Insufficient employee awareness of the agency position on the use of wireless networks

Example: Many wireless networks do not use WEP or other encryption to protect network traffic.
[Map legend: one marker for access points using encryption, another for access points without encryption]

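The encryption check behind this finding, as an added example that is not part of the original presentation: it reads the Privacy bit and security elements from 802.11 beacon frames and lists access points that advertise no encryption or WEP only. The function names, the WPA/RSN distinction, and the sample beacons are assumptions constructed for illustration.

```python
import struct

PRIVACY_BIT = 0x0010                      # Capability Information bit 4 (Privacy)
WPA_PREFIX = bytes.fromhex("0050f201")    # vendor-specific WPA element: OUI + type

def parse_beacon(frame: bytes) -> dict:
    """Classify one raw 802.11 beacon (no radiotap header) by advertised protection."""
    if len(frame) < 36 or frame[0] != 0x80:   # 0x80 = management frame, subtype beacon
        raise ValueError("not a complete beacon frame")
    bssid = frame[16:22].hex(":")             # address 3 carries the BSSID
    (capability,) = struct.unpack_from("<H", frame, 34)
    ssid, stronger = "", False
    pos = 36                                  # tagged elements follow the fixed fields
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                             # truncated element: stop parsing
        if tag == 0:
            ssid = value.decode("utf-8", "replace")
        elif tag == 48 or (tag == 221 and value[:4] == WPA_PREFIX):
            stronger = True                   # RSN or WPA element present
        pos += 2 + length
    if not capability & PRIVACY_BIT:
        protection = "none"
    else:
        protection = "WPA/RSN" if stronger else "WEP"
    return {"bssid": bssid, "ssid": ssid, "protection": protection}

def audit(frames):
    """Return the access points that advertise no encryption or WEP only."""
    seen = {}
    for frame in frames:
        ap = parse_beacon(frame)
        seen[ap["bssid"]] = ap                # one entry per access point
    return [ap for ap in seen.values() if ap["protection"] in ("none", "WEP")]

def build_beacon(bssid: bytes, ssid: str, capability: int, extra: bytes = b"") -> bytes:
    """Construct a sample beacon for the demo (constructed data, not a capture)."""
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, capability)
    return header + fixed + bytes([0, len(ssid)]) + ssid.encode() + extra

SAMPLES = [  # constructed beacons: open, WEP-only, and RSN-protected
    build_beacon(bytes.fromhex("020000000001"), "lab-open", 0x0001),
    build_beacon(bytes.fromhex("020000000002"), "lab-wep", 0x0011),
    build_beacon(bytes.fromhex("020000000003"), "lab-rsn", 0x0011, bytes([48, 2, 1, 0])),
]

if __name__ == "__main__":
    for ap in audit(SAMPLES):
        print(f'{ap["bssid"]}  {ap["ssid"]:<10} protection={ap["protection"]}')
```
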
Example: The radio signal from a wireless network can spill over from the building where access points are located to neighboring buildings, parking lots and public roads.
General Evaluation Recommendations
• Develop wireless network policies
• Perform risk assessments to determine required level of security
• Limit access to wireless networks through the use of Virtual Private Networks (VPN)
• Maintain logical separation between wireless and wired networks
• Monitor for wireless applications (i.e., actively enforce policies)

Conclusion
• Wireless network evaluations are easy to conduct using inexpensive or freely available tools.
• Evaluations are very necessary.
• Wireless networks are inexpensive, convenient, and simple to use – so people will use them.
• BUT, wireless networks are vulnerable.

Contacts for Wireless Network Evaluations
• Stephen Mullins, (916) 408-5573, stephen.mullins@tigta.treas.gov
• Jamil Farshchi, (202) 358-1897, jamil@nasa.gov