National Infrastructure Protection Center


BEST PRACTICES FOR WIRELESS FIDELITY (802.11b)
NETWORK VULNERABILITIES

Computer security experts have successfully intercepted and broken the security built into the IEEE 802.11b Wireless Local Area Network (WLAN) standard. The software tools used to exploit the vulnerability are simple to use and available on the Internet as freeware. The WLAN industry has responded with a set of best practices that will help corporate and individual WLAN users mitigate risk to their systems.

The deployment of wireless networking systems is proceeding rapidly. Advancements in the technology and reduction in the cost of ownership have converged such that wireless systems are becoming a measurable part of the national information infrastructure. The growth in sales booked and sales projected indicates that wireless networking qualifies as a technology mega-trend. Along with their convenience and popularity, however, wireless systems provide new and attractive opportunities for those seeking to exploit them. "Raising the security bar" by reducing wireless network vulnerabilities, therefore, becomes an important consideration for any organization that adopts wireless systems.

There are several different wireless networking technical standards.(1) Currently the IEEE 802.11b standard, Wireless Fidelity (Wi-Fi) wireless Ethernet, is widely deployed. Over one hundred vendors are members of the Wireless Ethernet Compatibility Alliance (WECA), the trade organization which seeks to shepherd development and deployment of WLAN.(2)

A WLAN is essentially a radio system. It broadcasts the data traffic to anyone who is in proximity to intercept it. The effective transmission range can vary from a hundred feet to an entire campus. To enhance data integrity, WECA members adopted an integrated encryption scheme called Wired Equivalent Privacy (WEP) into the 802.11b standard. The standard was assumed to be adequate since no beta testing had been able to defeat WEP without a significant computing effort. In August 2001, however, a group of experts announced they had succeeded in defeating the WEP security scheme. Since that publication, various hacker tools that greatly facilitate exploitation of the vulnerability have appeared on public web sites. Successful exploitation of the vulnerability has been simplified to getting within range to intercept the broadcast.

WECA has announced that a revision to Wi-Fi, dubbed 802.11i, is under development, and may be ready for certification testing in 2002. In the meantime, WECA has published the WEP Security Statement as a list of best practices for corporate and individual users. The Statement may be found at http://www.Wi-Fi.com/pdf/20011015_WEP_Security.pdf, and includes advice for users in both small and large environments. For smaller organizations, including home users, and for lesser-valued data, WECA recommends one or more of the following:

a) Turn WEP on and manage your WEP key: change the default key and, subsequently, change the WEP key daily to weekly.

b) Password protect drives and folders.

c) Change the default SSID (Wireless Network Name).

d) Use session keys if available in your product.

e) Use MAC address filtering if available in your product.

f) Use a VPN system. Though it would require a VPN server, the VPN client is already included in many operating systems such as Windows 98 Second Edition, Windows 2000 and Windows XP.
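
The recommendations above can be checked against an inventory of access-point settings. The Python below is an added example, not part of this advisory or the WECA statement; the record fields, the sample inventory and the short list of factory SSIDs are assumptions made for illustration.

```python
from datetime import date

# Assumption: illustrative factory SSIDs; build the real list from vendor manuals.
DEFAULT_SSIDS = {"default", "linksys", "netgear", "tsunami"}
MAX_KEY_AGE_DAYS = 7  # item a): change the WEP key daily to weekly

def audit_ap(ap, today):
    """Return (item, finding) pairs for recommendations this AP does not meet.

    Item b) (password-protected drives and folders) is a host setting and
    is outside what an access-point record can show.
    """
    findings = []
    if not ap["wep_enabled"]:
        findings.append(("a", "WEP is turned off"))
    else:
        if ap["wep_key_is_default"]:
            findings.append(("a", "WEP key is still the default"))
        age = (today - ap["wep_key_changed"]).days
        if age > MAX_KEY_AGE_DAYS:
            findings.append(("a", f"WEP key unchanged for {age} days"))
    if ap["ssid"].strip().lower() in DEFAULT_SSIDS:
        findings.append(("c", f"SSID {ap['ssid']!r} is a factory default"))
    # d) and e) apply only "if available in your product"
    for item, feature in (("d", "session_keys"), ("e", "mac_filter")):
        if ap[feature] == "off":
            findings.append((item, f"{feature} available but not enabled"))
    if not ap["vpn_required"]:
        findings.append(("f", "clients reach the LAN without a VPN"))
    return findings

# Constructed sample inventory (not real devices).
TODAY = date(2001, 11, 15)
INVENTORY = [
    {"name": "lobby", "wep_enabled": True, "wep_key_is_default": True,
     "wep_key_changed": date(2001, 10, 1), "ssid": "linksys",
     "session_keys": "unsupported", "mac_filter": "off", "vpn_required": False},
    {"name": "accounts", "wep_enabled": True, "wep_key_is_default": False,
     "wep_key_changed": date(2001, 11, 12), "ssid": "acct-floor2",
     "session_keys": "on", "mac_filter": "on", "vpn_required": True},
]

if __name__ == "__main__":
    for ap in INVENTORY:
        for item, finding in audit_ap(ap, TODAY):
            print(f"{ap['name']}: {item}) {finding}")
```

Because WECA recommends "one or more" of the measures, each finding is a gap to weigh against the value of the data, not an automatic failure.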

For larger organizations, or where the value of the data justifies strong protection by a small business or home user, the WECA statement provides examples of additional security methods.

1. The focus of this paper is the WEP vulnerability of IEEE 802.11b. Vulnerabilities in other systems like 802.11a and Bluetooth, should they arise, will need to be addressed separately.

2. Some of the vendors have reduced the complexity of installing the systems by engineering them to be appliances. They can be as simple to install as a kitchen toaster. As we have seen with other technologies, there is added risk by accepting the default settings of computer-related software, or by lacking familiarity with recommended best practices that go beyond the 'system on' button.