Who’s on first? Wireless network security with Linux

David M Williams
Monday, 05 November 2007 19:38

Business IT - Open Source

Ideally, your hardware also supports MAC address filtering. This means you can configure your access point so only wireless cards with specific MAC addresses can connect to it. Practically, in a large organisation, this may be difficult to implement because it requires vigilant maintenance whenever new machines are purchased, and whenever older equipment is decommissioned. Nevertheless, if feasible, this adds another layer of security. It’s possible someone can still spoof a “good” MAC address, but this requires existing knowledge of your network.

DoS

One of the simplest attacks that can be perpetrated against you is denial of service. It’s important to know if any factors in your environment can affect your wireless signal quality, like microwave ovens, cordless telephones or even competing wireless networks from your neighbours. Apart from these, proactive routine testing of drops in signal strength along with unknown access points and devices with unknown MAC addresses will be possible hints of malicious activity.

A DoS attack can be carried out in several ways, but there are three major methods. The first is – like in the wired world – to connect to the network and begin sending relentless packets against important internal machines such as a mail server or DNS server or a router.

Alternatively, and this is unique to wireless networks, a hostile person need not even bother connecting to your network; they need not even have a WiFi card. Instead, an object known to cause interference could be physically placed inside the wireless network’s perimeter.

Or, an attacker might configure a new wireless AP with the same SSID as you use, but without this AP being connected anywhere. Computers located close to where this AP is situated would strive to connect to it, and either succeed – with no communication possible – or fail, with the same result.

Any of these can cause harm to your network. The techniques mentioned earlier – suppress the SSID so others cannot find it and minimise network exposure outside your building – will give some measure of protection. Other important steps you can take are to take careful note of the MAC addresses of your own computers – and hence, be aware when there are unknown computers connected – and to carefully restrict how many people in your organisation know your SSID and wireless access passwords. As always, change important passwords whenever someone who knew them leaves the company.

Performance and monitoring
It’s always prudent to keep a careful eye on network performance. If you have a feel for typical usage patterns then you get a hint to potential intrusions when traffic acts in an unusual way. Good administrators generally know how their wired network looks, but it’s important to extend this discipline to the wireless network too.

Not all attackers are necessarily malicious; it’s not uncommon for people to try and leech free Internet access so they can check mail or surf the web or do other things. Unexpected high bandwidth consumption can tip you off this is happening. As before, be sure to review logs; you might discover high usage during the night hours when you know that legitimate users only operate during daylight hours, for example.