One of the problems with wireless security is that you don't need expensive tools to break into a wireless network. All you need in your toolbox is a computer, a wireless card, some suitable software, and perhaps a good antenna for receiving wireless signals.
The following is a list of software that you can use to detect wireless networks, sniff wireless packets in transit, and much more. These tools have numerous legitimate uses, such as detecting unauthorized access points, intrusion detection, network traffic analysis, and debugging networked applications such as a web server.
MacStumbler is a free application that allows you to detect the presence of wireless networks. Using MacStumbler, you can obtain information about a particular access point: the SSID used, whether WEP is enabled, and so on. Coupled with a GPS receiver, you can also pinpoint the location of an access point. MacStumbler is often used for wardriving, site surveys, and detecting rogue access points. Figure 5-17 shows Mac-Stumbler scanning for wireless networks.
iStumbler is another free tool that is similar to MacStumbler, but seems to be updated more frequently.
KisMAC is very similar to the popular Windows and Unix package Kismet. It is a passive wireless scanner that sends no probes of its own, which means it is sneakier and less invasive than other tools such as MacStumbler. KisMAC (and Kismet) are silent and generally more useful than other software of its kind.
HenWen is a network security package for Mac OS X that makes it easy to configure and run Snort, a free, open source Network Intrusion Detection System (NIDS). HenWen simplifies setting up and maintaining software that will scan the network for undesirable traffic that a firewall may not block. Everything you need is bundled in; no compiling or command-line configuration is necessary.
This is the Mac OS X command-line version of Snort, a packet sniffer and NIDS.
AiroPeek is a wireless LAN analyzer from WildPackets that runs on Windows. It is an extremely powerful wireless LAN analyzer that many security professionals use (be forewarned, this package costs $3,499!). AiroPeek is able to sniff raw wireless packets transmitted through the air, which is why protecting your wireless network with 802.1X, a VPN, SSH, or even WEP is important. AiroPeek can easily sniff unencrypted data packets.
Ethereal is a free network protocol analyzer for Unix and Windows computers. It is similar to AiroPeek in that it allows you to sniff wireless (and wired) packets in transit. Many network protocols are susceptible to sniffing in this manner. For example, Telnet and FTP both send passwords as plaintext (for secure alternatives, see the section "Secure Shell (SSH)," earlier in this chapter).
Most wireless access points provide some degree of protection against unauthorized access to the network. Here are a few common features found in most consumer access points:
Disabling SSID broadcast causes the access point to suppress the broadcast of SSID information to wireless clients. In order to join the wireless network, a wireless client must manually specify the SSID that the network uses, or it will not be able to associate with the access point.
Most access points support MAC address filtering by allowing only network cards with the specified MAC addresses to be associated with them. In a small network, this is feasible but it becomes administratively prohibitive in a large network. Note that MAC address filtering authenticates a device, not a user.
IP filtering works just like MAC address filtering, but instead filters computers based on IP addresses.
As 802.1X gains acceptance, expect to see support of 802.1X in consumer access points, not just enterprise-level access points. Check with your vendor to see if your access point supports 802.1X authentication (or can be upgraded to do so via a firmware upgrade).
The following sections cover some of the common techniques used for securing wireless networks, and rate their effectiveness.
While MAC address filtering can prevent unauthorized network devices from gaining entry to a network, there are two problems with it:
The device is authenticated in MAC address filtering, not the user. Hence if a user loses the network card, another user who picks it up is able to gain access to the network without any problem. Because AirPort cards are internal, this is less of a concern than if you are using a PC Card wireless adapter; you might not immediately notice that the PC Card is missing, but you're sure to notice if your PowerBook is gone.
MAC addresses can easily be spoofed. For example, you can impersonate the MAC address of another machine on a Linux system using the ifconfig utility, a network configuration utility. For this to work, you need a wireless card that allows you to change the MAC address. Although the Mac OS X version of ifconfig supports this capability, your mileage may vary with an AirPort card.
To enable MAC address filtering, use the AirPort Admin Utility and click on the Show All Settings button. You should see the window shown in Figure 5-18.
If the list is empty, all clients can connect to the AirPort base station. If the list has at least one item, then all clients are denied access except for those in the list.
You can import (or export) a list of clients to whom you want to allow access. The access control list is a text file containing the MAC address and description of individual computers (separated by a tab). Figure 5-19 shows one example.
By default, an AirPort base station will broadcast its wireless network name to all computers that are wireless-capable. However, there are times where you do not want everyone to be aware of the existence of your network. In such cases, you can turn off this broadcast so that people who want to join your network must specify the network name in full.
Disabling SSID broadcast prevents uninvited users from accessing the network. However, there are two fundamental flaws with this approach:
It is not difficult to guess the SSID of a network. Most users deploy wireless networks using the default SSID that comes with the access point. It is too easy to guess the SSID of a wireless network based on hints like the brand of the access point, or from clues like the thrown-away box of the access point.
When you disable SSID broadcast, the access point does not broadcast the SSID information. However, as soon as one user connects to the access point using the known SSID, it is possible to sniff the SSID that is transmitted in the network. Hence this method is secure only if there is no user on the network; as soon as one user is on the network, the SSID is no longer a secret.
This is a useless measure most of the time, since anybody with a passive scanner such as KisMAC will still see your access point. It will probably keep your upstairs neighbor from siphoning off your bandwidth, but that's about it.
To turn off this broadcast, use the AirPort Admin Utility. Click on the Show All Settings button and select the Create a closed network checkbox (see Figure 5-21) under the AirPort Network group.
As we have discussed, WEP has some fundamental flaws that make it prone to hackers. For example, utilities such as KisMAC can recover the WEP key after collecting a sizeable number of packets from the wireless network.
Even though WEP is not secure, it is still advisable to use it to make it somewhat difficult to breach your network, or at least to make it clear to honest users that you're not offering public access. Site surveys often show that the majority of wireless networks don't even use WEP! Using Snort or Ethereal, it's very easy to examine the data transmitted through the air. On a very busy network, we suggest using 802.1X, but this is non-trivial to set up. For networks that don't have lot of traffic, use WEP, but change your WEP keys from time to time (we recommend weekly, more frequently if you have a lot of network traffic).