Wireless local area networks (WLANs) can provide many benefits to an organization and its users. Typical advantages over wired networking include quick, low-cost deployment, ease of use, and flexibility for the user community. If a WLAN is not properly implemented and administered, however, it can give a malicious user easy access to an organization's networks, completely circumventing existing network security measures.

MITRE worked to define and manage the security concerns of WLANs and deployed a secure WLAN test pilot. In the process, we learned various lessons, including the complexity of implementing a secure WLAN capability, specifically one that conforms to IEEE 802.11b (see sidebar below), while meeting user needs. We found that our phase-one pilot architecture demonstrates secure WLAN connectivity, but that use of the current virtual private network (VPN) servers significantly reduced user acceptance of the WLANs. Physical security of the access points is a requirement because access points can be moved or reconfigured without the knowledge of network administrators; an access point could inadvertently be moved from the untrusted virtual LAN to the trusted network during maintenance of the network switches.

Our WLAN pilot project has demonstrated that while it is easy to deploy a WLAN, it is difficult to make the system secure, functional, usable, and maintainable. We continue to refine our WLAN pilot and modify the infrastructure so that it will provide users with the same ease of use as a directly attached WLAN access point, but with the security necessary to protect our network. Applying lessons learned from our WLAN pilot, one MITRE sponsor asked us to assess current government WLAN policies and test potential vulnerabilities.
The Defense Information Systems Agency (DISA) and MITRE established a project to identify any weaknesses in the recommendation for the Air Force Policy for Wireless Local Area Networks and to determine whether those weaknesses can be mitigated. Using a commercial-off-the-shelf VPN solution, the project attempted to answer three questions: Can a wireless VPN client be denied access to the corporate network via a distributed denial-of-service attack? Can the attacking machines intercept any private information? Can Internet Protocol Security (IPSec) authentication or tunnels be disrupted?

Test results demonstrated that IPSec VPN technology is susceptible to denial-of-service attacks that use transmission control protocol/user datagram protocol (TCP/UDP) flood techniques. However, the use of 100-megabyte-per-second routers and switching hubs would reduce the effectiveness of these types of attacks. Enterprise-level VPN gateways may decrease the effect of Internet Key Exchange (IKE) clogging attacks because these gateways can handle tens of thousands of simultaneous IKE requests, whereas the equipment we tested can only support 100 IKE requests. The test results were encouraging in that none of the denial-of-service attacks compromised encrypted data, although they did interfere with data availability. However, both the VPN gateway and the VPN client are susceptible to denial-of-service flood attacks. Attacks against the VPN gateway are more effective because of the Internet control message protocol (ICMP) responses from the VPN gateway, which effectively double the WLAN traffic. In addition, the VPN gateway takes longer than a VPN client to resume normal traffic after an attack. Users cannot establish a VPN tunnel during an attack, and those with an established VPN tunnel lose packets (FTP, Telnet, etc.), although some services may resume after an attack. In summary, the current suite of WLANs can potentially pose risks to an organization’s infrastructure security.
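The two gateway-side effects reported above, a limited pool of in-flight IKE negotiations (100 on the tested equipment) and ICMP replies that double flood traffic, can both be watched for in flow records. The following detector is an added illustration, not code from the DISA/MITRE project; the flow-record format, the 10-second IKE window, the gateway address 10.0.0.1 and the sample records are all constructed assumptions.

```python
"""Added detector for IKE clogging pressure and ICMP amplification at a VPN
gateway. Flow-record format, thresholds and sample data are constructed for
illustration, not taken from the DISA/MITRE tests described in the article."""
from collections import deque

IKE_PORT = 500
GATEWAY_IKE_CAPACITY = 100   # capacity of the tested equipment, per the text
WINDOW_SECONDS = 10          # assumed lifetime of an unanswered IKE request

def parse_flow(line):
    """Constructed format: '<epoch> <src_ip> <dst_ip> <proto> <dst_port> <bytes>'."""
    ts, src, dst, proto, dport, nbytes = line.split()
    return float(ts), src, dst, proto, int(dport), int(nbytes)

def ike_pressure(lines, capacity=GATEWAY_IKE_CAPACITY, window=WINDOW_SECONDS):
    """Alert (ts, in_flight, busiest_src) whenever UDP/500 initiations seen in
    the last `window` seconds reach the gateway's negotiation capacity."""
    pending, alerts = deque(), []
    for line in lines:
        ts, src, _, proto, dport, _ = parse_flow(line)
        if proto != "UDP" or dport != IKE_PORT:
            continue
        pending.append((ts, src))
        while ts - pending[0][0] > window:      # expire requests outside the window
            pending.popleft()
        if len(pending) >= capacity:
            counts = {}
            for _, s in pending:
                counts[s] = counts.get(s, 0) + 1
            alerts.append((ts, len(pending), max(counts, key=counts.get)))
    return alerts

def icmp_amplification(lines, gateway_ip):
    """Bytes of ICMP the gateway emits per byte it receives; a ratio near 1.0
    means its replies are doubling WLAN traffic, as the tests observed."""
    flows = [parse_flow(l) for l in lines]
    inbound = sum(b for _, _, dst, _, _, b in flows if dst == gateway_ip)
    icmp_out = sum(b for _, s, _, p, _, b in flows if s == gateway_ip and p == "ICMP")
    return icmp_out / inbound if inbound else 0.0

# Constructed sample: 120 IKE initiations from three hosts within 5 s, each
# answered by an equal-sized ICMP message from the gateway 10.0.0.1.
SAMPLE = []
for i in range(120):
    t, host = 1000 + i * 0.04, f"10.0.0.{50 + i % 3}"
    SAMPLE.append(f"{t:.2f} {host} 10.0.0.1 UDP 500 300")
    SAMPLE.append(f"{t + 0.01:.2f} 10.0.0.1 {host} ICMP 0 300")

if __name__ == "__main__":
    for ts, n, src in ike_pressure(SAMPLE)[:1]:
        print(f"IKE clogging at t={ts}: {n} in flight, busiest source {src}")
    print(f"ICMP amplification ratio: {icmp_amplification(SAMPLE, '10.0.0.1'):.2f}")
```

Feeding real flow exports through `parse_flow` only requires adapting that one function; the thresholds should be set from the gateway's documented IKE capacity rather than the constructed values here.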
Unless network administrators supplement standard security measures with additional physical and technical measures, malicious users could easily penetrate WLANs. To improve the situation, MITRE is examining new approaches for securing WLANs. For more information, please contact Ed Kemon using the employee directory.