It has probably already been beaten into you that you must use Wi-Fi Protected Access—preferably WPA2 with AES—encryption to secure your wireless network. However, it shouldn’t stop there. As ?with any other technology, there are numerous security threats.
Here, we’ll isolate four lesser-known Wi-Fi security threats and see how to combat them.
1. Connecting to Other Wi-Fi Networks
You can implement enterprise encryption and have the most secure Wi-Fi network in the world, but it doesn’t apply when users are on other wireless networks. Your users may be able to simply hop onto another nearby Wi-Fi network, potentially exposing their computer and data to the users of that network. They might even use another Wi-Fi signal to get unrestricted access to the network. However, you do actually have some control over the networks users can connect to.
Unfortunately, these aren’t foolproof solutions. Users still might be able to connect to other networks if they are using a third-party wireless client, not the one built into Windows. But it’s still worth trying.
You can use the netsh command-line tool to setup network filters on computers running Windows Vista or 7. Open a Command Prompt window and use the following commands:
- To allow your network: netsh wlan add filter permission=allow ssid=yournetworkname networktype= infrastructure
- To block all other networks: netsh wlan add filter permission=denyall networktype= infrastructure
- To block all adhoc networks: netsh wlan add filter permission=denyall networktype= adhoc
On a domain network (with Active Directory on a Windows Server), you can use Group Policy to push similar restrictions to the computers. To access Group Policy in Windows Server 2008 and Windows Server 2008 R2, use the Group Policy Management Console (GPMC). In older versions, use the Microsoft Management Console (MMC) snap-in.
In Windows Server 2008 and Wireless Server 2008 R2, navigate to Computer Configuration > Policies > Windows Settings > Security Settings. In Windows Server 2003, navigate to Computer Configuration > Security Settings. Then right-click Wireless Network (IEEE 802.11) Policies and choose a new policy to create, or if you previously created a wireless policy, edit it.
You’ll be able to create policies for the specific Windows versions, so the settings will vary. You’ll probably want to add your network as a preferred network. Then review the other settings to find ways to restrict network access.
For example, you probably want to allow access to only infrastructure networks, blocking ad-hoc networks. Windows Server 2008 and R2 let you block all but the networks you define for Windows Vista and 7 computers with the following option: Only use Group Policy profiles for allowed networks.
2. Misconfigured 802.1X Clients
The Enterprise mode of WPA/WPA2 encryption with 802.1X authentication provides many benefits over the Personal or Pre-shared Key (PSK) mode. However, the Enterprise mode has vulnerabilities as well. Clients are susceptible to man-in-the-middle attacks where a hacker may be able to recover the login credentials.
However, you can prevent these types of attacks by enabling three key authentication settings on the client computers:
- Check the Validate server certificate option and select the Trusted Root Certificate Authority from the list.
- Check the Connect to these servers option and input the domain name or IP address of the RADIUS server.
- Check Do not prompt user to authorize new servers or trusted certificate authorities.
You can use the netsh command-line tool to distribute your network profile and settings to Windows Vista and 7 computers. On a domain network (with Active Directory on a Windows Server), you can use Group Policy to edit the preferred network list of computers running Windows XP and later.
3. Creating Wireless Hosted Networks, Virtual APs
Microsoft introduced a new Wi-Fi feature with Windows 7 and Windows Server 2008 R2, called Wireless Hosted Networks. It allows users with a supported wireless adapter to create a virtual wireless router or access point (AP), even while connected to a wireless network.
Users can create and manage wireless hosted networks via the netsh command-line tool or use a third-party tool like Connectify.
This new feature might be seen as cool to Wi-Fi enthusiasts, but to administrators it’s just another vulnerability. Employees could knowingly or unknowingly setup backdoor access to the computer and/or network. Though the feature by default requires the use of WPA2 (AES) encryption, the passphrase can be created by the user and given out to others.
You can try to prevent the use of the Wireless Hosted Network feature on a domain network running Window Server 2008 R2 using Group Policy. As with blocking networks, there’s still a way around. Users still might be able to enable the feature if they are using a third-party wireless client.
To access the Group Policy, use the Group Policy Management Console (GPMC). Navigate to Computer Configuration > Policies > Windows Settings > Security Settings. Right-click Wireless Network (IEEE 802.11) Policies and select Create a New Wireless Network Policy for Windows Vista and Later Releases, or if you previously created a wireless policy, edit it. Select the Network Permissions tab and mark the Don’t allow hosted networks checkbox.
4. Hole 196: a WPA/WPA2-Enterprise Vulnerability
This vulnerability was dubbed Hole 196 since it is hinted at on page 196 of the revised IEEE 802.11-2007 specification. It has seen some publicity in recent months, originating from a company called AirTight Networks. This vulnerability applies to all Wi-Fi Protected Access (WPA) versions and modes. However, it’s more significant to wireless networks using the Enterprise mode of WPA or WPA2.
This vulnerability opens users up to man-in-the-middle attacks using ARP-cache-poisoning, like we’ve seen on wired networks. In the end, an authorized user on the network can decrypt the traffic of other users, which normally isn’t the case when using the Enterprise mode of WPA/WPA2. They could also potentially send users harmful traffic and malware.
Segregating access with VLANs and virtual SSIDs can help isolate the culprit to its own VLAN. Enabling client isolation on the wireless controllers or access points (APs) can help prevent some of the attacks. You should also keep your AP firmware up-to-date, in case a patch for Hole 196 becomes available.
If you don’t already have a wireless intrusion detection system (IDS) or intrusion prevention system (IPS), consider getting one. These systems may be able to detect Hole 196 attacks.
Eric Geier founded NoWiresSecurity, which helps small businesses quickly and easily protect their Wi-Fi with enterprise-level security. He’s also a freelance tech writer and author of many networking and computing books, for brands like For Dummies and Cisco Press.
Follow eSecurityPlanet on Twitter @eSecurityP.