ISS checks wireless LAN vulnerabilities

Internet Security Systems Inc. last month announced it has expanded its security consulting practice to tackle vulnerabilities that may be associated with wireless LAN products from vendors that include Cisco Systems Inc., Lucent Technologies Inc., Nortel Networks Corp., 3Com Corp. and LinkSys Group Inc.

Until now, ISS has provided intrusion-detection and risk-management scanning tools, such as Internet Scanner, for detecting vulnerabilities in applications running on wireline networks. But ISS chief technical officer Chris Klaus says that growing demand from customers for help in evaluating risks associated with wireless LANs has prompted ISS to gear up for this tetherless technology as well.

For the first time, ISS has added to its Internet Scanner product a way to detect wireless LANs based on the IEEE 802.11b Ethernet standard used at 2.4GHz. “Internet Scanner can now do discovery-type analysis,” said Klaus, adding that it’s not uncommon at large companies for employees in a division to simply plug in a wireless base station and add a wireless LAN and wireless-enable laptops.

“In essence, these are rogue base stations,” Klaus noted, adding they can provide a way for hackers to get into not only the wireless LAN segment, but the wired portion of the corporate intranet as well.

In the next few months, ISS plans to enhance Internet Scanner to remotely identify several security vulnerabilities that could be associated with vendor wireless LAN products. In the meantime, ISS security experts will provide professional services to advise customers on the potential problems and how to develop a security policy to encompass wireless LANs tied in with wireline LANs.

Wireless LANs typically come out-of-the-box with weaknesses that allow hackers to fairly easily gain access to a wireless LAN network unless the default settings are changed, according to Klaus. Overall, ISS is recommending that corporations cordon off each wireless LAN base station from their wireline intranet by means of a firewall. “We’re saying it should be treated as an untrusted device, with the firewall requiring proper authentication and monitoring,” he notes.

Depending on the position of the wireless antenna, it’s possible to gain access to wireless LANs from about 300 feet, through glass or walls. The 802.11b standard calls for products to have a shared password for all devices, called the Service Set ID. Wireless LAN products ship with default passwords that have become commonly known. For instance, Cisco’s password is “Tsunami” and 3Com’s is “101.”

“The idea here was ease of use over security,” commented Klaus, adding it’s possible to just turn on a wireless LAN laptop and join a wireless network pretty easily from a distance.

Wireless LANs may include encryption, but the 802.11b standard’s encryption scheme, called “Wired Equivalent Privacy,” has a default setting of “no encryption.” The two other modes are breakable 40-bit encryption and the stronger 128-bit. ISS is recommending that all wireless laptops make use of added VPN clients to protect data.

The management interface to wireless LANs, based on SNMP, also has vulnerabilities associated with it, because it’s not that difficult to capture the default community string to read the configuration of all the devices on a wireless network.

3Com’s default is “Com Com Com,” pointed out Klaus. In this respect, Lucent and Cisco did a better job of requiring the administrator to enable the configuration before the network management capability can be used, he noted.

Like wireline networks, wireless LANs can be jammed by denial-of-service attacks. “It’s extremely easy, because 2.4GHz is an unlicensed frequency,” Klaus says. “You can jam it via many other types of devices using that frequency or other wireless-enabled laptops.”

ISS doesn’t claim to have all the answers on wireless LAN security, but “we’re focusing on extending our knowledge here,” Klaus said.