A List of Risks to Wide and Local Area Networks (LAN's) and Some Solutions

Thanks to the proliferation of cellular devices with 64 MB of RAM and 400MHz microprocessors, workstations are now being implemented on a mobile scale. This article deals with enabling the secure and proper usage of these workstations within the walls of an organization.

Earlier, WI-FI required the obtaining of a usage license from the Wireless Planning and Co-ordination wing of DoT and from the home ministry. However, today Wi-Fi has been de-licensed for indoor use, which is our main area of implementation.

There are a few risks involved however with implementing such a system. One must consider a number of various permutations of room ergonomics along with cost and the security level provided.

Certain such risks involved are given below along with appropriate methods to ensure their proper side-stepping and overcoming:

The "Easy Access" Oxymoron:

One quite ironic facet of wireless security is the fact that we are trying to secure something whose essence is to be freely and easily available. Controlling such a WLAN network must involve, hence, a proper scrutiny of the area within an office, where the WLAN is enabled.

WLAN system 802.11 802.11a 802.11b 802.11g 802.11i* homeRF2 HiperLAN2 5-UP

Maximum range (m) 80 100 150 Unknown* 50 80 80

Eavesdropping:

If a particular wi-fi frame header i.e. the wireless transmitter is kept in the open, then an outsider without validation can tamper with the device and exchange data. To safeguard against this massive risk, wifi transmitters need to be kept at a faraway distance.

Positioning:

One of the biggest problems with using a WLAN security system based on card readers is that a person may swipe his card, but not enter the premises. Thus, his authentication can be used by others for logging on to the Wi-Fi system. This is a huge threat to the system's integrity.

One way to prevent this would be to use two card readers, one OUTSIDE the premises, to be swiped before entering and one INSIDE the premises, near the gate preferably which can validate the fact that he's inside the building. Of course, appropriate security measures like security guards or even visual aids (or biometrics in the case of a high security region) should also be implemented in order to authenticate this method.

Also, a major method for enabling WILAN integrity is the mapping of a floor for finding out where a particular wifi user is. Hence, the administrator can verify that he is within the premises. All that is required here is two co-ordinate transmitters and an on-off transmitter on the ID card that can be used to track the user. The implementation of such a method would however, be quite costlier depending on the office space.

The Entourage:

A person accessing the internet, accompanied by an authorized wifi user can be quite a problem, since very little can be known about the second person. Either tagging or providing him a security pass as is done in areas such as the Bombay Stock Exchange can be done, or the tracking method above can be used, to ensure that a person using the wifi is still in check.

Client to Client Attacks:

The Wi-Fi system should be of a strength bypassing all other wireless protocols being used such as Bluetooth etc. The reason for this being that a user can bypass the wifi system by leeching data through the WLAN and transmitting it to a friend using another protocol. Now, to prevent this, a WLAN should be strong enough to send bogus packets to these other wireless devices and flood their connections. This of course, once again depends on the level of security.

Protocol:

A weak Wi-Fi protocol such as 802.11b is too weak to sustain periodic attacks from hackers. Hence, a stronger protocol such as the IEEE 802.1X should be used which enables proper authentication of the user.

Setting up Risk:

While setting up the WLAN, a strict vigil should be maintained by the company's workers in order to ensure that the setup is not tampered with.

Also, the administrator used should have a proper understanding of its working, with a good knowledge about ID codes and database management.

Fraudulent Hosts and Clients:

Host intrusion is a phenomenon recently experienced in large city-wide WLAN's seen in many developed cities such as Shanghai. Here, a particular client to the WLAN can start his own Secured Shell Network within the wifi and entice users with faster speeds which he can provide with extra software and hardware. Here, the host, unknown to the clients has the ability to hack into a client's data. However, the client, believing that he's sending data to the server in kept in the dark.

Also, such a host can release viruses or spam onto the internet which can ruin the entire WLAN-user experience.

Preventing the above two is of absolute utmost importance. It involves the usage of the following Innovated techniques which we have come up with:

• Keep on updating the Wi-Fi's wireless client details. Also, make sure that all ad-hoc mode exploitation or fraudulent Wi-Fi probe requests are disabled on the LAN.

• Configure wireless clients to disable automatic connections to unknown SSIDs

• Attackers can beacon any SSID they wish -- including the SSIDs they overhear being probed for by nearby clients. As such, consider disabling SSID probing in clients that implement this option.

• Many wireless clients can be configured to maintain connection logs -- for example, the Wzcdlg.log and Wzctrace.log files created by the Windows XP Wireless Zero Config service. It may not be practical to routinely monitor these distributed log files, but they can still be useful for spot-check audits and investigation. This coupled with our authentication technique should provide a foolproof WLAN security system.

Though there are quite a few risks associated with our method's usage, as you can see above, they can be easily handled by using various preventive actions. Thus, safe and secure Wi-Fi as well as LAN usage in public areas is not far away.