Wired vs. Wireless Security?

Some enterprises contend that if they have all their wired security bases covered, wireless intruders won't be able to access their private network resources. They cite this as a reason not to invest in WIPS.

What's your security argument against this position?


4 Comments

Traditional wired security fails to meet the challenge of securing wireless because it fundamentally ignores the monitoring of the airspace from which most attacks are perpetrated. This leads to situations where end-user WiFi-enabled machines and their data can be directly compromised from the outside, leading to data leakage, hijacked connections, and ultimately even to full network breaches that would be missed by wired security methods. At the heart of the matter, we have to appreciate the fact that WiFi directly touches the outside untrusted world without any of our traditional wired security solutions sitting between "us" and "them". Regardless of your decision on how you deploy WiFi (if at all), your end-user employees and all of their data are immersed in a WiFi world simply due to the fact that every laptop and most phones have WiFi built in. So whether you like it or not, your employees are in a WiFi cloud, and that cloud extends to the outside world. To illustrate this point, think of your wired security measures and the layers that stand between an employee's laptop and the outside world: typically we have firewalls to govern inbound/outbound connections, we have IDS/IPS systems doing deep packet inspection, and we may use NAT to ensure that outsiders can't directly "see" our internal end-users and devices. Now compare that to our wireless environment. Anyone sitting in the parking lot immediately sees all of my end-users and who they talk to, sees every wireless device in the area including its security configuration; he is free to capture all traffic in the air, and he can directly attempt to inject traffic, affect end-users and probe vulnerabilities, all without ever touching the wire. To bring this home, consider the very real-world scenario below:

  1. Hacker sits in the parking lot or anywhere within WiFi earshot of his high-gain antenna.
  2. He sits back and watches all of your user laptops and chooses one or more to attack.
  3. By listening to traffic (probes), he knows all the access points that all of your clients have connected to recently (including their networks at home).
  4. He runs a very rudimentary attack against the target user to break the authorized connection between his laptop and the AP.
  5. He continues to prevent the laptop from reconnecting to the real AP while pretending to be one of the other APs that the user has connected to in the past (that he saw in step 3).
  6. The employee laptop immediately tries to connect to the hacker's fake AP because it can't get connected to its normal connection (the laptop is doing this without the user's knowledge).
  7. The hacker immediately starts scraping SMTP passwords, website login info and any information the user has put into a web form.
  8. The hacker now goes for the mother lode and sends the user a webpage that looks like a Windows login dialog box.
  9. End user is none the wiser and types in his username and password.
  10. The hacker now has data from the end user and login credentials to the network.
  11. He idly waits until everyone has gone home and logs in to the network using the trusted credentials.


Now this is just a single, simple example, but the point is that the entire battle occurred without a single packet hitting your wired network (well, of course, until he logs in at the end). It underscores the real point: what happens in your airspace is fundamentally strategic to the security of your enterprise. We need to know exactly what communication is happening in the air between our protected assets and the untrusted outside world. We must see our vulnerabilities in the same way that the outside hacker sees them. And most importantly, we need the intelligence to automatically recognize the subtle techniques that hackers use to compromise and gain access to our networks.

This position simply ignores the insider threat. The easiest way for an insider to bypass all corporate security policies implemented via wired security gateways (firewall, IPS/IDS, URL & Email filtering, etc.) is to use a wireless connection to bypass all those policies. The simplest example is an insider (i.e. an employee) connecting to a neighboring Wi-Fi network (coffee shop hotspot network) and sending unauthorized information via that connection. Another example is that 802.1X-based port control (i.e. NAC) cannot block insider Rogue AP threats (i.e. Rogue APs that are set up by employees themselves).

When assessing the need for WIPS, one needs to look at both insider and outsider threats. Introduction of wireless technologies into the enterprise has introduced both infrastructure and end-user related vulnerabilities. Wired security implementations have limitations addressing insider and outsider (i.e. hostile) threats introduced by wireless technologies. Investing in WIPS in fact protects the enterprise's existing investment in wired security gateways.

The introduction of wireless has changed the security paradigm. Wireless networks use the air to transfer information. The air is an uncontrolled and shared medium - it lacks the equivalent physical security of its wired counterpart. Once a user connects a wireless Access Point (AP) into the network, its signals can travel through the walls, ceilings and windows of the building, exposing the traditionally secure physical and link layers. Rogue APs as well as misconfigured APs can expose the entire intranet to a wireless hacker by providing a backdoor entry to the corporate network, bypassing the corporate firewall. These Layer 2 attacks are not detected by traditional Layer 3 firewalls. Several other attacks such as wireless reconnaissance, identity theft, session hijacking or Man-in-the-Middle (MITM) attacks, Denial-of-Service (DoS) attacks, wired side leakage, dictionary based attacks, etc. are Layer 2 wireless specific and “below the radar” for traditional wired security defenses as shown in the following link (http://www.airdefense.net/wips.php).

To make matters worse, wireless laptops are constantly probing for APs to connect to. Hackers can easily lure wireless clients to connect to them and compromise the machine. Hackers can gain access to the intranet by bridging from the wireless to the wired network if both interfaces are enabled.
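The attack walk-through in the first comment (a deauth burst, then a fake AP carrying an SSID learned from probe requests, then a corporate laptop associating to it) and the insider cases in the second and third comments (an employee connecting to a neighboring hotspot, an employee-installed rogue AP that 802.1X port control never sees) are exactly the airspace events a WIPS sensor has to recognize. The sketch below is an added example, not code from any of the commenters or from any WIPS product: it runs a handful of detection rules over constructed 802.11 management-frame records. Every MAC address, SSID, threshold and the "rogue AP's wired MAC sits next to its BSSID" heuristic are assumptions made for illustration.

```python
"""Toy WIPS rules over constructed 802.11 management-frame records.

Added example. The frame records, MAC addresses, SSIDs, thresholds and the
wired-MAC adjacency heuristic are all constructed for illustration.
"""
from collections import defaultdict, deque

# Authorized infrastructure (constructed): SSID -> legitimate BSSIDs.
AUTHORIZED_APS = {"CorpNet": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}
AUTHORIZED_SSIDS = set(AUTHORIZED_APS)
AUTHORIZED_BSSIDS = {b for bssids in AUTHORIZED_APS.values() for b in bssids}
# Corporate client radios (constructed) whose associations we care about.
CORP_CLIENTS = {"aa:bb:cc:00:00:10", "aa:bb:cc:00:00:11"}
# MACs learned from the wired side, e.g. switch CAM tables (constructed).
WIRED_MACS = {"66:77:88:99:aa:bc"}

DEAUTH_THRESHOLD = 10   # deauth frames per BSSID ...
DEAUTH_WINDOW = 5.0     # ... within this many seconds


def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)


def near_wired_mac(bssid, wired_macs, slack=4):
    """Heuristic (assumption): many APs use a wired MAC equal to, or a few
    addresses away from, their BSSID. A hit means the AP is on our wire."""
    b = mac_to_int(bssid)
    return any(abs(b - mac_to_int(w)) <= slack for w in wired_macs)


def analyze(frames):
    """Return a deduplicated list of (alert_kind, subject, detail) tuples."""
    alerts, seen = [], set()
    deauth_times = defaultdict(deque)   # bssid -> timestamps in window

    def emit(kind, subject, detail):
        if (kind, subject) not in seen:
            seen.add((kind, subject))
            alerts.append((kind, subject, detail))

    for f in frames:
        st = f["subtype"]
        if st == "beacon":
            if f["bssid"] in AUTHORIZED_BSSIDS:
                continue
            if f["ssid"] in AUTHORIZED_SSIDS:
                emit("evil_twin", f["bssid"], f["ssid"])      # our SSID, not our AP
            elif near_wired_mac(f["bssid"], WIRED_MACS):
                emit("rogue_ap_on_wire", f["bssid"], f["ssid"])
            else:
                emit("unknown_ap", f["bssid"], f["ssid"])      # neighbor or attacker
        elif st == "deauth":
            # Deauth source addresses are spoofed, so count per BSSID, not per src.
            q = deauth_times[f["bssid"]]
            q.append(f["t"])
            while q and f["t"] - q[0] > DEAUTH_WINDOW:
                q.popleft()
            if len(q) >= DEAUTH_THRESHOLD:
                emit("deauth_flood", f["bssid"], len(q))
        elif st == "assoc_req":
            # Step 6 of the scenario, and the insider-on-a-hotspot case.
            if f["src"] in CORP_CLIENTS and f["bssid"] not in AUTHORIZED_BSSIDS:
                emit("client_misassociation", f["src"], f["bssid"])
    return alerts


def build_sample_frames():
    """Constructed capture mirroring the scenario in the comments above."""
    fr = lambda t, st, src, bssid, ssid: dict(t=t, subtype=st, src=src, bssid=bssid, ssid=ssid)
    frames = [fr(0.1 * i, "beacon", "00:11:22:33:44:01", "00:11:22:33:44:01", "CorpNet")
              for i in range(3)]                                        # legitimate
    frames += [fr(1.0 + 0.02 * i, "deauth", "00:11:22:33:44:01", "00:11:22:33:44:01", None)
               for i in range(12)]                                      # steps 4-5
    frames.append(fr(1.3, "beacon", "de:ad:be:ef:00:01", "de:ad:be:ef:00:01", "HomeWiFi-Smith"))
    frames.append(fr(1.4, "assoc_req", "aa:bb:cc:00:00:10", "de:ad:be:ef:00:01", "HomeWiFi-Smith"))
    frames.append(fr(2.0, "beacon", "de:ad:be:ef:00:02", "de:ad:be:ef:00:02", "CorpNet"))
    frames.append(fr(2.5, "beacon", "66:77:88:99:aa:bb", "66:77:88:99:aa:bb", "Linksys"))
    frames.append(fr(3.0, "beacon", "c0:ff:ee:00:00:01", "c0:ff:ee:00:00:01", "CoffeeShop"))
    frames.append(fr(3.1, "assoc_req", "aa:bb:cc:00:00:11", "c0:ff:ee:00:00:01", "CoffeeShop"))
    return frames


if __name__ == "__main__":
    for alert in analyze(build_sample_frames()):
        print(alert)
```

Two points the rules make explicit: deauth frames carry a forged source address, so the flood is counted against the BSSID being impersonated rather than trusted per sender, and the airspace alone cannot tell a neighbor's AP from an employee's rogue AP on the corporate wire; that distinction needs correlation with wired-side data (here a CAM-table MAC list), which is the wired/wireless join the comments are arguing for.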

I agree with the arguments given here, but would sum it up this way: Your wireless airspace is a corporate asset. Ignoring that asset leaves *it* vulnerable, no matter what you've done to defend your wired network. Wireless DoS, unauthorized Ad Hocs, phishing for client devices - these attacks all exploit vulnerabilities in your airspace that can only be mitigated with wireless-aware defenses (like a WIPS). And if you don't at least monitor what's happening in your airspace, you have created a security blind spot where you can't detect unauthorized activity, much less document it for compliance reporting purposes.