
Target Yourself: Penetration Testing as Your First Line of Defense

It is hard to overemphasize the importance of penetration testing in the overall information security structure and the value of viewing your network through the cracker's eyes prior to further hardening procedures. There are a variety of issues specific to penetration testing on wireless networks.

First of all, the penetration tester should be very familiar with RF theory and with RF-specific security problems (i.e., signal leakage and detectability, legal regulations pertaining to transmitter power output, and the characteristics of the RF hardware involved). Watch out for the "RF foundations" inserts throughout the book; they will be helpful. Layer 1 security is rarely an issue on wired networks, but it should always be investigated first on wireless nets. The initial stage of penetration testing and security auditing on 802.11 LANs should be a proper wireless site survey: finding where the signal from the audited network can be received, how clear the signal is (by looking at the signal-to-noise ratio (SNR)), and how fast the link is in different parts of the network coverage zone. The survey must also discover neighboring wireless networks and identify other possible sources of interference.

The site survey serves four major security-related aims:

  1. Finding out where the attackers can physically position themselves.

  2. Detecting rogue access points and neighbor networks (a possible source of opportunistic or even accidental attacks).

  3. Baselining the interference sources to detect abnormal levels of interference in the future, such as the interference intentionally created by a jamming device.

  4. Distinguishing network design and configuration problems from security-related issues.

This last point is of particular significance because air is a less reliable medium than copper and fiber, and a security-keen administrator can easily confuse network misconfigurations with security violations, in particular DoS attacks. For example, a host on a wireless network might be unable to discover another wireless host that roamed into a "blind spot" and keeps sending SYN packets. Sensitive IDS alarms go off indicating a SYN flood! At the same time the disappeared host stops sending logs to the syslog server. The security system administrator goes to Defcon 1, but five minutes later everything returns to normal (the roaming user has left the "blind spot"). Another example is an "abnormal" number of packet fragments coming from the WLAN side. Of course, it could be a fragmented nmap or hping2 scan by an intruder or an overly curious user, but most likely it has something to do with the much larger default maximum transmission unit (MTU) size on an 802.11 LAN (2312 bits on 802.11 vs. approximately 1500 bits on 802.3/Ethernet, taking 802.1q/ISL into account). Whereas for a wireless networker these issues are obvious, for a system administrator not familiar with 802.11 operations they can be a pain in the neck, security and otherwise.
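The fragmentation case above is the kind of ambiguity a site-survey baseline is meant to resolve. The following is an added triage helper, not code from the book, that groups captured IP fragments by datagram and labels each set by its shape: fragments cut at the Ethernet payload boundary (assumed here as 1480 bytes, i.e. a 1500-byte MTU minus a 20-byte IP header) point to a large 802.11 datagram being split on its way to Ethernet, whereas sets made of tiny fragments deserve a closer look. The `Fragment` record and the 64-byte "tiny" threshold are assumptions for the example.

```python
from dataclasses import dataclass
from collections import defaultdict

# Assumptions for this example: Ethernet MTU of 1500 bytes and a 20-byte IP
# header leave 1480 bytes of payload per non-last fragment when a larger
# 802.11 datagram is fragmented at the Ethernet boundary. Fragments of only a
# few tens of bytes are not what MTU-driven fragmentation produces.
ETHERNET_MTU = 1500
IP_HEADER = 20
MTU_FRAG_PAYLOAD = ETHERNET_MTU - IP_HEADER  # 1480, a multiple of 8
TINY_FRAG_LIMIT = 64                         # assumed threshold

@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ip_id: int
    offset: int   # fragment offset in bytes (header field * 8)
    length: int   # IP payload bytes carried by this fragment
    more: bool    # "more fragments" (MF) flag

def classify_datagram(frags):
    """Label one reassembly set (same src/dst/ip_id) by its fragment sizes."""
    frags = sorted(frags, key=lambda f: f.offset)
    if len(frags) < 2 or frags[-1].more:
        return "incomplete"
    sizes = [f.length for f in frags[:-1]]  # last fragment may be any size
    if all(s == MTU_FRAG_PAYLOAD for s in sizes):
        return "mtu-fragmentation"
    if all(s <= TINY_FRAG_LIMIT for s in sizes):
        return "tiny-fragments"
    return "unknown"

def triage(fragments):
    """Return {source: {label: count}} over all reassembly sets seen."""
    groups = defaultdict(list)
    for f in fragments:
        groups[(f.src, f.dst, f.ip_id)].append(f)
    summary = defaultdict(lambda: defaultdict(int))
    for (src, _dst, _ip_id), frags in groups.items():
        summary[src][classify_datagram(frags)] += 1
    return {src: dict(counts) for src, counts in summary.items()}

# Constructed sample: 10.0.0.5 sends 2304-byte datagrams that the access point
# splits at the Ethernet boundary (1480 + 804 payload bytes); 10.0.0.7 emits
# 8-byte fragments.
SAMPLE = [
    Fragment("10.0.0.5", "10.0.1.9", 100, 0, 1480, True),
    Fragment("10.0.0.5", "10.0.1.9", 100, 1480, 804, False),
    Fragment("10.0.0.5", "10.0.1.9", 101, 0, 1480, True),
    Fragment("10.0.0.5", "10.0.1.9", 101, 1480, 804, False),
    Fragment("10.0.0.7", "10.0.1.9", 1, 0, 8, True),
    Fragment("10.0.0.7", "10.0.1.9", 1, 8, 8, True),
    Fragment("10.0.0.7", "10.0.1.9", 1, 16, 4, False),
]
```

Run `triage(SAMPLE)` to see each source's labels; a source whose sets are all "mtu-fragmentation" is a network design matter, not an incident.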

After surveying the network, the next stage of penetration testing is dumping the traffic for analysis and associating with the audited LAN. However, being able to associate to the WLAN is not the end of a penetration test on a wireless network, as many security consultants would have you believe. In fact, it is just the beginning. If penetration testing is looking at the network through the cracker's eyes, then please do so! Crackers do not attack wireless networks to associate and be happy: They collect and crack passwords, attempt to gain root or administrator privileges on all vulnerable hosts in a range, find a gateway to the Internet, and connect to external hosts; finally they hide their tracks. Unless the penetration test has demonstrated how feasible everything just listed is, it has not reached its goal. Later chapters in this book are devoted to precisely this—describing proper penetration testing procedures on 802.11 LANs in detail and providing the instructions for working with the tools included on the accompanying Web site ( Of course, new versions of the tools inevitably come out frequently and completely new security software utilities are released all the time. At the same time, the process from submitting the book proposal to seeing the work on the shelves is very lengthy. Nevertheless, we aim to provide the latest versions of everything you need to audit 802.11 LAN security, and at the least, what we have described in the book should give you a good idea of where to look for new releases and tools and what they are supposed to do. Besides, the accompanying Web site will be continuously maintained and updated with all recent developments in wireless security and new software releases. Visit it regularly and you won't be disappointed!
