|< Day Day Up >|
Security-wise, antennas and amplifiers give an enormous edge to both the skillful attacker and defender. From the attacker's perspective, antennas give distance (resulting in physical stealth), better signal quality (resulting in more data to eavesdrop on and more bandwidth to abuse) and higher power output (essential in Layer 1 DoS and man-in-the-middle attacks). From the defender's perspective, correctly positioned antennas limit the network boundaries and lower the risk of network detection while reducing the space for attackers to maneuver. In addition, three highly directional antennas in conjunction with mobile wireless clients, running signal strength monitoring software, can be used to triangulate the attacker or a rogue wireless device. This is, of course, dependent on the attacker actually transmitting some data. A self-respecting wireless security company should be able to provide the triangulation service as a part of an incident response procedure. Unfortunately, this is not usually the case.
Before we provide suggestions on antenna use in wireless security auditing, a brief overview of antenna theory basics is necessary. If you are an RF expert you can safely skip the intermezzo and move forward.
Sometimes the antennas take rather bizarre shapes (e.g., flag yagi), sometimes they are well-hidden from prying eyes (many of the indoor patch or panel antennas), and sometimes they look like fire alarms (small ceiling-mount omnis). Spotting wireless antennas is an important part of a site survey, which might help you determine the overall shape of the wireless network before turning on your monitoring tools. Pay particular attention to the back and side lobes, such as the ones in yagi's irradiation patterns; the network might span somewhere the system administrator without knowledge of RF basics might never expect it to be.
When selecting your antennas for wireless security audit, a decent omnidirectional and a high-gain, narrow-beamwidth antenna are the minimum. We usually use 12 dBi omni and 19 dBi grid directional, but you should pick the antennas that suit you best. An omnidirectional comes in handy when surveying a site, looking for rogue access points, analyzing traffic from several hosts positioned in different directions, and monitoring the area for unauthorized or suspicious traffic or interference. You should always keep in mind that with a higher gain the "doughnut" becomes flatter, and while using a higher gain omni you might not discover wireless hosts positioned below or above the coverage zone (e.g., hosts in the same building but on different floors). On the other hand, a lower gain omni might not be sufficiently sensitive to pick these hosts up. This is a possible case for using a semidirectional antenna (we use 15 dBi yagis). Alternatively, you can do a thorough scan with a narrow beamwidth directional, but remember both horizontal and vertical beamwidth planes! When it comes to the use of directional antennas, there are several obvious advantages:
There is considerable information (even in the popular media) on making your own antennas from Pringles tubes, empty tins, and so forth. Although it is a cool hardware hack and worth trying in your free time, we do not recommend using these antennas in serious commercial wireless penetration testing. Their beamwidth, irradiation pattern, gain, and some other important criteria, such as voltage standing wave ratio (VSWR; should be approximately 1.5:1) are rarely verified and the performance can be unreliable. Of course, there are cases when homemade antennas beat the commercially built ones by a large margin. Nevertheless, properly quantifying the do-it-yourself antennas parameters just listed is difficult and expensive, which makes defining and documenting your site survey results difficult. At the same time, it is easy to get a decent 2.4–2.5 or 5.15–5.85 GHz antenna for a very reasonable price (we recommend http://www.fab-corp.com, but there are many other affordable online WLAN antenna stores).
|< Day Day Up >|