
    Wireless Security Best Practices

    After all the attacks, let's get some defence going :)

    Location of the APs

    APs should be topologically located outside the perimeter firewalls, and the wireless segments should be treated with the same suspicion as the public Internet: traffic from them must pass through the firewall (and ideally a VPN gateway) before it reaches internal resources. Additionally, use directional antennae and physically place them so that the radio-coverage volume stays within the control of the corporation or home. Coverage can only be confirmed by walking the boundary with a sniffer (parking lot, adjacent floors, the street), not by reading the antenna datasheet.

    Proper Configuration

    Statistics collected by www.worldwidewardrive.org show a distressingly large percentage of APs left configured with the defaults.

    Before a wireless device is connected to the rest of the existing network, it must be properly configured. APs ship with a default SSID such as “Default SSID”, “WLAN”, “Wireless”, “Compaq”, “intel” or “linksys”, and the default passwords for the administrator accounts used to configure the AP via a web browser or SNMP are well known for every manufacturer and collected in public default-password lists. A proper configuration changes all of these to hard-to-predict values, and disables SNMP (or at least replaces the default community strings) where it is not needed.

    Note that the SSID serves as a simple handle, not as a password, for a wireless network. Unless the default SSID on the AP and stations is changed, SSID broadcasts are disabled, MAC address filtering is enabled and WEP is enabled, an attacker can use the wireless LAN resources without even sniffing. Treat the SSID and MAC measures as housekeeping rather than as security controls: a "hidden" SSID is still sent in the clear in probe responses and association requests, and a permitted MAC address can be read from any frame and cloned in seconds. They raise the attacker's effort from none to a few minutes with a sniffer, nothing more.

    Web-based configuration (HTTP) is served by a minimal web server built into the AP, and it is often reachable over both the wired and the wireless interfaces. The embedded web server in a typical AP does not support HTTPS, so the password the administrator submits to the AP can be sniffed (the same holds for SNMPv1/v2c community strings, which also travel in the clear). Web-based configuration over wireless connections should be disabled, and management restricted to the wired side or a dedicated management VLAN.

    WEP is disabled in some organizations because throughput is then higher. Enabling WEP forces an attacker who intends to crack it to sniff a large number of frames; with the key-recovery attacks known at the time of writing, the number of frames needed grows with the key length, so a longer key means more time spent in range. That prolonged physical presence in the radio range of the equipment increases the odds of the attacker being detected. WEP should be enabled, but understand what it buys: it is a deterrent that raises the attacker's cost, not a cryptographic guarantee. Later attacks combined with packet injection shrink both the frame count and the waiting time, so WPA/802.11i (see below) should replace WEP as soon as the hardware supports it.

    IEEE 802.11 does not describe an automated way of distributing the shared-secret keys. In large installations, manually redistributing keys every time they change is expensive. Nevertheless, WEP keys should be changed periodically, and always when a device that held the key is lost or a person who knew it leaves.
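    As an added example (not part of the original post), here is the advice of this section expressed as a hostapd configuration, weak settings first and a hardened version after them. hostapd itself, the interface name, the file paths, the passphrase and the RADIUS server address are assumptions for illustration; the option names are hostapd's own. Comments sit on their own lines because hostapd does not strip trailing comments from values.

```ini
# --- Weak: what an AP "configured with the defaults" looks like ---
interface=wlan0
driver=nl80211
# factory SSID, one of the names every wardriver expects
ssid=linksys
hw_mode=g
channel=6
# no wpa= block at all means an open network; at best, a static 40-bit WEP key
# (10 hex digits) that is never rotated. Recent hostapd builds drop WEP support
# entirely, so these two lines only parse on older versions.
wep_default_key=0
wep_key0=0123456789

# --- Hardened ---
interface=wlan0
driver=nl80211
# assumption: any non-default name that does not identify the organization
ssid=site-specific-name
hw_mode=g
channel=6
# hides the name in beacons only; it is still a handle, not a secret
ignore_broadcast_ssid=1
# accept only stations listed in accept_mac_file (housekeeping, easily cloned)
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
# RSN / WPA2 only, no WPA1 fallback, AES-CCMP rather than TKIP
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# assumption: replace with a long random value, 8..63 printable characters
wpa_passphrase=replace-this-with-a-long-random-passphrase
# For a large site, replace the shared PSK with 802.1X so that keys are per
# station and rotated automatically (assumed RADIUS server on the wired side):
# wpa_key_mgmt=WPA-EAP
# ieee8021x=1
# auth_server_addr=192.0.2.10
# auth_server_port=1812
# auth_server_shared_secret=replace-this-too
```

    The two halves differ in exactly the items the section lists: the SSID, the management of who may associate, and the encryption. Rotating a PSK still means touching every station, which is the key-distribution cost the section describes; the commented 802.1X lines are how 802.11i removes it.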

    Secure Protocols

    If WEP is disabled, or after WEP has been cracked, the attacker can capture all TCP/IP packets by radio-silent (purely passive) sniffing for later analysis, without ever associating to the network. All the attacks possible on a wired network then apply. There are also real-time tools that analyze and interpret the TCP/IP data as they arrive.

    All protocols that send passwords and data in the clear must be avoided. This includes the rlogin family (rlogin, rsh, rcp), telnet, FTP, POP3 and IMAP without TLS, and HTTP basic authentication. Use SSH (and its scp/sftp) and a VPN instead, or the TLS-protected variants of the same services (HTTPS, POP3S, IMAPS).

    In general, when a wireless segment is involved, use end-to-end encryption at the application level in addition to enabling WEP: link-layer encryption protects only the hop between station and AP, and only for as long as the key holds.

    Wireless IDS

    A wireless intrusion detection system (WIDS) is often a self-contained computer system with specialized hardware and software to detect anomalous behavior. The underlying software techniques are the same hacking techniques described above. The special wireless hardware is more capable than a commodity wireless card: it supports RF monitor mode, detects interference, and keeps track of signal-to-noise ratios. It may also include GPS equipment, or combine signal strength readings from several sensors, so that rogue clients and APs can be physically located. A WIDS includes one or more listening devices that collect MAC addresses, SSIDs, features enabled on the stations, transmit speeds, current channel, encryption status, beacon interval, etc. Its computing engine is powerful enough to dissect frames and, given the WEP key, decrypt them into their IP and TCP components, which can then be fed into a conventional TCP/IP intrusion detection system.
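    The following is an added example, not code from the original post: a minimal parser for 802.11 beacon and probe-response frames that builds the per-BSSID inventory a WIDS sensor keeps (SSID, channel, beacon interval, encryption status), recovers a hidden SSID from the probe response the AP sends anyway (the point made under Proper Configuration above), and raises the audit findings a policy would care about. The frames are constructed inline in build_mgmt() rather than captured, and the BSSIDs, names and the default-SSID list are assumptions, the latter taken from the post.

```python
"""Added example (not from the post): parse 802.11 beacons/probe responses into the
inventory a WIDS sensor keeps, and show that a hidden SSID is not a secret."""
import struct

MGMT_BEACON, MGMT_PROBE_RESP = 0x80, 0x50   # frame-control byte 0: mgmt subtype 8 / 5
IE_SSID, IE_DS_PARAM, IE_RSN, IE_VENDOR = 0, 3, 48, 221
CAP_PRIVACY = 0x0010                        # capability bit: privacy (WEP or better) required
WPA_OUI = b"\x00\x50\xf2\x01"               # vendor element that announces WPA(1)
DEFAULT_SSIDS = {"default ssid", "wlan", "wireless", "compaq", "intel", "linksys"}  # from the post


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_ies(body):
    """Tag/length/value elements; stop at the first truncated one rather than trust it."""
    ies, i = [], 0
    while i + 2 <= len(body):
        tag, ln = body[i], body[i + 1]
        val = body[i + 2:i + 2 + ln]
        if len(val) < ln:
            break
        ies.append((tag, val))
        i += 2 + ln
    return ies


def classify_encryption(cap, ies):
    if any(t == IE_RSN for t, _ in ies):
        return "WPA2/RSN"
    if any(t == IE_VENDOR and v.startswith(WPA_OUI) for t, v in ies):
        return "WPA"
    return "WEP" if cap & CAP_PRIVACY else "open"


def parse_mgmt(frame):
    """Fields of a beacon or probe response; None for any other frame."""
    if len(frame) < 36 or frame[0] not in (MGMT_BEACON, MGMT_PROBE_RESP):
        return None
    # 24-byte header (addr3 = BSSID at 16..22), timestamp(8), beacon interval(2), capability(2)
    interval, cap = struct.unpack_from("<HH", frame, 32)
    ies = parse_ies(frame[36:])
    ssid_raw = next((v for t, v in ies if t == IE_SSID), b"")
    channel = next((v[0] for t, v in ies if t == IE_DS_PARAM and len(v) == 1), None)
    return {"subtype": "beacon" if frame[0] == MGMT_BEACON else "probe_resp",
            "bssid": mac_str(frame[16:22]),
            # hidden SSIDs are sent as length 0 or as NUL padding; both become ""
            "ssid": ssid_raw.decode("utf-8", "replace").strip("\x00"),
            "channel": channel, "interval": interval,
            "encryption": classify_encryption(cap, ies)}


def build_inventory(frames):
    """One record per BSSID; a probe response supplies the name the beacons hide."""
    inv = {}
    for m in filter(None, map(parse_mgmt, frames)):
        rec = inv.setdefault(m["bssid"], {"ssid": "", "hidden": False, "channel": None,
                                           "interval": None, "encryption": None})
        if m["subtype"] == "beacon":
            rec.update(channel=m["channel"], interval=m["interval"], encryption=m["encryption"])
            rec["hidden"] = rec["hidden"] or m["ssid"] == ""
        if m["ssid"] and not rec["ssid"]:
            rec["ssid"] = m["ssid"]          # recovered from a probe response
    return inv


def policy_violations(inv):
    """Findings an audit would raise: factory SSID, no encryption, WEP only."""
    out = []
    for bssid, rec in inv.items():
        if rec["ssid"].lower() in DEFAULT_SSIDS:
            out.append((bssid, "default-ssid"))
        if rec["encryption"] in ("open", "WEP"):
            out.append((bssid, rec["encryption"].lower()))
    return out


def build_mgmt(fc0, bssid, ssid, channel, interval=100, privacy=False, rsn=False):
    """Constructed test frame (not a capture): header, fixed fields, SSID/DS/RSN elements."""
    hdr = struct.pack("<BBH6s6s6sH", fc0, 0, 0, b"\xff" * 6, bssid, bssid, 0)
    fixed = struct.pack("<QHH", 0, interval, CAP_PRIVACY if privacy else 0)
    ies = bytes([IE_SSID, len(ssid)]) + ssid + bytes([IE_DS_PARAM, 1, channel])
    if rsn:  # RSN element: version 1, group CCMP, pairwise CCMP, AKM PSK, capabilities 0
        body = bytes.fromhex("0100000fac040100000fac040100000fac020000")
        ies += bytes([IE_RSN, len(body)]) + body
    return hdr + fixed + ies


CORP, HOME, GUEST = (bytes.fromhex("aabbccddee0%d" % i) for i in (1, 2, 3))
SAMPLE_FRAMES = [
    build_mgmt(MGMT_BEACON, CORP, b"", 6, privacy=True, rsn=True),             # SSID hidden
    build_mgmt(MGMT_BEACON, HOME, b"linksys", 11),                               # factory name, open
    b"\x08\x01" + b"\x00" * 34,                                                  # data frame: skipped
    build_mgmt(MGMT_PROBE_RESP, CORP, b"CorpNet", 6, privacy=True, rsn=True),   # name leaks here
    build_mgmt(MGMT_BEACON, GUEST, b"guest", 1, privacy=True),                   # WEP only
]

if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_FRAMES)
    print(inventory, policy_violations(inventory), sep="\n")
```

    Running it shows the first BSSID listed with its real name even though its beacons carry an empty SSID, and the other two flagged for a factory SSID, no encryption and WEP respectively. On a real sensor the frames would come from a card in monitor mode (via a pcap reader) and the inventory would be diffed against the registry of authorized APs, which is how rogues are spotted.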

    Unknown MAC addresses are detected by maintaining a registry of MAC addresses of known stations and APs. A WIDS can frequently detect a spoofed but "known" MAC address from the 12-bit sequence number in the 802.11 header: a legitimate card's firmware increments it by one for every frame it transmits, and an attacker who cannot control the firmware of the wireless card cannot continue the victim's counter, so frames from the two radios interleave with jumps and regressions in the sequence. Retransmitted frames and fragments legitimately repeat a number, so a detector must allow for those.
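    The sequence-number check described above, as an added example (not code from the post): the detector keeps the last sequence number seen per transmitter, tolerates the wrap at 4096 and the repeats caused by retransmissions and fragments, and flags backward steps, large jumps and unknown MACs. The frames, MAC addresses, registry and the gap threshold are constructed assumptions.

```python
"""Added example (not from the post): sequence-number gap analysis for MAC spoofing.
Every 802.11 transmitter keeps a 12-bit sequence counter in its firmware; an attacker
cloning a known MAC runs a second counter, so the two streams interleave with jumps."""
import struct

SEQ_MODULUS = 4096
MAX_FORWARD_GAP = 64     # assumption: a few lost frames are normal, hundreds are not
FC_FLAG_RETRY = 0x08     # frame-control flags byte, bit 3: retransmission


def seq_delta(prev, cur):
    """Signed distance between two sequence numbers, wrap-aware, in [-2048, 2048)."""
    return (cur - prev + 2048) % SEQ_MODULUS - 2048


def transmitter_seq(frame):
    """(source MAC, sequence number, fragment number, retry flag) from a MAC header."""
    if len(frame) < 24:
        return None
    src = ":".join(f"{b:02x}" for b in frame[10:16])       # addr2 = transmitter
    seq_ctrl = struct.unpack_from("<H", frame, 22)[0]
    return src, seq_ctrl >> 4, seq_ctrl & 0x0F, bool(frame[1] & FC_FLAG_RETRY)


def detect_spoofing(frames, known_macs):
    """Return (frame index, MAC, seq, reason) for every frame that breaks its MAC's counter."""
    last, alerts = {}, []
    for idx, frame in enumerate(frames):
        parsed = transmitter_seq(frame)
        if parsed is None:
            continue
        src, seq, frag, retry = parsed
        if src not in known_macs:
            alerts.append((idx, src, seq, "unknown-mac"))
            continue
        if src in last:
            d = seq_delta(last[src], seq)
            if d == 0 and (retry or frag):
                reason = None                    # retransmission / later fragment reuses seq
            elif d == 0:
                reason = "seq-duplicate"
            elif d < 0:
                reason = "seq-backward"
            elif d > MAX_FORWARD_GAP:
                reason = "seq-jump"
            else:
                reason = None
            if reason:
                alerts.append((idx, src, seq, reason))
        last[src] = seq
    return alerts


def build_data_frame(src, bssid, seq, retry=False):
    """Constructed station->AP data frame (ToDS=1); test data, not a capture."""
    flags = 0x01 | (FC_FLAG_RETRY if retry else 0)
    return struct.pack("<BBH6s6s6sH", 0x08, flags, 0, bssid, src, bssid, (seq % SEQ_MODULUS) << 4)


VICTIM, ROGUE, AP = (bytes.fromhex(h) for h in ("001122334455", "66778899aabb", "aabbccddeeff"))
KNOWN_MACS = {"00:11:22:33:44:55"}
# The legitimate station wraps 4095 -> 0 and retransmits seq 2; then a second radio using
# the victim's MAC injects frames with its own counter (700, 701) between the real ones.
SAMPLE_FRAMES = (
    [build_data_frame(VICTIM, AP, s) for s in (4094, 4095, 0, 1, 2)]
    + [build_data_frame(VICTIM, AP, 2, retry=True)]
    + [build_data_frame(ROGUE, AP, 17)]
    + [build_data_frame(VICTIM, AP, s) for s in (700, 3, 701, 4)]
)

if __name__ == "__main__":
    for alert in detect_spoofing(SAMPLE_FRAMES, KNOWN_MACS):
        print(alert)
</```

    Once the clone starts transmitting, every frame from either radio is flagged, because each one regresses or jumps relative to the other's counter; that alternating pattern is the signature to alert on, and a single jump (a station that went out of range and came back) should be tolerated by raising the threshold or requiring several anomalies in a window. The check is only evidence, not proof: attackers with firmware control can track the victim's counter, which is why it complements rather than replaces the registry of known MACs.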

    Wireless Auditing

    Periodically, every wireless network should be audited. Several audit firms provide this service for a fee. A security audit begins with a well-established security policy. A policy for wireless networks should include a description of the geographical volume of coverage, the list of authorized APs and the required encryption and authentication settings. The main goal of an audit is to verify that there are no violations of the policy: no rogue APs, no coverage beyond the defined volume, no segments running with defaults or without encryption. To this end, the typical auditor employs the tools and techniques of an attacker.

    Newer Standards and Protocols

    Many improvements in wireless network technology are proposed through proprietary channels (e.g., Cisco's Lightweight Extensible Authentication Protocol, LEAP, which has itself since been shown to be vulnerable to offline dictionary attacks on its MS-CHAP exchange) as well as through the IEEE. The new IEEE 802.11i (ratified in June 2004) enhances the 802.11 standard with improvements in security. These include IEEE 802.1X port-based access control for authentication, the Temporal Key Integrity Protocol (TKIP) for dynamically changing the encryption keys on existing RC4 hardware, and AES-based CCMP encryption; an earlier draft proposal, the Wireless Robust Authenticated Protocol (WRAP), was dropped from the final standard. Wi-Fi Protected Access (WPA), an interim solution proposed by vendors that implements the TKIP subset of 802.11i, is only now becoming available in some products; the full standard ships under the name WPA2. Time will tell whether these can withstand future attacks.
