Wednesday, April 2, 2014

Containing the Airwaves


Many companies expose themselves to attack because they don’t attempt to control the radio signals leaking from their organization. In such cases, a cracker could sit in your parking lot or stand across the street and monitor your network.

Signal Strength
A first step in testing your network is to determine its bounds, that is, how far the signal reaches. You can use sophisticated tools like AiroPeek or a spectrum analyzer, but that would really be overkill. All you need is software that supplies link-quality information. Several freeware products run on Linux.

Using Linux Wireless Extension and Wireless Tools

  • iwconfig: Changes the basic wireless parameters.
  • iwpriv: Changes the Wireless Extensions specific to a driver (private).
  • iwlist: Lists addresses, frequencies, and bit rates.
  • iwspy: Gets per-node link quality.


Linux Wireless Extensions are powerful additions to your ethical hacking utility belt. Linux Wireless Extensions are available from http://pcmcia-cs.sourceforge.net/ftp/contrib. Look for the entry wireless_tools.27.tar.gz near the bottom of the available documents and programs. Wireless Extensions v.14 is bundled in the 2.4.20 kernel, and v.16 is in the 2.4.21 kernel.


iwlist and the others are great tools. They get their information from the standard kernel interface /proc/net/wireless. But these tools provide only a snapshot in time; they do not provide statistics over time. If you favor the Windows platform, you can use a great tool like NetStumbler.
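To get statistics over time instead of a single snapshot, you can sample /proc/net/wireless yourself at each stop of a site walk. The Python below is an added example, not part of the original post; the interface name wlan0, the location labels, the -75 dBm "usable" threshold and the embedded snapshots are constructed assumptions.

```python
import statistics

# Constructed snapshots in the /proc/net/wireless layout (not captured data).
HEADER = (
    "Inter-| sta-|   Quality        |   Discarded packets               | Missed | WE\n"
    " face | tus | link level noise |  nwid  crypt   frag  retry   misc | beacon | 22\n"
)
ROW = " wlan0: 0000   {link}.  {level}.  -256        0      0      0      0      0        0\n"
SAMPLES = [  # (where the reading was taken, file contents at that moment)
    ("lobby", HEADER + ROW.format(link=62, level=-48)),
    ("lobby", HEADER + ROW.format(link=60, level=-50)),
    ("parking_lot", HEADER + ROW.format(link=40, level=-70)),
    ("parking_lot", HEADER + ROW.format(link=36, level=-74)),
    ("parking_lot", HEADER + ROW.format(link=38, level=-72)),
    ("street", HEADER + ROW.format(link=22, level=-88)),
    ("street", HEADER + ROW.format(link=20, level=-90)),
]

def parse_wireless(text, iface="wlan0"):
    """Return (link, level, noise) for iface, or None if it is not listed."""
    for line in text.splitlines()[2:]:  # skip the two header lines
        name, sep, rest = line.partition(":")
        fields = rest.split()
        if not sep or name.strip() != iface or len(fields) < 4:
            continue
        # fields[0] is the status word; a trailing "." only marks "updated"
        link, level, noise = (float(f.rstrip(".")) for f in fields[1:4])
        return link, level, noise
    return None

def summarize(samples, iface="wlan0"):
    """Collect signal level (dBm) per location over all snapshots."""
    levels = {}
    for where, text in samples:
        reading = parse_wireless(text, iface)
        if reading is not None:
            levels.setdefault(where, []).append(reading[1])
    return {w: {"n": len(v), "min": min(v), "mean": statistics.mean(v),
                "max": max(v)} for w, v in levels.items()}

def leaking(summary, outside, usable_dbm=-75.0):
    """Outside locations where the strongest reading is still usable."""
    return sorted(w for w in outside
                  if w in summary and summary[w]["max"] >= usable_dbm)

if __name__ == "__main__":
    report = summarize(SAMPLES)
    print(report, leaking(report, ["parking_lot", "street"]))
```

On a live system, build SAMPLES by reading open("/proc/net/wireless").read() about once per second at each location instead of using the embedded text.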


Network Physical Security Countermeasures

Radio waves travel. This means that crackers don’t need to physically attach to your network. Most likely you have locks on your doors. You might even have an alarm system to protect your physical perimeter. Unfortunately, the radio waves don’t respect your perimeter security measures. Consequently, you need to walk your perimeter whether you’re an individual wanting to protect your access point or a large organization wanting to protect its wired network. While walking the perimeter, monitor the quality of the signal using the tools already discussed. When you find the signal in places where you don’t want it, turn down the power or move the access point to reshape the cell.


Other than checking for leakage, you can monitor access points for unauthorized clients.

Checking for unauthorized users

Most access points allow you to view either the DHCP clients or the cache of MAC addresses. This is a good feature for a small network. 

You can review the cache from time to time to make sure that only your clients are using the access point. If you have only five clients, but you see six MAC addresses, then it just doesn’t add up. After you figure out the one that doesn’t belong, you can use MAC filtering to block that client.

For a large network, this feature is not very useful. Keeping track of all the MAC addresses in your organization is too difficult. As well, someone running a packet analyzer or sniffer could grab packets and get legitimate MAC addresses. A hacker could then use a MAC address changer like SMAC (www.klcconsulting.net/smac), which allows him to set the hardware or MAC address for any interface, say your wireless adapter or Ethernet network interface card (NIC). Figure 6-1 shows the SMAC interface. All you do is put in the hardware address you want and restart the system (or simply disable and re-enable your NIC). Your interface will have the new hardware address.
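The cache review described above can be automated, with one extra check for a hardware address that shows up under more than one IP address or hostname, which is one symptom of a copied MAC. The Python below is an added example, not from the original post; the table layout (MAC, IP address, hostname per line) and every address and hostname in it are constructed.

```python
import re

# Constructed data: five inventoried clients, written the way different
# vendors print addresses (00:00:5e:00:53:xx is a documentation range).
INVENTORY = ["00:00:5E:00:53:01", "00-00-5e-00-53-02", "0000.5e00.5303",
             "00005E005304", "00:00:5e:00:53:05"]

# Constructed access point client table: MAC, IP address, hostname.
AP_TABLE = """
00:00:5e:00:53:01 192.168.1.10 frontdesk
00:00:5e:00:53:02 192.168.1.11 laptop-anna
00:00:5e:00:53:03 192.168.1.12 printer
00:00:5e:00:53:04 192.168.1.13 laptop-raj
00:00:5e:00:53:05 192.168.1.14 tablet
00:00:5e:00:53:99 192.168.1.15 unknown-host
00:00:5e:00:53:02 192.168.1.16 android-7f
"""


def norm_mac(raw):
    """Canonicalize any common MAC notation to lowercase colon form."""
    digits = re.sub(r"[-:.]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit(inventory, ap_table):
    """Return (unknown MACs, MACs seen with more than one IP/hostname)."""
    known = {norm_mac(m) for m in inventory}
    seen = {}
    for line in ap_table.strip().splitlines():
        mac, ip, host = line.split()
        seen.setdefault(norm_mac(mac), set()).add((ip, host))
    unknown = sorted(m for m in seen if m not in known)
    reused = sorted(m for m, ids in seen.items() if len(ids) > 1)
    return unknown, reused


if __name__ == "__main__":
    unknown, reused = audit(INVENTORY, AP_TABLE)
    print("not in inventory:", unknown)
    print("same MAC, several identities:", reused)
```

A clean report only shows that the table matches the inventory; as the paragraph above notes, an address on the list can still belong to someone else's adapter.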


An organization can do any number of things to limit its exposure from the escaping radio waves. The controls are not really technical but rather commonsense. For example, you can change your antenna type.



Antenna type

When placing your access point, you must understand the radiation pattern of the antenna type you choose. The type of antenna you choose directly affects your network’s performance, as well as its security.


Before you purchase your antenna, try to obtain a sample radiation pattern. Most antenna vendors supply the specifications for their equipment. You can see a representative radiation pattern and specification for a SuperPass 8 dBi 2.4 GHz antenna at www.superpass.com/SPDG16O.html. You can use the specification to determine how far a signal may travel from a particular antenna before becoming unusable; it’s just a matter of mathematics.
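The mathematics in question is a link budget built on free-space path loss. The Python below is an added example, not from the original post or the antenna vendor; only the 8 dBi gain and the 2.4 GHz band come from the text, while the transmit power, client antenna gain, receiver sensitivity, channel frequency, wall loss and perimeter distance are assumed values.

```python
import math

C = 299_792_458.0  # speed of light, m/s


def fspl_db(distance_m, freq_hz):
    """Free-space path loss in dB between isotropic antennas."""
    return 20 * math.log10(4 * math.pi * distance_m * freq_hz / C)


def received_dbm(tx_dbm, tx_gain_dbi, rx_gain_dbi, distance_m, freq_hz,
                 extra_loss_db=0.0):
    """Signal level at the receiver; extra_loss_db models walls, cables."""
    return (tx_dbm + tx_gain_dbi + rx_gain_dbi
            - fspl_db(distance_m, freq_hz) - extra_loss_db)


def max_range_m(tx_dbm, tx_gain_dbi, rx_gain_dbi, sensitivity_dbm, freq_hz,
                extra_loss_db=0.0):
    """Distance at which the received level drops to the sensitivity."""
    budget_db = (tx_dbm + tx_gain_dbi + rx_gain_dbi
                 - sensitivity_dbm - extra_loss_db)
    return C / (4 * math.pi * freq_hz) * 10 ** (budget_db / 20)


def max_tx_dbm(perimeter_m, tx_gain_dbi, rx_gain_dbi, sensitivity_dbm,
               freq_hz, extra_loss_db=0.0):
    """Highest transmit power that is unusable at the perimeter."""
    return (sensitivity_dbm + fspl_db(perimeter_m, freq_hz) + extra_loss_db
            - tx_gain_dbi - rx_gain_dbi)


# Assumed scenario: 15 dBm access point, the 8 dBi antenna from the text,
# 2 dBi client antenna, -85 dBm client sensitivity, channel 6 (2437 MHz).
AP = dict(tx_gain_dbi=8.0, rx_gain_dbi=2.0, sensitivity_dbm=-85.0,
          freq_hz=2.437e9)

if __name__ == "__main__":
    print("free-space range: %.0f m" % max_range_m(15.0, **AP))
    print("with 20 dB of walls: %.0f m" % max_range_m(15.0, extra_loss_db=20.0, **AP))
    print("max TX power for a 50 m perimeter: %.1f dBm" % max_tx_dbm(50.0, **AP))
```

Free space is the worst case for leakage, so the first figure is an upper bound; walls and a lower antenna gain in the direction of the street (a smaller tx_gain_dbi) bring it down.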


By understanding the radiation pattern of the antenna you choose, you can do RF signal shaping to “directionalize” the RF signals emitted from your access point. You could switch from an omnidirectional antenna to a semidirectional antenna to control the radiation pattern. Remember, not controlling your signal is equivalent to pulling your UTP cable to the parking lot and letting anyone use it.

Four basic types of antennas are commonly used in 802.11 wireless networks:


  • Parabolic grid
  • Yagi
  • Dipole
  • Omnidirectional

Each antenna has a unique radiation pattern determined by its construction.

Parabolic grid

  • Parabolic grid antennae are primarily used for site-to-site applications. 
  • A parabolic grid antenna may look like a satellite TV dish or like a wire grid without a solid central core. 
  • The parabolic antenna is a unidirectional antenna, meaning that it transmits in one specific direction — the direction that you point the antenna.

Yagi

  • A yagi antenna focuses the beam, but not as much as the parabolic antenna.
  • It’s suitable for site-to-site applications in which the distance does not require a parabolic grid. Like the parabolic antenna, a yagi antenna is unidirectional.

Dipole

  • A dipole is a bidirectional antenna, hence the use of the prefix di-.
  • You generally use a dipole antenna to support client connections rather than site-to-site applications.

Omnidirectional

An omnidirectional antenna is one that radiates in all directions, losing power as the distance increases.
