Wireless LAN Monitoring Reveals Risks and Risky Behavior

An activity-monitoring experiment in a confined, high-usage WLAN environment shows surprisingly few users take security precautions when accessing e-mail.

To analyze the effect of combining large numbers of wireless access points (APs) with many wireless users, all in a confined space, security provider AirDefense Inc. decided to monitor all wireless LAN (WLAN) activity at the recent 802.11 Planet Expo in Boston.

Of course, the effects of unsecured WLAN connections are well known. "Without a secure connection to an enterprise e-mail account, a wireless station exposes the e-mail account name and password to anyone passively sniffing the WLAN traffic," notes Richard Rushing, AirDefense’s vice president of technical services. Many corporate wireless LANs are still nascent, however, and do not yet support large numbers of users. So what happens in a confined, heavy-duty usage environment?

AirDefense set up its server appliance, plus some distributed sensors, to study how the 523 user stations at the conference connected to the 141 WLAN access points. Based on its research over two days, AirDefense identified four key issues: rogue WLANs, wireless attacks, security vulnerabilities and performance degradation.

It was no surprise that the most popular wireless activities at the conference were connecting to corporate e-mail accounts, instant messaging, and surfing the Web. However, roughly 95 percent of access points spent “excessive to massively excessive” bandwidth just contending for wireless access rights, a sub-optimal use of resources. The same APs could also have been placed to provide more even coverage: one AP had 339 user stations connecting to it, another just 12.

Security was lax, to say the least. While checking e-mail topped the list of activities, few attendees (3 percent the first day, 12 percent the second day) did so via a virtual private network (VPN)—or used any other encryption, for that matter.

The 74 user stations scattered throughout the conference for anyone to use were also a security threat, with SSIDs—which automatically connect stations to APs at full speed—still set at their well-known default settings.

There was also a variety of suspicious and malicious activity at the conference, including 149 network scans from tools such as Netstumbler, Wellenreiter, and commercial scanners; 105 denial-of-service attacks; 84 identity thefts, in which user stations successfully spoofed the MAC addresses of other stations or access points; and eight instances of malicious stations searching for known exploits in access points. AirDefense also discovered five previously undocumented attacks.
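The three security findings above (unprotected e-mail sessions, APs left on default SSIDs, and stations spoofing MAC addresses) can each be checked from passive monitor data. The following is an added example, not AirDefense's product code; it assumes a hypothetical per-session record format and a constructed list of default SSIDs, and flags a MAC address as possibly spoofed when its 802.11 sequence numbers run backwards, which a single radio's counter would not do.

```python
from collections import defaultdict

# Constructed sample monitor records (hypothetical format): station MAC,
# AP BSSID, SSID, application, whether the session ran inside a VPN/TLS
# tunnel, and the 802.11 sequence number, in order of observation.
SAMPLE_RECORDS = [
    {"sta": "00:0c:41:aa:00:01", "bssid": "00:0c:41:ff:00:01", "ssid": "ExpoNet", "app": "pop3", "encrypted": False, "seq": 101},
    {"sta": "00:0c:41:aa:00:01", "bssid": "00:0c:41:ff:00:01", "ssid": "ExpoNet", "app": "http", "encrypted": False, "seq": 102},
    {"sta": "00:0c:41:aa:00:02", "bssid": "00:0c:41:ff:00:02", "ssid": "linksys", "app": "imap", "encrypted": True, "seq": 2000},
    {"sta": "00:0c:41:aa:00:02", "bssid": "00:0c:41:ff:00:02", "ssid": "linksys", "app": "imap", "encrypted": False, "seq": 2001},
    {"sta": "00:0c:41:aa:00:02", "bssid": "00:0c:41:ff:00:01", "ssid": "ExpoNet", "app": "pop3", "encrypted": False, "seq": 55},
    {"sta": "00:0c:41:aa:00:03", "bssid": "00:0c:41:ff:00:03", "ssid": "default", "app": "http", "encrypted": False, "seq": 7},
]

# Constructed list of well-known factory SSIDs (assumption, not from the article).
DEFAULT_SSIDS = {"linksys", "default", "tsunami", "wireless"}
MAIL_APPS = {"pop3", "imap", "smtp"}


def analyze(records):
    """Summarise the three risk indicators from a list of monitor records."""
    mail_total = mail_protected = 0
    default_ssid_aps = set()
    seqs = defaultdict(list)  # station MAC -> sequence numbers in observed order
    for r in records:
        if r["app"] in MAIL_APPS:
            mail_total += 1
            mail_protected += 1 if r["encrypted"] else 0
        if r["ssid"].lower() in DEFAULT_SSIDS:
            default_ssid_aps.add(r["bssid"])
        seqs[r["sta"]].append(r["seq"])
    # One radio increments its sequence counter monotonically; a backwards jump
    # for the same MAC suggests a second radio is using that address.
    suspect = {mac for mac, s in seqs.items() if any(b < a for a, b in zip(s, s[1:]))}
    pct = round(100.0 * mail_protected / mail_total, 1) if mail_total else 0.0
    return {
        "mail_sessions": mail_total,
        "pct_mail_protected": pct,
        "default_ssid_aps": sorted(default_ssid_aps),
        "suspected_spoofed_macs": sorted(suspect),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

On real captures the sequence-number check needs a short time window and tolerance for the 12-bit counter wrapping at 4096, which the constructed sample does not exercise.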

What does this mean for companies that have deployed WLANs or plan to? “With 24x7, real-time vigilance of all wireless LAN activity, enterprises are able to identify security vulnerabilities and network policy violations and can then take action to correct the problem,” says Jay Chaudhry, chairman and CEO of AirDefense.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a freelance security and technology writer.