Re: Wireless Pen-test

From: Maarten Van Horenbeeck (maarten@daemon.be)
Date: Sat Dec 20 2003 - 12:58:34 EST


Hi,

Even though the list has now been closed, and this message will only go
through in the beginning of January, I still wanted to respond to this
post about wireless penetration testing/security assessments, as this is a
new, but interesting subject, which has not yet seen a lot of coverage on
this list.

In my humble opinion, wireless security testing should always commence by
charting of the coverage area of the wireless network. Most companies
introduce many security measures on the enforcement points between
wireless and wired networks, which is a good thing, but tend to forget
entirely about the much wider coverage area of their wireless network.
More important here, is that most companies do not realize that in the
specific case of wireless networks, distance equals time. Organisations
are now starting to realize that it is impossible to maintain a near
perfect security posture when growing beyond certain size barriers. In
such cases, the response time to a security incident is of primary
importance. Problem here, induced by the increased use of wireless
networks, is that if an external attacker is located far away from the
actual point of compromise, and is less traceable than e.g. through a
modem connection, it becomes much more difficult to successfully intervene
in such a compromise within the time allotted.

Keeping this in mind, I would make the first step of each wireless
security test a simple service area calculation exercise. An interesting
project which closely relates to this field can be found at
http://www.ittc.ku.edu/wlan. During most of these tests however, even
seasoned security professionals seem to forget that a coverage area is
highly linked to the network equipment in use. They will tend to
calculate signal strength using regular networking equipment. Alas, there
is a large quality and reception difference between different brands of
network cards and antennas. Instead of calculating signal strength, in
order to have a good view of the coverage/service area of a wireless
network, you need to calculate the field strength; which of course requires
different equipment, and, most important, a different approach. While
obviously less pleasant than driving around the building in your company
car with that nice looking antenna on the roof, the field strength is
actually measured close to the access point antennas, and then
extrapolated onto an area map using mathematical formulas. Using these
techniques, it becomes easy for you to assess which areas of the network
surroundings would be at risk for unauthorized traffic analysis.

Luckily, what you are trying to communicate to your customer here is
that he should introduce measures which prevent wireless emissions from
leaving his corporate site. Such measures are not directly related to
quality of remote network devices, as they are based on e.g. the
installation of outbound directed jammer devices, the use of equipment in
wall design which will prevent penetration by radio waves. An entire
procedure on how to conduct such testing is very well described in the
OSSTMM document which you mentioned.

Only after the above charting phase has been completed, there is a need to
further assess network vulnerabilities themselves. No doubt you will
notice that there are few "technical" procedures available. This is
very understandable, as the field is still fairly new, and most people
will still (correctly) consider security/penetration testing an art.
Security testers who do not develop their own methodology and technical
"knowledge base", will never be able to deliver the same quality of
service as those who do.

If you are looking for commercial software, which eases up the task of
performing a wireless network assessment, you may be interested in ISS's
Wireless Scanner, which automates much of the work required for a correct
and in-depth assessment. Personally, I usually tend to go for a
combination of tools, which include dstumbler and regular network mapping
tools such as nmap/hping.

Let me know if you need any further information.

Best regards,
Maarten

--
Maarten Van Horenbeeck
maarten@daemon.be
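The coverage extrapolation the post describes (measure close to the access point antenna, then extrapolate onto an area map) can be carried through with a log-distance path loss model. The script below is an added example and is not part of Maarten's message or of the OSSTMM; the choice of the log-distance model, the path loss exponent, the reference measurement, the receiver sensitivity and the antenna gain are all assumptions of this example, and the site layout and numbers are constructed. It also goes a little beyond the post in one respect: it shows how the attacker's receiver (card sensitivity plus antenna gain) moves the at-risk boundary outward, which is the point about reception differences between brands of cards and antennas.

```python
"""Added example: extrapolating a reference measurement taken near an access
point onto a site grid using a log-distance path loss model.  The model and
every number below are assumptions of this example, not from the original
post.  Distances are in metres, powers in dBm, gains and losses in dB."""
import math


def path_loss_db(d_m, d0_m, n):
    """Extra loss (dB) at distance d_m relative to the reference distance d0_m.

    n is the path loss exponent: about 2.0 in free space, roughly 2.7 to 4.0
    through walls and clutter.  Only defined for d_m >= d0_m.
    """
    return 10.0 * n * math.log10(d_m / d0_m)


def rssi_at(d_m, p_ref_dbm, d0_m, n):
    """Predicted received power (dBm) at d_m, given p_ref_dbm measured at d0_m."""
    return p_ref_dbm - path_loss_db(d_m, d0_m, n)


def reach_m(p_ref_dbm, d0_m, n, sensitivity_dbm, antenna_gain_db=0.0):
    """Distance (m) at which predicted power drops to a receiver's sensitivity.

    antenna_gain_db models the attacker's antenna: more gain pushes the reach
    outward without any change on the access point side.  Solved from
    p_ref - 10 n log10(d/d0) + gain = sensitivity.
    """
    margin_db = p_ref_dbm + antenna_gain_db - sensitivity_dbm
    return d0_m * 10.0 ** (margin_db / (10.0 * n))


def at_risk_cells(aps, grid_w, grid_h, cell_m, d0_m, n, sensitivity_dbm,
                  antenna_gain_db=0.0):
    """Grid cells (gx, gy) whose centre is predicted to be inside some AP's reach.

    aps is a list of (x_m, y_m, p_ref_dbm), with p_ref_dbm measured at d0_m from
    that AP.  Distances below d0_m are clamped to d0_m because the model is only
    defined beyond the reference distance.
    """
    cells = set()
    for gy in range(grid_h):
        for gx in range(grid_w):
            cx, cy = (gx + 0.5) * cell_m, (gy + 0.5) * cell_m
            for ax, ay, p_ref in aps:
                d = max(math.hypot(cx - ax, cy - ay), d0_m)
                if rssi_at(d, p_ref, d0_m, n) + antenna_gain_db >= sensitivity_dbm:
                    cells.add((gx, gy))
                    break
    return cells


def render(cells, grid_w, grid_h):
    """ASCII map, row 0 at the top: '#' = at risk, '.' = below threshold."""
    return "\n".join(
        "".join("#" if (gx, gy) in cells else "." for gx in range(grid_w))
        for gy in range(grid_h))


if __name__ == "__main__":
    # Constructed input: one AP 50 m in from the corner of a 400 m x 400 m site,
    # -20 dBm measured 1 m from its antenna, exponent 3.0 for an obstructed path.
    AP = [(50.0, 50.0, -20.0)]
    D0, N = 1.0, 3.0
    CARD = -85.0   # assumed sensitivity of the attacker's card (constructed)
    print("reach, stock card:      %.1f m" % reach_m(-20.0, D0, N, CARD))
    print("reach, +9 dBi antenna:  %.1f m" % reach_m(-20.0, D0, N, CARD, 9.0))
    print(render(at_risk_cells(AP, 4, 4, 100.0, D0, N, CARD), 4, 4))
    print()
    print(render(at_risk_cells(AP, 4, 4, 100.0, D0, N, CARD, 9.0), 4, 4))
```

With the constructed numbers the stock card reaches about 147 m and marks the four cells nearest the AP; adding 9 dB of antenna gain stretches the reach to about 293 m and nine cells. In practice the exponent n should be fitted from a few measurements at known distances on the actual site rather than taken from a table, and the threshold should be set from the best receiver an attacker could plausibly bring, not from the cards the customer happens to use.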


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:44 EDT