Auditing Wireless Network

Security
Wireless Security Research Project

Joshua D Walderbach
4/3/2011

WiFi (Wireless Fidelity) is becoming an extremely popular medium choice for SMB
(Small to Medium Business) networks due to the low cost and ease of installation.
While WLAN provides greater mobility and flexibility, it also poses several security risks
that are not faced in a wired network (Lim, 2003). Wireless security is a complex field.
Even small flaws in implementation can have significant ramifications for the resulting
security of the WLAN (Wireless Local Area Network) solution. Well-trained professionals
can help mitigate this risk (Frankel, 2007). Security professions can audit WiFi
implementations to ensure that ease of use is not at the expense of security. These
security professionals have many tools at their disposal including "Free" Open source
and commercial products. The intention of this paper is to show how open source tools
can be used to properly audit WiFi network implementations.
AuditingWirelessNetworkSecurity Walderbach,Joshua

Outline
Introduction..............................................................................................................................................3
Best Practices.........................................................................................................................................3
Access Control....................................................................................................................................4
Administration.....................................................................................................................................4
Audit Trails and Logging...................................................................................................................5
Availability............................................................................................................................................5
Client security.....................................................................................................................................6
Confidentiality and Integrity..............................................................................................................6
Key Management...............................................................................................................................6
Physical Security................................................................................................................................7
Policies & Procedures.......................................................................................................................8
User Authentication............................................................................................................................9
User Awareness.................................................................................................................................9
Auditing Guide........................................................................................................................................9
Phase I Planning/Info Gathering.................................................................................................10
Phase II Radio Survey.................................................................................................................10
Phase III Physical Survey............................................................................................................10
Phase IV Scanning, Enumerating, Exploiting...........................................................................11
Phase V Security Recommendations........................................................................................11
Tools.......................................................................................................................................................11
Conclusion.............................................................................................................................................12
Acronyms...............................................................................................................................................13
Definitions..............................................................................................................................................14
References............................................................................................................................................16

Page2of16

AuditingWirelessNetworkSecurity Walderbach,Joshua

Introduction
It is essential to ensure that the deployment of WLAN will not compromise the
confidentiality, integrity and availability of information and operations (Lim, 2003). A
WiFi security audit aims to identify issues and establish a baseline for existing 802.11
networks. A WiFi security audit is performed in five distinct phases, which are the basis
of this paper. The first phase is Planning/Info Gathering is where details of the
implementation and business are gathered and reviewed. The next phase is Radio
Survey where a site-survey for radio occurs at the business. Open source tools are
used in this phase to identify RF signal details. The next phase is Physical Survey
where a site-survey of the physical aspects of the wireless configuration occurs at the
business. A physical site-survey is performed manually to identify vulnerabilities in the
physical locations of APs (Access Points) and antennas. The next phase is Scanning,
Enumerating, and Exploiting. In this phase open source tools are used to identify
potential security vulnerabilities and possibly exploit these vulnerabilities if applicable.
The last phase, Security Recommendations, is where identified vulnerabilities are
documented along with remediation recommendations and presented to the business.
However, before an audit can be conducted, the security professional must get an
understanding of the potential threats to the wireless implementation.
Wireless networks are vulnerable to many of the same threats as conventional
wired networks like data tampering, eavesdropping, and masquerading. However
attackers can penetrate wireless network security to gain direct access to local network
resources without physical access to the network. Wireless networks are difficult to
secure because they do not have a defined perimeter and radio signals can extend
beyond the intended perimeter thus leaking through the physical boundaries of a
business. Unlike wired networks, unauthorized monitoring and denial of service attacks
can be performed without a physical wire connection (FFIEC, 2006). Once they have
accessed systems, intruders can launch denial of service attacks, steal identities,
violate the privacy of legitimate users, insert viruses or malicious code, and disable
operations (Radack, 2007).
The business risks of poorly implemented wireless systems include:
Compromise of customer information and transactions over the wireless network
(Zamorski, 2002)
Loss of customer confidence (Zamorski, 2002)
Financial loss due to the execution of unauthorized transactions (Zamorski,
2002)
Negative public opinion due to inadequate management of the strategic,
operational, and compliance risks outlined above (Dollar, 2003)

Business can avoid these types of risks by following best practices during their
implementation.

Best Practices
WLAN security should be incorporated throughout the entire life cycle of WLAN
solutions involving everything from policy to operations (Frankel, 2007). The following
best practices are what security profession should be looking for during their audit of
wireless implementations.

Page3of16

AuditingWirelessNetworkSecurity Walderbach,Joshua

Access Control
The access point should be configured to allow only authorized wireless stations
to associate with the WLAN. Only authorized wireless stations, which have the
same network name or Extended Service Set ID (ESSID), authorized Media
Access Control (MAC) address and WEP Shared Key, should be allowed to
access the WLAN (Lim, 2003).
The access point should be configured to drop any unencrypted network traffic
(Lim, 2003).
Wireless networks should be treated as untrusted networks, allowing access
through protective devices similar to those used to shield the internal network
from the Internet environment (FFIEC, 2006).
Access control mechanisms such as firewalls should be implemented to
segregate the WLAN from the internal wired network. The WLAN should be
deployed in a different network segment, which is separate from the internal
wired network (Lim, 2003).
Create a dedicated Virtual LAN (VLAN) to support AP connections to the
distribution system (e.g., enterprise wired network). Dedicated VLANs to support
wireless connections to the enterprise network segregates wireless traffic from
other network communications. Dedicated VLANs facilitate the use of network
access control lists, which identify the protocols and services that are allowed to
pass from WLANs to the DS (Frankel, 2007).
Terminate associations after a configurable time period. A session termination
feature in the AP would cause STAs (Stations) to re-authenticate if network
access is still needed after a fixed period of idleness or connectivity (Frankel,
2007).
The LAN segments that connect to wireless APs should connect to a corporate
Virtual Private Network (VPN) gateway, but not directly to the production
network. Eliminating APs from the production network minimizes the risk of
attack techniques such as packet sniffing (Symantec, 2002).
Administration
Administrators can use authorization tables to selectively enable LAN
connections only to devices with approved NIC (Network Interface Card)
addresses. Each NIC has a unique address that can be added to a table of
authorized users; most vendors APs support Media Access Control (MAC)
restrictions through the use of authorization tables. As a result, instead of editing
each AP individually, APs can be pointed to a centrally managed database
(Symantec, 2002).
The default settings of most commercially available network equipment are public
knowledge and should be changed prior to putting devices into service. This
includes default values for the administrative login id and password (Fisher,
2011). The default SSID (Service Set Identifier) of each access point should be
changed. This is to prevent any wireless clients from connecting to the access
point. If possible, SSID should not be broadcasted (Lim, 2003). The default
SNMP (Simple Network Management Protocol) community string should be

Page4of16

AuditingWirelessNetworkSecurity Walderbach,Joshua

changed if the access point has SNMP agent running on it. This is to prevent an
attacker from reading or writing to the access point (Lim, 2003).
The built-in COM ports of the access point should be disabled or password
protected to prevent any unauthorized access to the access points (Lim, 2003).
Disable all insecure and unused management protocols on the APs, and
configure remaining management protocols for least privilege. This eliminates
potential methods that an adversary can use when attempting to compromise an
AP (Frankel, 2007). Older versions of SNMP are considered insecure. Another
protocol that lacks security is HTTP (Hypertext Transfer Text Protocol) which is
commonly used to access the WAPs Administrative Console. This, too, should
be disabled on your WAPs in favor of HTTPS (HTTP Secure) if it is available
(Fisher, 2011).
Procure APs and Ass (Authentication Server) that support Network Time Protocol
(NTP). NTP allows distributed devices to synchronize timestamps, which is
critical to effective log analysis because it allows audit personnel to establish
accurate event sequences across multiple devices (Frankel, 2007).
Administration of access points should be done via the wired network or locally
via the access points built-in COM ports (Lim, 2003). Use authentication and
data encryption for administrative sessions (Frankel, 2007).
Test and deploy software patches and upgrades on a regular basis (Frankel,
2007).
Periodic scanning on the WLAN should be conducted to detect the presence of
rogue access points, unauthorized ports/services or any security vulnerabilities in
the network (Lim, 2003).
Audit Trails and Logging
Deploy wireless intrusion detection systems to detect suspicious or unauthorized
activity. Intrusion detection systems deployed on the wireless network can detect
and respond to potential malicious activities, including unauthorized WLAN
vulnerability scanning and the installation of rogue APs (Frankel, 2007).
Any exceptions or abnormal network activities should be logged and alerts sent
to the administrators, as per the organizations security incident response plan
(Lim, 2003).
Both APs and ASs should send event data to a secure audit server in real time
so that the integrity of previously captured audit data is protected even when the
AP or AS is compromised (Frankel, 2007).
Procure an auditing tool to automate the review of AP and AS audit data.
(Frankel, 2007).
Availability
The WLAN is vulnerable to denial of service attacks; it should not be used as the
only means to access the organizations network and systems (Lim, 2003).

Page5of16

AuditingWirelessNetworkSecurity Walderbach,Joshua

Client security
Access control and intrusion detection mechanisms should be installed on the
wireless station where possible to prevent and detect any unauthorized access to
the wireless station over the WLAN (Lim, 2003) .
Personal firewalls can protect individual devices from attacks launched via the
air connection or from the Internet. IT administrators should disable all unused
features of new client devices (e.g., shared drive access) and reconfigure default
settings according to the organizations particular needs (Symantec, 2002).
Disable Automatic Connect on Clients can reduce the risk potential for
transparently establishing a connection with a hostile WAP and also eavesdrops
on your network communications (Fisher, 2011) .
Software programs that can be used to configure the wireless station as an
access point should be removed to minimize set-up of rogue access points (Lim,
2003) .
The users should not be allowed to install or run any network sniffer on their PCs
without first seeking appropriate approval (Lim, 2003).
The wireless station should not be configured for network file sharing without any
protection to prevent any unauthorized access to local files (Lim, 2003).
Confidentiality and Integrity
Information should not be transmitted unprotected over the WLAN. The
information should be encrypted prior to transmission over the WLAN so as to
protect its confidentiality and integrity (Lim, 2003).
Robust cryptography is essential to protect data transmitted over the radio
channel (Radack, 2007).
Disable WEP (Wired Equivalent Privacy) and TKIP (Temporal Key Integrity
Protocol) in the configuration of each AP. If WEP remains enabled, then STAs
might be able to negotiate WEP for authentication and encapsulation, which
would negate RSN protections (Frankel, 2007).
Adopt strong encryption methods that encompass end-to-end encryption of
information as it passes throughout the wireless network (Zamorski, 2002).
Use WPA2 (Wi-Fi Protected Access) certified STA and AP products only
(Frankel, 2007).
Establish an IPsec connection (or equivalent protection mechanism) between
each AP and its associated AS or ASs (Frankel, 2007).
Key Management
The symmetric encryption keys, (e.g. the WEP keys stored in the access points
and wireless stations), should be protected from unauthorized access (Lim,
2003).
Strong symmetric encryption, (e.g. using 128-bit key length), should be used to
protect the information that is transmitted over the WLAN (Lim, 2003).
The encryption keys should be changed periodically, (e.g. once every 90 days)
(Lim, 2003).

Page6of16

AuditingWirelessNetworkSecurity Walderbach,Joshua

The symmetric encryption keys should be protected during key distribution to the
users. The new keys should be sent to the users either in encrypted form or
through other secure means to prevent unauthorized access to the keys during
transit (Lim, 2003).
Wherever possible, the symmetric encryption keys should be loaded directly into
the access point without traversing any intermediary networks which could be
sniffed by unauthorized personnel. If direct key loading is not possible, the
symmetric encryption keys should be securely loaded into the access point via
the wired network without going through the WLAN (Lim, 2003).
AES (Advanced Encryption Standard) key wrap with 128-bit HMAC-SHA-1 to
protect transient keys during the 4-Way and Group Key Handshakes. AES
provides assurance of key confidentiality, while HMAC-SHA-1 provides
assurance of key integrity (Frankel, 2007)
The access to WLAN key distribution program should be controlled and limited to
the administrators only (Lim, 2003).
Configure a maximum GMK (Group Master Key) lifetime on the AP, preferably
not to exceed 24 hours (Frankel, 2007).
Configure a maximum PMK (Pairwise Master Key) lifetime on the AS, preferably
not to exceed eight hours (Frankel, 2007).
If an organization uses PSKs (Pre-shared Key) to establish RSN associations,
replace them frequently, preferably at least every 30 days (Frankel, 2007).
If PSKs are used to establish RSN associations, ensure that no key is shared
across multiple STAs (Frankel, 2007).
Physical Security
Physical controls should be implemented to protect wireless systems and
information (Radack, 2007).
Failure to control physical access to WAPs might allow an unauthorized
individual to reset a device, login with administrative access and reconfigure the
device to their liking (Fisher, 2011).
When placing wireless APs for strategic coverage, consider signal bleed into
uncontrolled areas where transmissions can be intercepted (Symantec, 2002).
Proper placement of each WAP will facilitate performance and facilitate coverage
tuning. Generally, WAPs should be located in relatively close proximity to the
center of its desired coverage area at an elevated position (Fisher, 2011). In
addition, APs should be located in areas that can be physically secured to
prevent unauthorized tampering (Frankel, 2007).
The access points should be physically located away from external sources of
electromagnetic interference (Lim, 2003).
The access point should be kept in a weatherproof container if they are located in
the open area (Lim, 2003).
The wireless station and its WLAN adaptor card should not be physically
exposed to prevent theft and unauthorized access to the WLAN (Lim, 2003).

Page7of16

AuditingWirelessNetworkSecurity Walderbach,Joshua

Policies & Procedures

The cornerstone of an effective wireless LAN strategy involves defining,
standardizing, documenting, disseminating, and enforcing wireless LAN security
policies and practices. These include specifying the make, model, configuration,
and settings of the wireless LAN equipment authorized for use, as well as
documenting and managing the APs and connected network infrastructure.
Employee education increases awareness of security risks (Symantec, 2002).
Perform a risk assessment to understand WLAN threats, the likelihood that those
threats will be realized, and the potential impact of realized threats on the value
of the organizations assets (Frankel, 2007).
Adopt proven security policies and procedures to address the security
weaknesses of the wireless environment (Zamorski, 2002).
The information system security policy should directly address the use of 802.11,
Bluetooth, and other wireless technologies (Radack, 2007).
Establish a WLAN usage policy that specifies which user communities are
authorized to use WLAN technology and for what purposes (Frankel, 2007)
Establish or enhance operating system and application security configuration
standards for laptops and other potential STAs to account for WLAN risks
(Frankel, 2007). The configuration standard should require personal firewall and
anti-virus software for all STA platforms for which such security products are
commercially available (Frankel, 2007). Remote connectivity to the devices (e.g.,
file sharing, open network ports) should be limited where feasible (Frankel,
2007). Label and keep inventories of the fielded wireless and handheld devices
(Radack, 2007).
Establish or enhance operating system and application security configuration
standards for the AS (Frankel, 2007) The ASs should be among the most secure
servers in the enterprise because a breach of an AS could allow an adversary to
access the network without a physical connection, perhaps even beyond the
organizations physical perimeter and Inventory APs (Frankel, 2007).
When disposing of a WLAN component, remove all sensitive configuration
information, including pre-shared keys and passwords (Frankel, 2007).
When disposing of a WLAN component, ensure that its audit records are retained
as needed to meet legal or other requirements (Frankel, 2007).
Develop wireless security audit processes and procedures that identify the types
of security relevant events that should be captured, and determine how audit
records will be securely stored for subsequent analysis (Frankel, 2007).
Perform ongoing, randomly timed security audits to monitor and track wireless
and handheld devices (Radack, 2007).
Perform independent security testing of wireless network and application
implementations (Zamorski, 2002).
Configure/change control and management practices should ensure that all
equipment has the latest software release, including security feature
enhancements and patches for discovered vulnerabilities (Radack, 2007).
Designate an individual or group to track WLAN product vulnerabilities and
wireless security trends (Frankel, 2007). Standardized configurations should be

Page8of16

AuditingWirelessNetworkSecurity Walderbach,Joshua

employed to reflect the security policy, and to ensure change of default values
and consistency of operations (Radack, 2007).
User Authentication
Use strong authentication and configuration controls at the access point and on
all clients (FFIEC, 2006). Ensure that all passwords are changed regularly
(Frankel, 2007).
Adopt authentication protocols for customers using wireless applications that are
separate and distinct from those provided by the wireless network operator
(Zamorski, 2002).
In addition to authenticating clients to WAPs and WAPs to clients, users
attempting to access network resources should be authenticated using the
companys existing Authentication Services (Fisher, 2011).
Select an appropriate EAP (Extensible Authentication Protocol) method or EAP
method sequence for WLAN authentication, and design any necessary
integration with PKI technology (Frankel, 2007).
User Awareness
Educate users about the risks of WLAN technology and how to mitigate those
risks. Security awareness and training helps users to establish good security
practices to prevent inadvertent or malicious intrusions into an organizations
information systems (Frankel, 2007).
Where it is not required, the users should not be allowed to set up their wireless
stations in ad-hoc mode and communicate with each other without going through
the access point (Lim, 2003).
The user should power down the wireless station when it is not being used for a
long period of time (Lim, 2003).
The users wireless station should not have concurrent direct connection to any
untrusted network, (e.g. the Internet), when the wireless station is connected to
the internal wired network (Lim, 2003).
The user should be required to report the loss of his wireless station and WLAN
adaptor card immediately so that prompt action can be taken to prevent any
unauthorized access via the lost wireless equipment (Lim, 2003).
The WLAN adaptor card should be returned to the organization upon staff
resignation or termination to prevent the user from gaining unauthorized access
to the WLAN (Lim, 2003).

Now that a set of wireless security best practices have been defied the phases of the
security audit can be described.

Auditing Guide
A WiFi security audit is performed in five distinct phases Planning/Info Gathering,
Radio Survey, Physical Survey, Scanning/Enumerating/Exploiting, and Security
Recommendations. The details of these phases are as follows:

Page9of16

AuditingWirelessNetworkSecurity Walderbach,Joshua

Phase I Planning/Info Gathering

The Planning/Info Gathering phase is where the details of the implementation
and business are gathered and reviewed. The following information needs to be
gathered prior to an on-site visit:
Physical Details about the site
o Building Blueprints
o Building Structure
o Topographical Map
Policies and Procedures
o Information Security Policy
o Remote Access Policy
o Acceptable Use Policy
o Mobile Device Policy
o WLAN Administration Policies and Procedures
o WLAN Security Policies and Procedures
o User Education Awareness Training Policy and Procedures
o Network Topology Map
o Configuration/settings for the WLAN equipment
List of laptops/desktops and their base configurations
List of APs and their configuration
Phase II Radio Survey
The Radio Survey is where a site-survey for the radio occurs at the business.
Open source tools are used in this phase to identify RF signal details. The following
information needs to be collected during the onsite visit:
Evaluation of existing 802.11 networks
o Interference from neighboring WiFi networks
o Spectrum Competition from proprietary 2.4GHz transmissions like
cordless phones
Evaluation of AP locations
o RF coverage in and out of buildings
o AP power levels
Survey for existing rogue access points
Phase III Physical Survey
The Physical Survey phase is where a site-survey of the physical aspects of the
wireless configuration occurs at the business. A physical site-survey is performed
manually to identify vulnerabilities in the physical locations of APs and antennas. The
following information needs to be collected during the onsite visit:
Physical building security survey: access control, user identification (Lafargue,
2003)
Wireless Device Locations
o Physical AP enclosures
o Antenna locations
o Employee access
o Customer access

Page10of16

AuditingWirelessNetworkSecurity Walderbach,Joshua

Phase IV Scanning, Enumerating, Exploiting

In the Scanning, Enumerating, and Exploiting phase, open source tools are used to
identify potential security vulnerabilities and possible exploitation of these vulnerabilities.
The following information needs to be collected or tested during this phase:
Passive Scanning the WLAN using Packet Analyzers
o AP and client detection and identification: WEP, SSID, manufacturer,
configuration (Lafargue, 2003).
o Geographical tagging of APs
o Power level and signal strength mapping
o AP coverage mapping
o Packet logging for analysis
Enumeration of APs using vulnerability assessment tools
Exploitation of vulnerabilities
o Attacking 802.11 Networks using WEP (Cache, 2007)
o Attacking WPA-protected 802.11 Networks (Cache, 2007)
Phase V Security Recommendations
The Security Recommendations phase is where all documentation of potential
vulnerabilities along with remediation recommendations are presented to the business.
The following documentation should be presented to the business:
WiFi architecture recommendations
WiFi configuration recommendations
Radio configuration of all APs
Radio survey report
Map of location AP locations and site coverage map
Physical Security Report
Vulnerability Assessment and Remediation Recommendations

Tools
There are a lot of different software applications that can be used to audit wireless
network security. However the following software applications are in my preferred Linux
wireless security tool set:
AirCrack-ng (http://www.aircrack-ng.org): AirCrack-ng is an 802.11 WEP and
WPA-PSK keys cracking program that can recover keys once enough data
packets have been captured. It implements the standard FMS attack along with
some optimizations like KoreK attacks, as well as the all-new PTW attack, thus
making the attack much faster compared to other WEP cracking tools.
AirDeCap (http://wirelessdefence.org/Contents/Aircrack_airdecap.htm):
AirDeCap is a software tool included with AirCrack which is used to decrypt
packet captures (Cache, 2007)
Airtraf (http://www.elixar.com/): AirTraf is a wireless sniffer that can detect and
determine exactly what is being transmitted over 802.11 wireless networks. This
open-source program tracks and identifies legitimate and rogue access points,
keeps performance statistics on a by-user and by-protocol basis, measures the
signal strength of network components, and more.

Page11of16

AuditingWirelessNetworkSecurity Walderbach,Joshua

Asleap (http://www.wirelessdefence.org/Contents/AsleapMain.htm): Asleap is a

software tool to crack LEAP (Lightweight Extensible Authentication Protocol)
(Cache, 2007)
BackTrack (http://www.backtrack-linux.org): BackTrack is a Linux-based
penetration testing arsenal that aids security professionals in the ability to
perform assessments in a purely native environment dedicated to hacking.
Cowpatty (http://www.wirelessdefence.org/Contents/coWPAttyMain.htm):
Cowpatty is a Linux tool used for dictionary attacks on WPA-PSK (Cache, 2007)
GPSD (http://www.kraftvoll.at/software/): GPS Drive is a GPS mapping system
that can download maps from the internet and use them to draw the location of
Access Points (Lafargue, 2003). Kismet relies on GPSD to talk to GPS hardware.
(Cache, 2007)
JC-WEPCrack (http://www.802.11mercenary.net/jc-wepcrack/): JC-WEPCrack is
a Linux distributed WEP brute forcer (Cache, 2007).
Kismet (http://www.kismetwireless.net): Kismet is an 802.11 wireless network
sniffer that separates and identifies different wireless networks in the area.
Wellenreiter (http://wellenreiter.sourceforge.net): Wellenreiter is a Linux wireless
scanner with a GTK-based interface that resembles NetSumber (Cache, 2007).
WireShark (http://www.wireshark.org): WireShark is a powerful protocol analyzer
for Linux which supports the 802.11 protocol.

Conclusion
Wireless networks are very vulnerable to attacks; attackers exploiting wireless
implementation vulnerabilities could gain direct access to local business network
resources giving them the ability to steal customer or business information, propagate
viruses, and disable operations through DoS attacks. Wireless networks are difficult to
secure because they do not have a defined perimeter and radio signals can extend
beyond the intended perimeter thus leaking through the physical boundaries of a
business. Businesses risk the compromise of their customer information, financial
losses, and a negative public image if their WLAN is not properly secured. Businesses
can avoid these types of risks by following best practices during their implementation. A
WiFi security audit aims to identify issues and establish a baseline for existing 802.11
networks to ensure that the WLAN will not compromise the confidentiality, integrity, and
availability of information on a businesss network. A security professional following the
guidance in the paper could adequately perform a wireless security audit for a small to
medium sized business.

Page12of16

AuditingWirelessNetworkSecurity Walderbach,Joshua

Acronyms
AES: Advanced Encryption Standard (Frankel, 2007)
AP: Access Point (Frankel, 2007)
AS: Authentication Server (Frankel, 2007)
EAP: Extensible Authentication Protocol (Frankel, 2007)
ESSID: Extended Service Set ID (Lim, 2003)
GMK: Group Master Key (Frankel, 2007)
HTTP: Hypertext Transfer Text Protocol (Frankel, 2007)
LAN: Local Area Network (Frankel, 2007)
LEAP: Lightweight Extensible Authentication Protocol (Cache, 2007)
MAC: Media Access Control (Frankel, 2007)
NIC: Network Interface Card (Symantec, 2002)
NTP: Network Time Protocol (Frankel, 2007)
PMK: Pairwise Master Key (Frankel, 2007)
PSK: Pre-shared Key (Frankel, 2007)
SMB: Small to Medium Business (Lim, 2003)
SNMP: Simple Network Management Protocol (Frankel, 2007)
SSID: Service Set Identifier (Frankel, 2007)
STA: Station (Frankel, 2007)
TKIP: Temporal Key Integrity Protocol (Frankel, 2007)
VLAN: Virtual Local Area Network (Frankel, 2007)
VPN: Virtual Private Network (Frankel, 2007)
WEP: Wired Equivalent Privacy (Frankel, 2007)
WiFi: Wireless Fidelity (Frankel, 2007)
WLAN: Wireless Local Area Network (Frankel, 2007)
WPA: Wi-Fi Protected Access (Frankel, 2007)

Page13of16

AuditingWirelessNetworkSecurity Walderbach,Joshua

Definitions
Data Tampering: Deleting, replaying, or modifying information transmitted over the
WLAN resulting in a loss of data integrity and availability. (Lim, 2003)

Denial of Service (DoS): Jamming the frequency channel that is used for wireless
data transmission using a powerful signal generator, microwave, or massive network
broadcasting traffic from a rouge wireless device. (Lim, 2003)

Eavesdropping: Intercepting information that is transmitted over the WLAN can be

done from a distance up to kilometers outside of the building perimeter without any
physical network connection required. (Lim, 2003)

Mapping software: Mapping software is used for the production of reports, and to plot
access point coverage, power levels, etc. (Lafargue, 2003)

Masquerading: Gaining unauthorized access to the information and network

resources within the WLAN by impersonating the identity of an authorized WLAN user.
(Lim, 2003)
Packet Analyzers: Packet analyzers decode the traffic that has been recorded by the
RF monitor. (Lafargue, 2003)

Passive Scanning (Monitor Mode): Passive scanning tools dont transmit packets
themselves; instead, they listen to all the packets on a given channel and then analyze
those packets to see whats going on. (Cache, 2007)

RF Monitoring Software: RF monitoring software is the WiFi equivalent of network

packet sniffers for Ethernet. (Lafargue, 2003)

Traffic analysis: Monitoring WLAN transmissions for patterns of communication,

information flow between communicating parties, and deciphering of encrypted traffic
captured. (Lim, 2003)

Vulnerability Assessment: This step is not specific to wireless security surveys, and
very similar to its fixed network equivalent. (Lafargue, 2003)

Wireless Clients Attacks: Gaining access to the information shared or stored in the
wireless client when it was connected to an unprotected ad-hoc WLAN or an untrusted
third party WLAN. (Lim, 2003)

Wireless Network Security Audit: Generally conducted on an existing

802.11 network that has already been deployed either as a pilot or for production.
This audit will aim at identifying issues, and establish a baseline for the network.
(Lafargue, 2003)

Wireless Site Survey: Usually conducted before installing a 802.11 network, and will
aim at identifying at an early stage issues that may occur during deployment, and gather

Page14of16

AuditingWirelessNetworkSecurity Walderbach,Joshua

the relevant information needed to design the structure of the 802.11 network that will
be installed on site. (Lafargue, 2003)

Page15of16

AuditingWirelessNetworkSecurity Walderbach,Joshua

References

Cache, J, & Liu, V. (2007). Wireless Hacking Exposed: Wireless Security Secrets &
Solutions. Ney York, NY: The McGraw-Hill Companies.

Dollar, D. (2003). 03-CU-03: NCUA Letter to Credit Unions 03-CU-03: Wireless

Technology. Retrieved February 01, 2011, from http://www.ncua.gov/letters/2003/03-
CU-03.htm

Federal Financial Institutions Examination Council (FFIEC). (2006). Information

Security: IT Examination Handbook, page 38. Retrieved February 01, 2011, from
http://ithandbook.ffiec.gov
Fisher, J. (2011). Wireless LAN Security Guidelines for Small Business. Retrieved
February 01, 2011, from http://www.affinity-it.com:8080/wordpress/it-train/wireless-lan-
security-guidelines-for-small-business/

Frankel, S., Eydt, B., Owens, L., & Scarfone, K. (2007). Establishing Wireless Robust
Security
Networks: A Guide to IEEE 802.11i . Retrieved February 01, 2011, from
http://csrc.nist.gov/publications/nistpubs/800-97/SP800-97.pdf

Lafargue, E. (2003). Wireless Network Audits using Open Source tools. Retrieved
February 01, 2011, from
http://www.sans.org/reading_room/whitepapers/auditing/wireless-network-audits-open-
source-tools_1235

Lim, K.H. (2003). Security Guidelines for Wireless LAN Implementation. Retrieved
February 01, 2011, from
http://www.sans.org/reading_room/whitepapers/wireless/security-guidelines-wireless-
lan-implementation_1233
Radack, S. (2007). ITL Security Bulletin: Security Guidelines for Wireless LAN
Implementation. Retrieved February 01, 2011, from
http://csrc.nist.gov/publications/nistbul/b-April-07.pdf

Symantec Enterprise Security. (2002) Wireless LAN Security: Enabling and Protecting
the Enterprise. Retrieved February 01, 2011, from
http://www.symantec.com/avcenter/reference/symantec.wlan.security.pdf

Zamorski, M.J. (2002). FIL-8-2002: Wireless Networks And Customer Access.

Retrieved February 01, 2011, from
http://www.fdic.gov/news/news/financial/2002/fil0208.html

Page16of16