Wireless Security Implications of 802.11nBy CWNP On 12/08/2009 - 6 Comments
I am sure that all of us have bumped into IEEE 802.11n at some point in time – it is the latest sensation in the 802.11 family of standards. It enhances the operative range of Wi-Fi devices and enables wire-speeds. It is no surprise that most (probably all) of the wireless LAN (WLAN) equipment vendors have announced support for 802.11n. Each vendor seems to be claiming that they have the “most conducive” architecture to avail the performance benefits of 802.11n. In this article, as usual, I would like to get your attention to another important aspect of an 802.11n deployment – security. While it doesn’t explicitly introduce new security features, 802.11n does introduce certain unique challenges to your enterprise wireless LAN (WLAN) security. Here’s how:
- Faster attacks: Attacks can be launched at .11n speeds. For example, using an 802.11n unauthorized connection (e.g., via a Rogue AP or an ad hoc connection to your authorized client), an attacker can download data at several hundred Mbps speed. However, it is not the speed which throws the main challenge to a WIPS – it is in fact the underlying 802.11n technology used which provides the actual challenge. 802.11n supports several enhancements to achieve high throughput – e.g., 40 Mhz transmissions, multi-stream communication, frame aggregation. Unfortunately, these enhancements are not understood by legacy devices and hence, legacy WIPS cannot detect such communication. The good news is that some WIPS vendors do support 802.11n WIPS. An 802.11n WIPS sensor can decode such an unauthorized 802.11n communication and mitigate the corresponding threats.
- Long range attacks: 802.11n provides range benefits to your enterprise users, but, hold on. Can’t the same be exploited by an attacker to increase attack range? Unfortunately, the answer turns out to be ‘yes’. 802.11n enables an attacker to launch Wi-Fi attacks (e.g., Rogue APs, client side threats, Denial of service (Dos) attacks) from distances that are farther than possible with legacy a/b/g wireless devices. An 802.11n WIPS deployed in your enterprise can detect such attacks as long as one of the end-points of the attack (i.e., the attacker or devices in your WLAN) is within its range. As far as wireless blocking or prevention is concerned, your mileage may vary based on the actual technique used by your WIPS. For example, if a WIPS sensor is relying on “deauthentication packets”, it may suffer some loss in efficiency if the prevention packets cannot “reach” the distant attacker device.
- 802.11n specific attacks: As with any new standard, 802.11n also brings its own set of security issues. A series of DoS attacks have been identified with earlier drafts of 802.11n (IEEE Doc Review of 802.11n A-MPDU DoS Issues). At a high level, they are related to the Block Acknowledgement/A-MPDU aspects of 802.11n (See here for a good summarization of A-MPDU operation). Even if the later drafts/standard has plugged some of these holes, the question still remains as to what other .11n specific attacks are possible. For example, can 802.11n implementations be vulnerable to Fuzzing attacks? As 802.11n standards based devices permeate the market, the focus on breaking 802.11n will only increase.
The bottom line: With improved range and throughput, 802.11n brings high-speed risks as well. Let me know your views on taming this beast in your enterprise. Thanks,Gopi
Tagged with: gopi