In Wi-Fi networks, as you likely know, the 802.11i suite of security standards has been fleshed out to provide strong authentication, confidentiality, and integrity assurance of production wireless LAN traffic. What might be less well understood is that 802.11 standards currently leave system management frames - those associated with over-the-air management tasks rather than the data itself - running in the clear.
This situation can create vulnerabilities, such as denial-of-service attacks and the potential for authentication credential theft, depending on what level of WLAN security you use.
Among the tasks for which management frames are generated:
- Client-to-access point (AP) association and disassociation requests.
- AP-generated de-authentication frames indicating that a client is no longer valid and resulting in it being kicked off the network.
- Probe responses.
A chink in the Wi-Fi armour
The “openness” of these transmissions leaves a pinhole for possible wireless intrusions. Malicious systems might pretend to be an AP, for example, and send disassociation requests to clients that deny service to the user. Once the client is disconnected, the malicious system might watch and see if it tries to reauthenticate. If weak Wi-Fi security, such as Wired Equivalent Privacy (WEP), is in use, and the client does attempt to reconnect, the malicious system might grab authentication credentials during this process.
If you’re using Wi-Fi Protected Access or WPA2/802.11i, you shouldn’t have to worry about credential theft. However, the denial of service would still likely occur, which inhibits users’ productivity (and annoys the heck out of them).
Today, if you’re a Cisco shop, you can avert this vulnerability by enabling a capability called Management Frame Protection (MFP) in your Cisco WLAN. MFP works with both the controller-based thin-AP architecture and the Cisco IOS Software-based, autonomous APs when they are used in conjunction with the Cisco Wireless LAN Solutions Engine, says Jake Woodhams, senior technical marketing engineer at Cisco.
Cisco WLAN systems insert a digital signature into the management frame (a field with an encrypted hash), such that only a legitimate AP can create it. A legitimate receiver will have the ability to validate the signature. Packets that arrive without legitimate signatures are ignored, Woodhams explains. Note: Cisco WLANs ship with this disabled, so if you want the added protection, check the “enable MFP” box during configuration.
Cisco MFP forms the initial basis of the emerging 802.11w standard, which will extend 802.11i to protect management frames in addition to data frames.
The 802.11w Protected Management Frames standard will still have some limitations, according to Joshua Wright of Aruba, but it is expected to be ratified in late 2007 or first quarter 2008.