

Wireless networking is becoming more prevalent because of its flexibility; however, since a Wi-Fi network is accessible from outside the building perimeter, it is essential that it cannot be accessed by unauthorised third parties.

The security of Wi-Fi (802.11) wireless LAN networks is often overlooked. Insecurities in the configuration of both wireless access points and clients are commonly reported, as are weaknesses in the implementation of the Wi-Fi standard's encryption methods.

There are a number of actions that can be taken to minimise wireless network security risk. Part of any security solution is to discover wireless access points and clients and assess their security.

Malicious intruders regularly probe Wi-Fi access points for misconfigurations, vulnerabilities and incorrectly configured security controls in order to compromise network defences.

A wireless assessment provides a full review of an organisation's wireless network architecture. It can also be used to identify rogue wireless devices that might be attached to a corporate network. During the course of this assessment a consultant will perform a wireless discovery both internally and externally to determine the presence of networking devices, followed by a review of the management controls and processes implemented to ensure that effective protection and controls are in place. These should include suitable authentication, encryption and access control.

Following a wireless assessment, a report is produced detailing any areas of weakness within the architecture and configuration of a wireless network that could be used by an attacker to exploit the perimeter of an organisation.

The following sections further describe each phase of the wireless ITHC methodology.

Phase One – Premises Wireless Survey

Digital Assurance will survey the organisation using specialist wireless testing equipment to determine the presence of wireless networks within your building(s). We will sweep each area of the building and physically and logically locate any wireless access points (APs). For each identified wireless access point we will record:

  • A general description of the physical location of the access point;
  • The make and model of the AP;
  • The hardware (MAC) address of the AP;
  • The channel number that the access point is using;
  • The type of wireless network (802.11a, 802.11b, 802.11g, 802.11n, other);
  • The Service Set Identifiers (SSIDs) that the AP is using;
  • Whether the AP is currently broadcasting the SSID(s);
  • The type of encryption (if any) that the AP supports and the encryption details (for example additional configuration for WPA/WPA2 ENTERPRISE);
  • The IP address of the AP (if possible);
  • Whether the AP is known or unknown (rogue);
  • The business purpose of the access point;
  • The general range of the access point and particularly whether it can be observed from outside of the building's perimeter;
  • Any additional details (e.g. the use of MAC filtering, other network authentication requirements such as 802.1X, etc.).

The output from this part of the methodology will be a list of all of the identified wireless networks.
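As an added illustration (example code, not Digital Assurance's own tooling), the Python below takes survey records with the fields listed above and triages them into findings: unknown (rogue) BSSIDs, inherently weak encryption, and weakly protected networks observable beyond the perimeter. The sample records, the authorised-AP list and the set of "weak" encryption types are constructed assumptions for the example.

```python
from dataclasses import dataclass, field

@dataclass
class AccessPoint:
    """One Phase One survey record; field names are this example's assumption."""
    location: str
    make_model: str
    bssid: str          # hardware (MAC) address
    channel: int
    standard: str       # 802.11a/b/g/n
    ssid: str
    broadcasting: bool  # is the SSID currently broadcast?
    encryption: str     # OPEN, WEP, WPA-PSK, WPA2-PSK, WPA2-ENTERPRISE, ...
    visible_outside: bool
    extras: list = field(default_factory=list)  # e.g. "MAC filtering", "802.1X"

# Encryption settings the review treats as inherently weak (no encryption, or WEP).
WEAK_ENCRYPTION = {"OPEN", "WEP"}

def normalise_mac(mac: str) -> str:
    """Accept 00-11-22-33-44-55 or 00:11:22:33:44:55 in any case."""
    return mac.replace("-", ":").lower()

def triage(survey, authorised):
    """Return {bssid: [finding, ...]} for every AP with at least one finding.

    `authorised` maps known BSSIDs to their business purpose; any other BSSID
    seen in the survey is reported as unknown (rogue).
    """
    known = {normalise_mac(m): purpose for m, purpose in authorised.items()}
    findings = {}
    for ap in survey:
        mac = normalise_mac(ap.bssid)
        issues = []
        if mac not in known:
            issues.append("unknown (rogue) access point")
        enc = ap.encryption.upper()
        if enc in WEAK_ENCRYPTION:
            issues.append(f"weak encryption: {enc}")
            if ap.visible_outside:
                issues.append("weakly protected network observable outside the perimeter")
        if issues:
            findings[mac] = issues
    return findings

# Constructed sample survey and authorised list (not real devices).
SURVEY = [
    AccessPoint("Floor 2 comms room", "Vendor-A AP-1", "00:11:22:33:44:55", 6, "802.11n",
                "CORP", True, "WPA2-ENTERPRISE", False, ["802.1X"]),
    AccessPoint("Reception", "Vendor-B AP-2", "00-11-22-33-44-66", 11, "802.11g",
                "GUEST", True, "WEP", True),
    AccessPoint("Floor 3, under desk", "unknown", "AA:BB:CC:DD:EE:FF", 1, "802.11g",
                "linksys", True, "OPEN", True),
]
AUTHORISED = {"00:11:22:33:44:55": "corporate LAN", "00-11-22-33-44-66": "guest internet"}
```

Running `triage(SURVEY, AUTHORISED)` reports the WEP guest AP and the unknown open AP, while the 802.1X corporate AP produces no finding.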

Phase Two – Encryption Review

Any wireless access points that use encryption will be assessed for vulnerabilities that could allow unauthorised access to the wireless network. This stage will assess the type of encryption used and whether any inherent weaknesses exist within it, for example the well-known but serious flaws in the Wired Equivalent Privacy (WEP) protocol.

Digital Assurance will attempt to compromise the encryption, determine whether this is possible within feasible timescales, and establish whether any other factors (e.g. physical distance from the AP) have historically provided protection from attack.

Additionally, for those services that permit authentication attempts (e.g. Pre-Shared Keys or domain authentication with WPA/2 ENTERPRISE), Digital Assurance will attempt to guess and/or brute-force (depending on the time available) the required credentials for the service.

The output from this stage of the methodology will be the current state of encryption in use for all of the access points and whether access is possible into the wireless networks that they support, including full details of any compromise method.

Phase Three – Architecture and Device Review

This part of the test can be conducted irrespective of the outcome of the previous two stages – for any access point that has not been compromised, valid credentials may be provided by the client.

Phase three of the testing involves examining the actual 'view' of the network provided by the wireless access point and determining whether any potential vulnerabilities or weaknesses exist which could pose a risk to the corporate infrastructure.

In particular, the following areas will be investigated:

  • The wireless access point's own interface and whether remote management functionality is adequately set up and secure;
  • Whether any vulnerabilities exist within the AP's firmware that could be used to compromise it or cause a Denial of Service;
  • Whether the AP is being used to provide access to business-critical services and the risk of availability issues to those services (e.g. via jamming attacks);
  • In a Government environment, whether the Access Point is configured suitably to support handling of Protectively Marked (up to RESTRICTED) data in line with CESG Manual Y;
  • Whether additional encryption products (e.g. a VPN) should be used over the wireless network;
  • The nature and extent of the services that can be reached via the AP. For example, is it possible to access the corporate network from a guest-based wireless LAN, could an attacker gain access to other areas of the network, or is it possible to access sensitive infrastructure or applications from the wireless LAN? Should network access control be deployed to restrict the window of opportunity?
  • Implications associated with access and services provided via the wireless network (e.g. attacks on other networks appearing to originate from the client);
  • Network filtering, logging and intrusion detection associated with wireless access.

The output from this part of the testing will be a description of the overall network topology supported by the wireless LAN and of any risks associated with it, in addition to any specific vulnerabilities in the hardware and software that has been deployed to offer the wireless network(s).

The return on investment from conducting a wireless security review will be the increased assurance that the organisation’s internal network resources and information assets are secured and cannot be compromised via the Wi-Fi network.