The use of encryption and authentication mechanisms can certainly improve the security of a wireless LAN; however, smart hackers can still find vulnerabilities due to the way that networking protocols operate. A definite weakness is the common address resolution protocol (ARP) that all TCP/IP networks utilize. A hacker with the right tools can exploit ARP and take control of the wireless LAN.

ARP Basics

ARP is a crucial function used by a sending wireless or wired network interface card (NIC) to discover the physical address of a destination NIC. The physical address of a card is the same as the Medium Access Control (MAC) address, which is embedded in the card by the manufacturer and unique from any other NIC or network component. A part of the MAC address corresponds to the product vendor, which is how monitoring analyzers such as AirMagnet can display the vendor of a specific access point.

The MAC address is analogous to the street address of your home. Just as someone must know this address to send you a letter, a sending NIC must know the MAC address of the destination. The NIC only understands and responds to the physical MAC address.

The application software that needs to send the data will have the IP address of the destination, but the sending NIC must use ARP to discover the corresponding physical address. It gets the address by broadcasting an ARP request packet that announces the IP address of the destination NIC.

All stations will hear this request, and the station having the corresponding IP address will return an ARP response packet containing its MAC address and IP address. The sending station will then include this MAC address as the destination address in the frame being sent. The sending station also stores the corresponding IP address and MAC address mapping in a table for a period of time or until the station receives another ARP response from the station having that IP address.

ARP Security Issues

A problem with ARP is that it introduces a security risk resulting from ARP spoofing. For example, a hacker can fool a station by sending from a rogue network device a fictitious ARP response that includes the IP address of a legitimate network device, such as a wireless access point or router, and the MAC address of the rogue device. This causes all legitimate stations on the network to automatically update their ARP tables with the false mapping.
Of course these stations will then send future packets to the rogue device rather than the legitimate access point or router. This is a classic man-in-the-middle attack, which enables a hacker to manipulate user sessions. As a result, the hacker can obtain passwords, capture sensitive data, and even interface with corporate servers as if they were the legitimate user.

Secure ARP

In order to circumvent ARP spoofing, vendors such as OptimumPath implement secure ARP (SARP). This enhancement to ARP provides a special secure tunnel between each client and the wireless access point or router, which ignores any ARP responses not associated with the clients on the other end of the secure tunnels. Therefore, only legitimate ARP responses provide the basis for updating ARP tables. The stations implementing SARP are free from spoofing.
The use of SARP, however, requires the installation of special software on each client. Consequently, SARP is not practical for public hotspots. Enterprises, though, can generally install SARP on clients and be much freer from man-in-the-middle attacks.

 Jim Geier is an independent consultant and founder of Wireless-Nets, Ltd (www.wireless-nets.com), a consulting firm assisting municipalities, enterprises, hospitals, airports, and equipment providers with the development and deployment of wireless networks.