Managed, Master, Ad-Hoc, and Monitor Modes
802.11 wireless NICs can operate in four modes: managed, master, ad hoc, and monitor mode.
802.11 wireless clients connect to an access point in managed mode (also called client mode). Once connected, clients communicate with the access point only; they cannot directly communicate with other clients.
Master mode (also called infrastructure mode) is the mode used by wireless access points. A wireless card in master mode can only communicate with connected clients in managed mode.
Ad hoc mode is a peer-to-peer mode with no central access point. A computer connected to the Internet via a wired NIC may advertise an ad hoc WLAN to allow Internet sharing.
Finally, monitor mode is a read-only mode used for sniffing WLANs.
SSID and MAC Address Filtering
802.11 WLANs use a Service Set Identifier (SSID), which acts as a network name. Wireless clients must know the SSID before joining that WLAN, so the SSID is a configuration parameter. SSIDs are normally broadcast; some WLANs are configured to disable SSID broadcasts as a security feature. Relying on the secrecy of the SSID is a poor security strategy: a wireless sniffer in monitor mode can detect the SSID used by clients as they join WLANs, and this is true even if SSID broadcasts are disabled.
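To make the point above concrete, here is an added Python example (not from the book): it parses constructed 802.11 management frames and shows that while an access point with SSID broadcast disabled sends beacons with an empty SSID element, the client's own probe and association requests name the network in plaintext. The frame layouts are the standard 802.11 management-frame layouts; the MAC addresses and the network name "CorpNet" are constructed sample values.

```python
import struct

# 802.11 management header: frame control (2) | duration (2) | addr1 (6) | addr2 (6) | addr3 (6) | seq ctrl (2)
MGMT_HDR = struct.Struct("<HH6s6s6sH")
SUBTYPE_ASSOC_REQ, SUBTYPE_PROBE_REQ, SUBTYPE_BEACON = 0x0, 0x4, 0x8
# Length of the fixed fields that precede the information elements, per subtype
FIXED_LEN = {SUBTYPE_BEACON: 12, SUBTYPE_PROBE_REQ: 0, SUBTYPE_ASSOC_REQ: 4}

def parse_ies(body):
    """Walk tagged information elements (id, length, value); stop at a truncated one."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        eid, elen = body[i], body[i + 1]
        if i + 2 + elen > len(body):
            break  # malformed or truncated element: do not trust it
        ies[eid] = body[i + 2:i + 2 + elen]
        i += 2 + elen
    return ies

def ssid_from_frame(frame):
    """Return (subtype, source MAC, SSID or None) for a management frame, else None."""
    if len(frame) < MGMT_HDR.size:
        return None
    fc, _, _, addr2, _, _ = MGMT_HDR.unpack_from(frame)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF  # low byte of frame control
    if ftype != 0 or subtype not in FIXED_LEN:
        return None
    ssid = parse_ies(frame[MGMT_HDR.size + FIXED_LEN[subtype]:]).get(0)  # element ID 0 = SSID
    if ssid is None or ssid.strip(b"\x00") == b"":
        return subtype, addr2.hex(":"), None  # hidden SSID: empty or all-NUL element
    return subtype, addr2.hex(":"), ssid.decode("utf-8", "replace")

def build_frame(subtype, src, ssid):
    """Construct a minimal management frame carrying one SSID element (sample data only)."""
    fc = subtype << 4  # type 0 (management), protocol version 0, no flags
    hdr = MGMT_HDR.pack(fc, 0, b"\xff" * 6, src, b"\xff" * 6, 0)
    return hdr + b"\x00" * FIXED_LEN[subtype] + bytes([0, len(ssid)]) + ssid

# Constructed sample MACs (locally administered) and frames; not captured traffic.
AP, CLIENT = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02")
SAMPLE = [
    build_frame(SUBTYPE_BEACON, AP, b""),                # AP with SSID broadcast disabled
    build_frame(SUBTYPE_PROBE_REQ, CLIENT, b"CorpNet"),  # client asks for the network by name
    build_frame(SUBTYPE_ASSOC_REQ, CLIENT, b"CorpNet"),  # and names it again when joining
]

def observed_ssids(frames):
    """Every SSID a passive observer in monitor mode would learn from these frames."""
    return sorted({r[2] for r in map(ssid_from_frame, frames) if r and r[2]})
```

Running `observed_ssids(SAMPLE)` returns `["CorpNet"]` even though the beacon itself reveals nothing, which is exactly why disabling SSID broadcast should not be counted as a security control.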
Another common 802.11 wireless security precaution is restricting client access by filtering the wireless MAC address, allowing only trusted clients. This provides limited security. MAC addresses are exposed in plaintext on 802.11 WLANs; trusted MACs can be sniffed, and an attacker may reconfigure a non-trusted device with a trusted MAC address in software. Then the attacker can wait for the trusted device to leave the network (or launch a DoS against the trusted device) and join the network with a trusted MAC address.
WEP
WEP is the Wired Equivalent Privacy protocol, an early attempt (first ratified in 1999) to provide 802.11 wireless security. WEP has proven to be critically weak: new attacks can break any WEP key in minutes. Due to these attacks, WEP effectively provides little integrity or confidentiality protection. WEP is considered broken, and its use is strongly discouraged. The encryption algorithms specified in 802.11i and/or other encryption methods such as VPN should be used in place of WEP.
WEP was designed at a time when the export of encryption was more tightly regulated than it is today, and it was deliberately designed to avoid conflicts with the munitions laws then in force. In other words, WEP was designed to be “not too strong,” cryptographically, and it turned out to be even weaker than anticipated. WEP has 40- and 104-bit key lengths and uses the RC4 cipher. WEP frames have no timestamp and no replay protection: attackers can inject traffic by replaying previously sniffed WEP frames.