T 2.121 Inadequate monitoring of WLANs
A WLAN is a potential target of attacks, whether to use the network without authorisation or to disrupt its availability (DoS attacks). Either can lead to a compromise of the infrastructure connected to the WLAN. If the WLAN is not monitored adequately, most attacks will not be detected at all, or only when it is too late.
Incorrectly configured intrusion detection systems
If the communication patterns in the WLAN are not taken into account when planning an intrusion detection system, then either the intrusion detection system will be unable to detect attacks, or authorised communication will trigger alarms (false positives).
An acute threat can also arise when logging IDS-relevant events:
- If too much information is logged or the information is stored for too long, then there is a danger that the databases of the intrusion detection system will overflow.
- If not enough or the wrong data is recorded when logging, then an attack may not be detected, and no reasonable post-mortem analysis can be performed.
Unauthorised use of the WLAN
If the authentication mechanisms implemented for access to a WLAN are not strong enough, then an attacker could, for example, gain Internet access via the WLAN installation. This would reduce the available bandwidth and lengthen the response times for authorised WLAN users. Likewise, the Internet access obtained in this manner could be used for the following:
- to attack other systems in the Internet
- to distribute spam e-mails
- to download illegal content from the Internet
- to use peer-to-peer exchange services on the Internet.
No evaluation of the log files
When attackers attempt to log in to a WLAN, they must first overcome the authentication procedure. If they use dictionary or brute-force methods in an attack, the authentication components produce error messages, which those components then record in their log files. If these log files are not evaluated regularly, such attacks cannot be detected and corresponding countermeasures cannot be taken. If, in addition, successful logins are not checked for plausibility, then attackers could use the WLAN unnoticed with valid access information obtained through eavesdropping, possibly even while the employees concerned are absent.
Example:
The employee Mr. Miller is on holiday for three weeks. During this time, his access information for the WLAN is successfully decrypted by an attacker. Using this information, the attacker can now connect to the WLAN of the organisation successfully and without being noticed, and gain access to all areas which the employee is authorised to access. As a result, even sensitive data could be obtained without permission. If the log files of the authentication server had been analysed regularly, the administrators would have noticed that Mr. Miller was not even present and therefore could not be the one connecting to the WLAN. Furthermore, blocking the WLAN account of Mr. Miller for the duration of his holiday could have prevented this attack.
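The two checks described above (detecting brute-force login attempts in the authentication log, and flagging successful logins by accounts that should not be in use) as an added example; this is not part of the catalogue entry, and the RADIUS-style log format, the user names and the thresholds are constructed assumptions:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication-server log lines (not from a real system).
SAMPLE_LOG = """\
2024-03-04 09:00:01 Login incorrect user=miller station=aa:bb:cc:dd:ee:01
2024-03-04 09:00:03 Login incorrect user=miller station=aa:bb:cc:dd:ee:01
2024-03-04 09:00:04 Login incorrect user=miller station=aa:bb:cc:dd:ee:01
2024-03-04 09:00:06 Login incorrect user=miller station=aa:bb:cc:dd:ee:01
2024-03-04 09:00:07 Login incorrect user=miller station=aa:bb:cc:dd:ee:01
2024-03-04 09:05:10 Login OK user=miller station=aa:bb:cc:dd:ee:01
2024-03-04 09:06:00 Login OK user=schmidt station=aa:bb:cc:dd:ee:02
2024-03-04 09:30:00 Login incorrect user=schmidt station=aa:bb:cc:dd:ee:02
"""
# Assumed line layout: "<date> <time> Login <OK|incorrect> user=<name> station=<client MAC>"
LINE_RE = re.compile(r"^(\S+ \S+) Login (OK|incorrect) user=(\S+) station=(\S+)$")

def parse(log_text):
    """Turn log text into (timestamp, success, user, station) tuples; skip unknown lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2) == "OK", m.group(3), m.group(4)))
    return events

def find_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return (station, user) pairs with >= threshold failures inside one sliding window."""
    failures = defaultdict(list)
    for ts, ok, user, station in events:
        if not ok:
            failures[(station, user)].append(ts)
    hits = set()
    for key, times in failures.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:  # enough failures within the window
                hits.add(key)
                break
    return hits

def find_absent_logins(events, absent_users):
    """Return successful logins for accounts that should not be in use (e.g. on leave)."""
    return [(ts, user, station) for ts, ok, user, station in events if ok and user in absent_users]
```

In the sample, the five failures from the same station within seconds are reported as a brute-force attempt, and the later successful login by the absent user is reported separately.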