By Joel Snyder and Rodney Thayer
Network World, 10/04/04
Original article on the Network World Web site
To build a secure wireless network, it's not enough to watch the airwaves. You must lock down the access points, much like the rest of your network infrastructure.
Network World Lab Alliance partner Rodney Thayer of Canola Jones conducted a penetration test on the wireless infrastructure devices (access points and switches) we tested. In particular, we wanted to assess how the vendors protect the point at which the wireless device hits the wired network. We left the devices as close as possible to the recommended default configuration. In cases where Thayer criticizes a default setting but the vendor offers an option to make conditions more secure (such as changing from HTTP to Secure-HTTP), he noted this in the report.
It's clear from this testing that most devices arrive out of the box with a poor set of security defaults. Many access points don't have the option to disable low-security services, such as Telnet and HTTP, and enable higher security services, such as Secure Shell and HTTPS.
Thayer says most vendors opt for simple, rather than secure, defaults. For example, while few people manage wireless access points from a command-line interface, Actiontec ships its access point with Telnet enabled using a default password anyone can guess (it's the same as the username), which cannot be changed or disabled from the user interface. That's a pretty huge hole, even in the relatively low-end market Actiontec targets.
Thayer took steadier aim at enterprise-class access points built on more sophisticated platforms, such as HP and SMC, which left open debug ports from the real-time Wind River VxWorks operating system both use in their shipping products. While there might not be any known VxWorks exploits this week, this doesn't mean there won't be any next week.
Even vendors that have a clear focus on enterprise-class security, such as Aruba with their full stateful firewall, have been sloppy with their management defaults. Trapeze, another security-focused vendor, has a more haphazard take: It forces you into HTTPS management, but still lets you leave the password blank. That just does not follow good security practice, even if it's a default setting.