Map Out Your Wireless-Security Audits

Are you tired of trying to get management to take wireless security seriously? Are you ready to pull out your hair if just one more department manager decides to plug in a store-bought wireless hub--without telling you--just for "temporary purposes" such as giving visitors Internet access? Are you going blind from trying to decipher the unfriendly results of your wireless-network audits? Most wireless-auditing tools are long on data and short on visual aids. True, some higher- end programs have limited graphical capabilities, but none that I'm aware of provide color maps of your wireless network and auditing results, at least not right out of the box. However, when you're asking management for stronger security policies or better wireless equipment, a map like that puts punch in your presentation. For a minimal investment, you can assemble a collection of free and commercial tools that will let you create Global Positioning System (GPS)­calibrated maps of all the wireless networks in your area. These maps provide information about each network's owner, signal strength, encryption type, equipment, MAC addresses, and a lot of other useful data. You can use the maps as a visual aid when trying to assess and strengthen your wireless network's security.

What You'll Need
You'll need both hardware and software for this project. If you're already performing wireless audits, you might already have most of this equipment. Most of the software is free, but you might need to make a small investment for the mapping software and possibly for a GPS receiver. Here's what you need to get going:

A laptop with a wireless card. Most modern notebook computers (e.g., all Intel Centrino laptops) already have a wireless radio built in. However, you might want to upgrade to a PC card that lets you attach an external antenna; this capability will make your surveys more accurate and complete. I use a Proxim ORiNOCO Classic Gold PC Card and an external, car-mountable antenna for greater mobility and reception during my audits. (You can buy hardware bundles that include a card and antenna at the NetStumbler site I mention below.)

Hand-held GPS receiver. This piece of hardware will interface with your PC to find the locations of any wireless Access Points (APs) that you identify during your surveys. You don't need a fancy receiver; a basic model that displays longitude and latitude should suffice. However, make sure that whichever receiver you choose has a PC interface (usually a serial cable), that its output is compatible with the National Marine Electronics Association (NMEA) standard so that the mapping software can read the data, and that the unit is Wide Area Augementation System (WAAS)­compatible. You can find this type of unit for less than $100 from manufacturers such as Garmin and Thales Navigation.

NetStumbler 0.4.0 or later. Marius Milner's NetStumbler is by far the most popular Windows-based wireless-auditing tool. Not only is this versatile program available to the public at no charge, but Milner's Web site (http://www.netstumbler .com) also features some great wireless-security discussion forums.

StumbVerter 1.5 or later. Sonar Security's StumbVerter (http://www.sonar-security.com) converts NetStumbler files to Microsoft MapPoint­compatible files, then creates audit maps based on those files. The program is free, although you can make a donation to go toward further development. Note that StumbVerter 1.5 works only with MapPoint 2004 or later; if you have MapPoint 2002, you'll need to use StumbVerter Beta 5. You can download both versions from http://www .c2security.org/tools/stumbverter.

MapPoint 2004 or later. MapPoint provides maps for StumbVerter and lets you add enhancements to your audit maps. This is the only program in our collection that you'll need to pay for; the retail price is around $200. (The program's usefulness goes beyond wireless audits.)

Getting Set Up
Installing the software packages on your laptop is a breeze: Just click each program's Setup file and the programs will install themselves, prompting you for any necessary information. However, you do need to install the programs in a particular order.

First install NetStumbler. Installation takes a few minutes. After the installation is finished, plug in your GPS receiver and fire up NetStumbler, preferably near a known wireless AP. The program's main screen will come up; any active wireless APs within range of your antenna will appear in the right-hand pane, as Figure 1 shows.

The main screen provides various information about the found APs. You might be shocked to see how many APs show up; Figure 1 shows how many I found during a survey of the area around a shopping mall. Make sure that you're receiving the GPS data for the listed APs. This data will show up in the longitude and latitude columns in the right-hand pane.

If you aren't receiving the GPS data, look for the GPS status icon in the program's status bar. This icon will tell you whether your GPS receiver is sending data to the program. If not, you could have one of several problems. One problem could be that your serial port settings aren't configured correctly. To access these settings, select View, Options from NetStumbler's menu bar. Go to the GPS tab and make sure that the COM port is set to the correct port for your serial interface. Usually, this will be COM1--unless you're using an internal modem, in which case it might be COM2.

Also make sure that the communications settings are correct for your unit. For example, the proper settings for my Thales Navigation Magellan unit are 4800 baud, 8 bits per second, no parity, one stop bit, and flow control set to off. Each manufacturer's equipment will have slightly different settings. Another problem could be that the GPS unit isn't set to transmit in the correct format. Most units let you set the protocol that the unit will use to transmit data to the PC. In my Magellan, this option is under the main menu's Setup option. Also, make sure that NMEA is turned on.

Once NetStumbler is running satisfactorily, install MapPoint. After installation, make sure you can bring the program up without error. Reboot your system before continuing.

After your system is rebooted, load StumbVerter. Make sure you install this program last: It won't install properly unless NetStumbler and MapPoint are already on the system.

Creating Your Maps
Now you're ready to generate some graphical wireless-audit maps. Go out with your laptop and GPS rig and collect some data. (For more information about this process, related tools, and wireless-network security in general, see "The Auditor Security Collection," January 2005, InstantDoc ID 44648, and "A Secure Wireless Network Is Possible," May 2004, InstantDoc ID 42273.) After you've completed your survey, save the information from your auditing session as a NetStumbler .nsi file. Open NetStumbler, pull up that file, and select File, Export. During this process, choose the text option instead of the summary option.

Open StumbVerter and select Map, Create New North America. (This assumes that you're using the North American version of MapPoint; a European version is also available. StumbVerter uses MapPoint's maps, so the available maps depend completely on the version of MapPoint that you're using.) Next, select Import, NetStumbler Summary. Select your exported NetStumbler file from the Browse window. Note that you can also import files that have been saved in the Kismet (a Linux-based wireless-audit program) summary format.

StumbVerter now draws a map of the area you surveyed, as Figure 2 shows. The StumbVerter window is divided into three sections. The right-hand section displays the map, with wireless APs represented by green or red tower icons. A green tower means that the AP's signal is unencrypted; a red tower signifies that the signal is encrypted. The top-left section lists all the APs along with their 802.11b Service Set Identifiers (SSIDs) and an icon that identifies them as being encrypted or unencrypted. (You'll be amazed at how many APs are unencrypted; in my experience, more than half the APs out there are transmitting in the clear.) The bottom-left section lists any APs that didn't have related GPS data and therefore couldn't be depicted on the map.

Click any AP in the list to localize the map pointer to that AP. Double-click an AP to bring up an information balloon that contains most of the information that NetStumbler gathered, including the following:

the AP's SSID, often the manufacturer's default

the AP's MAC address (making it easier to identify unique APs when a lot of them have the same default SSID)

the AP's signal strength (the tower icons also display signal strength: the stronger the signal, the more waves shown emanating from the tower)

the AP's encryption state (the tower icons also show encryption status, as I mentioned earlier)

You can use StumbVerter's View menu to affect how much detail the map shows. You can choose to label the AP tower icons with each AP's name or information balloon. You can also display other points of interest that MapPoint has built in (e.g., banks, restaurants). In areas with many APs, these options can make the map cluttered and difficult to read, and you might want to display points of interest only when they serve as useful landmarks.

You can edit your map file natively in StumbVerter or you can use the Map, Save menu option to save the map as a MapPoint file, then open it in MapPoint to take advantage of that program's drawing and labeling tools. You can also export maps in graphical formats (such as a .bmp file) for use in Microsoft PowerPoint or Word. You can save the map as an HTML file for inclusion on a Web site. Or you can use the menu bar's Save CSV option to save the data as a comma-separated value (CSV) file to import into spreadsheets or databases. Keep in mind that this option captures only the tabular data that NetStumbler gathered, not the graphical map.

StumbVerter has one other nifty feature: an Antenna Comparison Tool, which you can access by choosing the menu bar's ACT option. You can use this tool to compare external antennae--as many as three at a time--for your audit workstation. To do so, perform an audit with each antenna. Save the audits as .nsi files, then open each one in NetStumbler and export the files using NetStumbler's summary option. Open StumbVerter's ACT tool. Enter each antenna's name in one of the Log boxes. Double-click in each Log file to load box to open a browse window, then select an audit file for each antenna. After you've loaded the files you want to compare, click Go. The tool then shows the signal strength and signal-to-noise ratios that each antenna recorded for each AP and gives each antenna a relative score based on those readings. The tool highlights the best antenna (based on its overall score) in green.

Seeing Is Believing
Armed with your maps, you can figure out your wireless network's footprint outside your building. You can pinpoint where other wireless LANs overlap yours and take steps to minimize interference. (I've seen situations in which a company's PCs were logging on to another company's wireless network without anyone realizing it.) And you can root out rogue APs on your network and give those errant department managers a stern talking to. When it comes to wireless security, a picture truly can be worth a thousand words.