There is a general misconception that only large enterprises are at risk from cracking, wireless cracking included. This is a myth, but it is very prevalent. Large corporations are where the money and sensitive data are. However, every experienced attacker first looks after his or her own safety in regards to future legal responsibility, so he or she would start by looking for an easy target for anonymous access. At the same time, an inexperienced cracker goes for anything "crackable" without considering whose network it is and what its purpose is.

Large businesses usually have (or should have) trained security personnel, and a well-written and followed corporate security policy, as well as specific security equipment. This obviously increases the chances of discovering who the attackers are. In smaller companies and home networks many wireless attacks happen undetected and unmentioned until it is too late. Reinforcing the myth, however, the media pays attention to break-ins into major companies, thus creating an impression that smaller networks are of little interest for the underground.

Large corporations might have massive wireless networks with high output power to bridge distant buildings and provide wireless point-to-point links between company offices in the same city. Such links are easy to discover and tap into at a significant distance from the transceiver. Corporate point-to-multipoint networks might also have an impressive coverage zone with a huge number of roaming hosts. Thus, it can be difficult to discover an illicitly connected host in the "large crowd" or even an additional access point among multiple access points on the network. Besides, massive enterprises are at a higher risk from users installing unsolicited wireless equipment (both 802.11 and 802.15) and are more susceptible to social engineering attacks. These factors counterbalance the larger amount of resources that sizable companies can put into their wireless network security.

An issue we have discovered when auditing the security of various 802.11 networks is the use of legacy non-IP protocols over wireless. Although corporate networks generally tend to stay current, many organizational networks (government organizations included) do not appear to upgrade often and still run DECnet and Banyan Vines (not to mention IPX and AppleTalk) over 802.11 links. These protocols came into existence when networks were smaller, friendlier, and less exposed to the general public. At that time, security issues weren't very high on the network applications and protocols developers' lists, and known cases of cracking were sporadic. As the significance of TCP/IP grew together with the expansion of the Internet, security protocols running over IP (IPSec, Secure Sockets Layer (SSL), etc.) were developed, driven by the security demands of a large public network and the increasing importance of e-commerce around the world. At the same time, little attention was paid to non-TCP/IP protocol security, and there is nothing close to IPSec for DECnet, Banyan Vines, AppleTalk, and IPX (at least to our knowledge). Although the attacker's sniffer might not be able to decode these protocols well (although tcpdump and Ethereal understand DECnet and Banyan Vines fine), information transmitted in plaintext is still readable by anyone. Thus, while running legacy protocols over 802.11, the main (and, perhaps the only) line of defense is 802.11 (second layer) security features. Until the final 802.11i draft is available, universally accepted, and used, such networks cannot be considered secure. Of course, there are proprietary solutions to WEP insecurities as well as the WPA TKIP/802.1x . However, compatibility and interoperability issues can be a serious obstacle to deploying these solutions on large wireless networks that run legacy protocols (and probably using legacy wireless hardware). It is likely that such networks running DECnet or Banyan Vines will end up relying on static 128-bit (or 64-bit) WEP keys for security (the alternative is to drop that VAX and begin a new life). At the same time, the protocols in question are very chatty and constantly generate wireless traffic, even when no user activity on the network takes place. Chatty network protocols (including IPX and AppleTalk) are WEP crackers' best friends.

Turning from large businesses and organizations to smaller enterprises and even home user networks, a common error is to consider them to be off the crackers "hit list" because they are "not interesting" and have "low value" for an attacker. At many business meetings we were told that "your services are not needed for our small company because the company does not handle any sensitive data or perform financial transactions online." Later on the very same people were inquiring about incident response and recovery services. The reasons wireless crackers would attack small business and home networks were already listed and are quite clear to anyone in the IT security field: anonymous access, low probability of getting caught, free bandwidth, and the ease of breaking in. Specific issues pertaining to wireless security in the small enterprise 802.11 LANs include the following:

• The prevalence of a sole overloaded system administrator unfamiliar with wireless networking or the frequent absence of any qualified system administrator.

• The use of low-end, cheap wireless equipment with limited security features (unless you deal with Open Source, you get what you pay for).

• The absence of a centralized authentication server.

• The absence of wireless IDS and centralized logging system.

• The absence of a wireless security policy.

• Insufficient funds to hire a decent wireless security auditor or consultant.

Although many would not expect the widespread use of wireless networks in the small business sector, this assumption is wrong. Frequently, WLAN deployment is a crucial money saver for a limited-size enterprise. Although wireless client cards and access points still cost more than Ethernet network interface cards and switches, the costs of cabling are often prohibitive for a small business. Whereas large enterprises usually have their buildings designed and built with Cat 5 or even fiber cables installed, smaller businesses often use older buildings not suitable for extensive network cabling. We have found that in central London many small and medium companies must resort to 802.11 because their offices are based in designated conservation buildings. Thus, the need to use wireless networks combined with a lack of resources for hardening these networks creates a great opportunity for wireless crackers that attack small enterprise WLANs.

It is interesting to mention that when it comes to the use of basic wireless security countermeasures such as WEP, we saw that home networks tend to use WEP more frequently than many WLANs at small businesses and even larger enterprises. The rationale is probably the involved users' interest and attention to their own network and data protection as compared to the "we do not have a problem" approach to WLANs at the workplace exhibited by many corporate business users and, unfortunately, some system administrators and network managers. On the other hand, the majority of the "default SSID + no WEP combination" WLANs are also home user networks.