Author: Neftaly Malatjie

  • 114072 LG 1.61 ACCEPTANCE/VERIFICATION TESTING

    When an organization hires a contractor to implement the WLAN, it is important for the organization to conduct acceptance/verification testing to ensure that all technical system requirements are met and that the overall system is functioning effectively. The tests verify that the overall system has adequate signal coverage, performance, capacity, and security, and that management systems are in place and operating properly. Acceptance/verification testing therefore includes the testing explained, but as a formalized process. In fact, it is a good idea to make acceptance/verification testing part of the contract with a system integrator, possibly stipulating successful completion of acceptance/verification testing as a requirement for part of the payment for the system.

    The following are benefits of acceptance testing:

    • Determines whether the system is fully operational prior to being given operational status, which avoids potential issues with usage and support
    • For potential legal purposes, provides expert technical evidence of system elements that do not meet contracted requirements
    • Provides a form of insurance to service providers that the system will support intended applications before they invest in deploying those applications

    In addition to the testing covered earlier in this chapter, acceptance/verification testing should address the following elements:

    • Installation practices: Tour the facility and ensure that access points are installed properly, antennas are aligned correctly, and cabling is neat and organized. For more information about installation best practices.
    • System documentation: Review all documentation, such as system design specifications, as-installed signal coverage maps, cabling diagrams, and operational support plans. The various chapters throughout this book explain what this documentation should include.
    • Operations and maintenance: Look over operations and maintenance procedures and make sure that all applicable staff has proper training. Test the reaction time of the support staff by triggering a failure event, such as disabling one or more access points. This should be done without any notice to the support staff. Observe how long it takes the support staff to fix the problem and verify that this falls within required times.


  • 114072 LG 1.60 Public-Side Testing

    Of course, some networks, such as public hotspots, may not have any security mechanisms and may encourage open connections, but the same network may also include a private network. In this case, run tests to verify that client devices connecting to the public side of the network cannot access any sensitive resources. As part of analyzing the security vulnerabilities of a wireless network, run a port scanner, such as SuperScan or Retina, to find open TCP or UDP ports that may present security holes. SuperScan runs on a Windows laptop and scans all ports via the wireless network. Most of the time, SuperScan returns information (for example, IP address) about open port 80 (HTTP) interfaces on access points and printers, but it also finds other open ports made available by the installation of various applications.

    When running penetration tests, use a port scanner with a test computer, which should be the same as the target client device, connected to the network at various locations, as follows:

    • Scan test computer from within the same subnet: This test determines the extent to which a public wireless user can access user devices that are in the same subnet as another user. This scenario is common with public hotspots, where the hacker is connecting to the network from the same area as a targeted user (for example, from the same coffee shop). With the port scanner connected to the same subnet as the test computer, initiate a scan of all applicable TCP/UDP ports of the IP address of the test computer.
    • Scan test computer from a different subnet: This test determines the extent to which a public wireless user can access user devices that are in a different subnet. This scenario is common with public hotspots, where the hacker is connecting to the network from a different area than a targeted user (for example, from different parts of an airport). With the port scanner connected to a different subnet than the test computer, initiate a scan of all applicable TCP/UDP ports of the IP address of the test computer.
    • Scan test laptop located on a private subnet from a public subnet: This test determines the extent to which a public wireless user located on a public subnet can access devices that are on a private subnet. This scenario is applicable where a hacker is trying to compromise the security of users connecting to the protected side of the network. With the port scanner connected to the public subnet and the test computer connected to the private network, initiate a scan of all applicable TCP/UDP ports of the IP address of the test computer.

    In addition to scanning a test computer, perform a scan of all devices that connect to the network, such as access points, controllers, switches, and application servers. In addition to wireless components, be certain to include devices that are not part of the wireless network, such as printers. If scanning all ports, you will probably need to restrict either the devices (by IP address) or the scanned ports to a limited set. Otherwise, the scans may run for days. Be sure to hit the more vulnerable ports, such as port 80. Before running the tests, talk to your local network security manager to decide which ports are most important to scan.
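
    The scans from the three vantage points, plus the infrastructure scan, only become an acceptance result once they are compared with what the design allows to be reachable. The following is an added example, not part of the original guide: it evaluates a constructed scan export against an assumed per-scenario allowlist. The CSV layout, scenario names, addresses, and policy are all assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed scan export; the column layout is an assumption, not the output
# format of any particular scanner. Addresses are documentation ranges.
SCAN_CSV = """\
scenario,target,proto,port,state
same_subnet,192.0.2.25,tcp,445,open
same_subnet,192.0.2.25,tcp,80,closed
different_subnet,192.0.2.25,tcp,445,filtered
public_to_private,198.51.100.10,tcp,3389,open
public_to_private,198.51.100.10,udp,161,open
public_to_private,198.51.100.10,tcp,22,filtered
infrastructure,192.0.2.2,tcp,80,open
infrastructure,192.0.2.2,tcp,443,open
"""

# Assumed policy: ports the design permits to be reachable in each scenario.
ALLOWED = {
    "same_subnet": set(),
    "different_subnet": set(),
    "public_to_private": set(),
    "infrastructure": {("tcp", 443)},
}

def evaluate(scan_text, allowed):
    """Return {scenario: [(target, proto, port), ...]} for open ports the policy forbids."""
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(scan_text)):
        if row["state"].strip().lower() != "open":
            continue  # closed and filtered ports are not exposures
        service = (row["proto"].strip().lower(), int(row["port"]))
        # A scenario missing from the policy allows nothing (fail closed).
        if service not in allowed.get(row["scenario"], set()):
            findings[row["scenario"]].append((row["target"], *service))
    return {scenario: sorted(hits) for scenario, hits in findings.items()}

def verdict(findings):
    """The segmentation check passes only when no forbidden port is reachable."""
    return "PASS" if not findings else "FAIL"

if __name__ == "__main__":
    report = evaluate(SCAN_CSV, ALLOWED)
    for scenario, hits in report.items():
        for target, proto, port in hits:
            print(f"{scenario}: {target} exposes {proto}/{port}")
    print("segmentation check:", verdict(report))
```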


  • 114072 LG 1.59 Private-Side Testing

    A good place to start with penetration testing is to attempt to connect unauthorized devices to the private side of the network, which should be configured with encryption and authentication mechanisms that allow only authorized client devices to connect successfully. Assume that you know the SSID of the private network because that can be easily found by monitoring 802.11 association requests from client device radios. Configure an unauthorized client device with this SSID and verify that you cannot connect to the network. Of course, if it is possible to connect to the private side of the network without applicable encryption passwords, there are major problems with the security of the network. In this case, review the security settings on the access point.

  • 114072 LG 1.58 PENETRATION TESTING

    The ability of authorized client devices to connect to the network is only part of security testing. You also need to verify that unauthorized client devices cannot connect to the private side of the network or reach the protected network from the public side of the network.

  • 114072 LG 1.57 Security Settings Verification

    Start by reviewing the security configuration settings in client radios, controllers, and access points. This includes confirming that encryption and authentication functions are configured correctly in relation to design specifications. For example, if design specifications indicate use of Advanced Encryption Standard (AES) encryption, ensure that the access points are configured to require AES encryption. Do not assume that the WLAN has the proper configuration; be certain to look at the configuration of the actual equipment. Once you are sure that the network’s security settings are correct, determine whether authorized client devices can successfully connect to the network using the applicable security mechanisms, such as AES encryption and 802.1X authentication. In addition to ensuring that it is possible to connect, verify that the actual security mechanism is in use. You can do so by running a wireless packet sniffer, which will identify the applicable security mechanisms that correspond to the client device being tested.
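
    What a packet sniffer reads to identify the mechanism in use is the RSN information element carried in beacons and association requests. The following is an added example, not part of the original guide: it parses that element and lists every advertised suite that deviates from a design specification of AES (CCMP) with 802.1X. The two sample elements are constructed, and the function names are illustrative.

```python
import struct

OUI = bytes.fromhex("000fac")  # IEEE 802.11 suite selector OUI
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}  # CCMP is the AES mode
AKMS = {1: "802.1X", 2: "PSK"}

# Constructed RSN elements: one matching the design, one with TKIP/PSK enabled.
GOOD_AP = bytes.fromhex("30140100000fac040100000fac040100000fac010000")
MIXED_AP = bytes.fromhex("30180100000fac020200000fac04000fac020100000fac020000")

def _name(selector, table):
    """Map a 4-byte suite selector (OUI + type) to a readable name."""
    if selector[:3] != OUI:
        return "vendor:" + selector.hex()
    return table.get(selector[3], f"unknown:{selector[3]}")

def _suite_list(body, off, table):
    """Read a little-endian 16-bit count, then that many suite selectors."""
    if off + 2 > len(body):
        raise ValueError("truncated RSN element")
    (count,) = struct.unpack_from("<H", body, off)
    end = off + 2 + 4 * count
    if end > len(body):
        raise ValueError("truncated RSN element")
    return [_name(body[i:i + 4], table) for i in range(off + 2, end, 4)], end

def parse_rsn(element):
    """Parse an RSN information element (element ID 48) taken from a capture."""
    if len(element) < 8 or element[0] != 48 or element[1] != len(element) - 2:
        raise ValueError("not a well-formed RSN element")
    body = element[2:]
    pairwise, off = _suite_list(body, 6, CIPHERS)
    akm, _ = _suite_list(body, off, AKMS)
    return {"version": struct.unpack_from("<H", body)[0],
            "group": _name(body[2:6], CIPHERS), "pairwise": pairwise, "akm": akm}

def deviations(rsn, cipher="CCMP", akm="802.1X"):
    """List every advertised suite that differs from the design specification."""
    issues = []
    if rsn["group"] != cipher:
        issues.append(f"group cipher {rsn['group']}")
    issues += [f"pairwise cipher {c}" for c in rsn["pairwise"] if c != cipher]
    issues += [f"key management {a}" for a in rsn["akm"] if a != akm]
    if cipher not in rsn["pairwise"] or akm not in rsn["akm"]:
        issues.append("specified suite not offered")
    return issues

if __name__ == "__main__":
    for label, element in (("good", GOOD_AP), ("mixed", MIXED_AP)):
        print(label, parse_rsn(element), deviations(parse_rsn(element)))
```

    An access point that offers TKIP or PSK alongside the specified suites still lets authorized clients connect with AES and 802.1X, so a connection test alone passes while the as-configured equipment deviates from the design.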