Best Practices for Wireless Network Security


November 24, 2003 (Computerworld) -- Wireless technology is dramatically changing the world of computing, creating new business opportunities but also increasing security risks.

Wireless LANs, which use radio frequencies to broadcast in the unlicensed 2.4-GHz frequency band, can be as simple as two computers equipped with wireless network interface cards or as complex as hundreds of computers outfitted with cards communicating through access points. They're relatively inexpensive and easy to install.

But they also introduce a number of critical security risks and challenges, and it's important to implement strong security measures to mitigate these risks. What follows are potential risks and associated best practices to help you secure your network and understand WLAN characteristics:

Risk No. 1: Insufficient policies, training and awareness

Though establishing policies to govern wireless networks would appear to be a basic requirement, institutions often fail to take this step or to inform employees of the risks associated with not using a wireless network in accordance with the policies. Once policies are implemented, it's critical to communicate them to increase users' awareness and understanding.

How to mitigate:
Develop institution-wide policies with detailed procedures regarding wireless devices and usage. Maintain these policies and procedures to keep current with technology and trends. While each institution will have specific requirements, at a minimum require the registration of all WLANs as part of the overall security strategy. And because a policy isn't effective if users aren't in compliance, monitor the network to ensure that users are following the policy as intended.

Conduct regular security awareness and training sessions for both systems administrators and users. It's important to keep systems administrators informed of technical advances and protocols, but it's equally important for users to understand the reasons for the protocols. An educated user is more likely to comply, and with less protest. These education sessions should stress the importance of vigilance.

Risk No. 2: Access constraints

Wireless access points repeatedly send out signals to announce themselves so that users can find them to initiate connectivity. These announcements are 802.11 beacon frames, which carry the access point's Service Set Identifier (SSID) and are sent unencrypted. (SSIDs are names or descriptions used to differentiate networks from one another.) This makes it easy for unauthorized users to learn the network name and attempt an attack or intrusion.

How to mitigate:

  1. Enable available security features. Embedded security features are disabled by default.

  2. Change the default settings. Default SSIDs are set by the manufacturer. For example, Cisco's default SSID is "tsunami," and Linksys' is "linksys." Not changing these makes it easier for an unauthorized user to gain access. Define a complex SSID naming convention. Don't choose an SSID that reveals identifying information, since this too makes it easier for an unauthorized user to gain access. Instead, use long, nonmeaningful strings of characters, including letters, numbers and symbols.


  3. Disable Dynamic Host Configuration Protocol (DHCP) and use static IP addresses instead. DHCP automatically hands an IP address to anyone, authorized or not, who attempts to join your wireless network, which again makes unauthorized penetration that much easier.


  4. Move or encrypt the SSID and the Wired Equivalent Privacy (WEP) key that are typically stored in the Windows registry file. Moving these privileged files makes it more difficult for a hacker to acquire privileged information. This step could either prevent an unauthorized intrusion or delay the intrusion until detection occurs.


  5. Use a closed network. With a closed network, users type the SSID into the client application instead of selecting the SSID from a list. This feature makes it slightly more difficult for the user to gain access, but education on this risk-mitigation strategy can reduce potential resistance.

    To gain maximum advantage of a closed network, change the SSID regularly so that terminated employees can't gain access to the network. Develop and implement an SSID management process to change the SSID regularly and to inform authorized employees of the new SSID.

  6. Track employees who have WLANs at home or at a remote site. Require that wireless networks are placed behind the main routed interface so the institution can shut them off if necessary. If WLANs are being used at home, require specific security configurations, including encryption and virtual private network (VPN) tunneling.



Risk No. 3: Rogue access points

Rogue access points are those installed by users without coordinating with IT. Because access points are inexpensive and easy to install, rogue installations are becoming more common.

Rogue access points are often poorly configured and might permit traffic that is hard for intrusion-detection software to pinpoint.

How to mitigate:

  1. Conduct extensive site surveys regularly to determine the location of all access points. Ensure that access points aren't near interfering appliances such as microwave ovens, electrical conduits, elevators or furniture.

  2. Plan for access-point coverage to radiate out toward windows, but not beyond.

  3. Provide directional antennas for wireless devices to better contain and control the radio frequency array and thus prevent unauthorized access.

  4. Purchase only access points that have "flashable" firmware, so that security patches and upgrades in future releases can be installed.

  5. Disable Simple Network Management Protocol community passwords on all access points. SNMP is used as an access-point management mechanism, and while it offers operational efficiencies, it increases the risk of security breaches.

  6. Set the authentication method to OPEN rather than to shared encryption key. This seems counterintuitive, because using encryption for authentication is typically preferred. However, when the shared-key feature is used, the challenge text is sent in clear text. This could help an unauthorized party calculate the shared secret key from the encrypted version of the same text. So, ironically, using the default OPEN authentication actually reduces the possibility of an unauthorized party discovering your WEP encryption key.

  7. Use Remote Authentication Dial-In User Service (RADIUS), which can be built into an access point or provided via a separate server. RADIUS is an additional authentication step. Interface this authentication server to a user database to ensure that the requesting user is authorized.

  8. Force 30-minute reauthentication for all users.
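As an added example (not code from the article), the site survey in item 1 can be checked against the institution's register of authorised access points: the Python below parses a survey capture, flags any BSSID that is not registered as rogue, flags the vendor default SSIDs named earlier, and flags access points whose encryption is off. The survey format, the BSSIDs and the inventory are constructed for illustration.

```python
"""Triage a wireless site-survey capture against the register of authorised
access points (added example; survey lines and inventory are constructed)."""
import re
from dataclasses import dataclass

# Constructed survey output, one access point per line:
#   BSSID  SSID  channel  privacy capability (WEP = Privacy bit set, OPEN = off)
SURVEY = """\
00:11:22:33:44:01  corp-7f3k9Qz#2  6   WEP
00:11:22:33:44:02  corp-7f3k9Qz#2  11  WEP
00:aa:bb:cc:dd:01  linksys         6   OPEN
00:aa:bb:cc:dd:02  tsunami         1   OPEN
00:11:22:33:44:03  corp-7f3k9Qz#2  1   OPEN
"""

# Registered access points (constructed), keyed by BSSID.
AUTHORISED = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}

# Factory-default SSIDs named in the article; extend with other vendors' defaults.
DEFAULT_SSIDS = {"tsunami", "linksys"}

LINE_RE = re.compile(r"^([0-9a-f:]{17})\s+(\S+)\s+(\d+)\s+(OPEN|WEP)$", re.I)


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    issue: str


def parse_survey(text):
    """Return (bssid, ssid, channel, privacy) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            bssid, ssid, channel, privacy = m.groups()
            records.append((bssid.lower(), ssid, int(channel), privacy.upper()))
    return records


def triage(text, authorised=AUTHORISED):
    """Flag rogue (unregistered) access points, default SSIDs and encryption off."""
    findings = []
    for bssid, ssid, _channel, privacy in parse_survey(text):
        if bssid not in authorised:
            findings.append(Finding(bssid, ssid, "rogue: BSSID not registered"))
        if ssid.lower() in DEFAULT_SSIDS:
            findings.append(Finding(bssid, ssid, "default SSID"))
        if privacy == "OPEN":
            findings.append(Finding(bssid, ssid, "encryption off"))
    return findings


if __name__ == "__main__":
    for f in triage(SURVEY):
        print(f"{f.bssid}  {f.ssid:<16} {f.issue}")
```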



Risk No. 4: Traffic analysis and eavesdropping

Without actually gaining access to the network, unauthorized parties can passively capture the confidential data traversing the network over the airwaves and can easily read it because it's sent in clear text. An attacker could also alter a legitimate message by deleting, adding to, changing or reordering its contents, or could monitor transmissions and retransmit messages as if from a legitimate user.

By default, WLANs send messages over the airwaves that are unencrypted or only weakly encrypted with WEP, and these can be easily intercepted and/or altered. Currently, wireless networks are beset by weak 802.11x access control mechanisms, resulting in weak message authentication.

How to mitigate:

  1. Encrypt all traffic over the WLAN. There are a variety of methods to select from:
    • Use application encryption such as Pretty Good Privacy, Secure Shell (SSH) or Secure Sockets Layer.

    • Enable WEP, an encryption method that's intended to give wireless users security equivalent to being on a wired network but that has been proved to be insecure (its RC4 stream cipher, which is used to encrypt the data, has been cracked). Both 40- and 128-bit keys have been cracked -- the 128-bit encryption only prolongs the cracking process. Despite its weaknesses, the WEP security that's built into wireless LANs can delay an unauthorized user's intrusion or possibly prevent a novice hacker's attacks entirely. (Note: The WEP factory default is OFF.)

    • Require the use of a VPN running at least FIPS-141 triple Data Encryption Standard and encrypting all traffic, not only the ID and password. Segment all wireless network traffic behind a firewall and configure each client with a VPN client to tunnel the data to a VPN concentrator on the wired network. Configure so users communicate only with the VPN concentration point. Evaluate the following features when purchasing VPN technologies: interoperability with existing infrastructure, support for a wireless and dial-up networking, packet-filtering or stateful-inspection firewall, automatic security updates and a centralized management console.

  2. Implement a two-factor authentication scheme using access tokens for users accessing critical infrastructure.

  3. Utilize 802.11x for key management and authentication standards.

  4. Use Extensible Authentication Protocols.

  5. Activate the Broadcast Key Rotation functionality. Set a specific amount of time (usually 10 minutes or less) on the access point; each time the counter runs out, the access point broadcasts a new WEP key, encrypting it with the old, thus reducing the amount of time available to crack the key.

  6. Restrict LAN access rights by role.


Risk No. 5: Insufficient network performance

Wireless LANs have limited transmission capacity. Networks based on 802.11b have a bit rate of 11 Mbit/sec., while networks based on 802.11a have a bit rate of 54 Mbit/sec. Media Access Control overhead alone consumes roughly half of the nominal bit rate.

Capacity is shared between all the users associated with an access point, and since load balancing doesn't exist on access points, network performance can be improved dramatically if the appropriate number of access points are available to users.

Frequently, unauthorized users intend to steal bandwidth rather than view and alter the data passing along the wireless network. Even so, these unauthorized users can significantly reduce network performance for authorized users. Finally, a denial-of-service (DoS) attack can disable or disrupt your operations. A DoS doesn't have to be intentional. For example, users can transfer large files that cause a network outage.

Another unintentional DoS can occur when legitimate traffic uses the same radio channel. Conversely, a DoS can also be an intentional overflow, such as a ping flood launched to cause network disruptions.

How to mitigate:

  1. Continually monitor network performance and investigate any anomalies immediately.

  2. Segment the access point's coverage areas to reduce the number of people using each access point.

  3. Apply a traffic-shaping solution to allow administrators to proactively manage traffic rather than react to irregularities.



Risk No. 6: Hacker attacks

Because wireless networks are insecure, they're prone to attacks. Such attacks can include spreading viruses, loss of confidentiality and data integrity, data extraction without detection, privacy violations and identity theft.

How to mitigate:

  1. Deploy a network-based intrusion-detection system on the wireless network; review logs weekly.

  2. Use and maintain antivirus software. Push out antivirus software upgrades to clients from servers.

  3. Create frequent backups of data and perform periodic restorations.



Risk No. 7: MAC spoofing/session hijacking

Wireless 802.11 networks don't authenticate frames, which may result in frames being altered, authorized sessions being hijacked or authentication credentials being stolen by an impostor. Therefore, the data contained within these frames can't be assured to be authentic, since there's no protection against forgery of frame source addresses.

Because attackers can observe Media Access Control addresses of stations in use on the network, they can adopt those addresses for malicious transmission. Finally, station addresses, not the users themselves, are identified. That's not a strong authentication technique, and it can be compromised by an unauthorized party.

How to mitigate:

  1. Limit access to specific MAC addresses that are filtered via a firewall. This technique isn't completely secure, because MAC addresses can be spoofed, but it does improve the overall security strategy. Another difficulty with this technique is the maintenance effort required. A MAC address is tied to a hardware device, so every time an authorized device is added to or removed from the network, the MAC address has to be registered in the database.

  2. Monitor logs weekly and scan critical host logs daily.

  3. Use proven data link layer cryptography such as SSH, Transport Layer Security (TLS) or IPsec.
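As an added example (not code from the article), the log review in item 2 can be scripted against the MAC allow-list from item 1: the Python below reads access-point association events, reports any station address that is not registered, and reports a registered address that associates at two different access points within a short window, which is an indicator that more than one device may be using that address. The log format, the addresses and the allow-list are constructed for illustration.

```python
"""Flag MAC-filter bypass indicators in access-point association logs
(added example; log lines and allow-list are constructed)."""
import re
from datetime import datetime

# Constructed association log: timestamp, access point, event, station MAC.
LOG = """\
2003-11-24 09:00:05 ap-lobby  assoc 00:0c:29:aa:bb:01
2003-11-24 09:00:42 ap-lobby  assoc 00:0c:29:aa:bb:02
2003-11-24 09:01:10 ap-floor3 assoc 00:0c:29:aa:bb:01
2003-11-24 09:03:55 ap-lobby  assoc 00:50:56:de:ad:99
"""

# MAC allow-list taken from the device register (constructed).
ALLOWED = {"00:0c:29:aa:bb:01", "00:0c:29:aa:bb:02"}

LINE_RE = re.compile(r"^(\S+ \S+)\s+(\S+)\s+assoc\s+([0-9a-fA-F:]{17})$")


def parse_log(text):
    """Return (timestamp, ap, mac) tuples in time order; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3).lower()))
    return sorted(events)


def find_indicators(text, allowed=ALLOWED, window_seconds=300):
    """Return (mac, reason) pairs for two indicators:
    - a station MAC that is not in the allow-list, and
    - an allowed MAC that associates at two different access points within
      window_seconds. One device cannot be in two places, so a second device
      may be using the address; roaming can also produce this, so treat it as
      a lead to investigate rather than proof of spoofing."""
    indicators = []
    last_seen = {}  # mac -> (timestamp, ap) of the previous association
    for ts, ap, mac in parse_log(text):
        if mac not in allowed:
            indicators.append((mac, f"not in MAC allow-list ({ap})"))
            continue
        prev = last_seen.get(mac)
        if prev and prev[1] != ap and (ts - prev[0]).total_seconds() <= window_seconds:
            indicators.append((mac, f"seen at {prev[1]} and {ap} within {window_seconds}s"))
        last_seen[mac] = (ts, ap)
    return indicators


if __name__ == "__main__":
    for mac, reason in find_indicators(LOG):
        print(mac, reason)
```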



Risk No. 8: Physical security deficiencies

Commonly used wireless and handheld devices such as PDAs, laptops and access points are easy to lose or to steal because of their small size and portability. In the event of a theft, the unauthorized party can compromise such devices to obtain proprietary information about your wireless network configuration.

How to mitigate:

  1. Implement strong physical security controls, including barriers and guards to prevent the theft of equipment and unauthorized access.

  2. Label and maintain inventories of all fielded wireless and handheld devices.

  3. Use device-independent authentication so that lost or stolen devices can't gain access to the WLAN.


Conclusion

After examining just a few of the risks associated with WLANs, their high-risk nature becomes quite evident.

To moderate risks, management and systems administrators must perform ongoing risk assessments to ensure not just that they understand the risks that they face, but that they also take appropriate steps to mitigate the risks.

Overall, the greatest weakness with wireless security isn't the technical shortcomings but out-of-the-box insecure installations. This risk can be overcome with attention to detail. But remember that the human factor is the weakest link and that this risk needs to be considered when appointing a network administrator and funding suitable review procedures.

In optimistic summary, risk provides opportunity that just needs to be managed. It's an inspiration for progress and should be a welcome challenge, as long as it's given the proper consideration.

Susan K. Kennedy is the information systems audit manager at the University of Pennsylvania. She has more than 13 years' experience in the IT assessment of security, computer facilities and networks; pre- and post-system implementations; and business processes and application reviews. She holds an MBA degree and Certified Information Systems Auditor and Certified Internet Webmaster certifications.

Printed with permission. Copyright 2004, Information Systems Control Journal, Information Systems Audit and Control Association® (ISACA®), Rolling Meadows, IL, USA.


