Five Steps To WLAN Security -- A Layered Approach

November 4, 2004 12:00 PM ET

Computerworld - Editor's note: This column is a follow-up to an earlier article titled: Securing the Air: Recognizing Risk in Wireless.

The mobility and productivity benefits of 802.11 wireless LANs don't have to put your information assets at risk. While the attention on the pitfalls of WLANs has inspired some enterprises to ban WLANs altogether, many security-conscious enterprises are confidently deploying secure WLANs by implementing the following practical steps to protect their information assets, identify vulnerabilities and protect the network from wireless-specific attacks. We call this a layered approach to security.


  1. Discovery and Mitigation of Rogue WLANs and Vulnerabilities
    The basis for all WLAN security should start by understanding the environment in which your WLAN operates.

    Unauthorized "rogue" WLANs -- including access points, soft access points (laptops acting as access points), user stations, wireless bar code scanners and printers -- represent one of the biggest threats to enterprise network security by creating an open entry point to the enterprise network that bypasses all existing security measures.

    Because a simple WLAN can be easily installed by attaching a $50 access point to a wired network and a $40 WLAN card to a laptop, employees are deploying unauthorized WLANs even when IT departments are slow to adopt the new technology or even opposed to it. These rogue access points generally lack standard security and thus circumvent an enterprise's investment in network security.

    Insecure wireless user stations such as laptops pose an even greater risk to the security of the enterprise network than rogue access points. The default configuration of these devices offers little security and can be easily misconfigured. Intruders can use any insecure wireless station as a launch pad to breach the network.

    The same insecurity can come from network vulnerabilities originating from improperly configured WLANs. Neighboring WLANs located in the same vicinity as your WLAN also pose risks of the neighboring stations accessing your network and interfering on wireless channels.

    Free tools such as NetStumbler and Kismet, as well as commercial scanners, can survey the airwaves for rogue access points and some network vulnerabilities. This process is time-consuming: it requires a network administrator to physically walk through the WLAN coverage area looking for wireless data, and it is limited in effectiveness because it only samples the airwaves for the threats present at the time of the scan.

    New rogue access points and other vulnerabilities can arise after a scan and will not be detected until the next time a network administrator surveys the network. John Girard, the leading authority in wireless security at Gartner Inc., stated at a security conference in Europe that the least effective way to achieve this is to buy a handheld "sniffer" and patrol the perimeter of the organization's network.

    According to wireless security experts, discovery of rogue access points, stations and vulnerabilities is best accomplished with 24/7 monitoring of the WLAN. Continuous monitoring will identify when and where the rogue first appeared, who it connected to, how much data was exchanged and the direction of traffic in real time. Girard further commented that the most secure method is to install a separate set of wireless intrusion-detection sensors.
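    As an added illustration of what continuous monitoring should produce (this is example code, not something from the article or from any monitoring product), the following script takes observed 802.11 frame records from a sensor, compares each BSSID against a constructed inventory of authorized access points, and reports for every rogue when it first appeared, which stations talked to it and how many bytes flowed in each direction. The record schema, the BSSIDs and the sample capture are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed inventory of authorized access points (not real devices).
AUTHORIZED_BSSIDS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}

@dataclass
class RogueReport:
    bssid: str
    ssid: str
    first_seen: float               # timestamp of the first frame seen from it
    stations: set = field(default_factory=set)
    bytes_to_ap: int = 0            # uplink: station -> rogue access point
    bytes_from_ap: int = 0          # downlink: rogue access point -> station

def analyze_frames(frames, authorized=AUTHORIZED_BSSIDS):
    """One RogueReport per unauthorized BSSID, built from frame records.

    Record (constructed schema): ts, kind ('beacon' or 'data'), bssid, size,
    plus src/dst for data frames and ssid for beacons. Frames are processed
    in time order so first_seen is the earliest sighting.
    """
    rogues = {}
    for f in sorted(frames, key=lambda f: f["ts"]):
        bssid = f["bssid"]
        if bssid in authorized:
            continue                # traffic on a sanctioned AP is not a rogue
        rep = rogues.get(bssid)
        if rep is None:
            rep = rogues[bssid] = RogueReport(bssid, f.get("ssid", "<hidden>"), f["ts"])
        if f["kind"] == "beacon":
            if rep.ssid == "<hidden>" and f.get("ssid"):
                rep.ssid = f["ssid"]    # learn the name once a beacon reveals it
        elif f["kind"] == "data":
            if f["src"] == bssid:
                rep.stations.add(f["dst"])
                rep.bytes_from_ap += f["size"]
            else:
                rep.stations.add(f["src"])
                rep.bytes_to_ap += f["size"]
    return rogues

# Constructed sample capture: one sanctioned AP and one rogue Linksys unit
# that a laptop has associated with.
SAMPLE_FRAMES = [
    {"ts": 1.0, "kind": "beacon", "bssid": "00:11:22:aa:bb:01", "ssid": "k7q2-north", "size": 120},
    {"ts": 2.0, "kind": "beacon", "bssid": "0a:bb:cc:dd:ee:ff", "ssid": "linksys", "size": 120},
    {"ts": 3.5, "kind": "data", "bssid": "0a:bb:cc:dd:ee:ff", "src": "00:aa:00:00:00:01", "dst": "0a:bb:cc:dd:ee:ff", "size": 1500},
    {"ts": 4.0, "kind": "data", "bssid": "0a:bb:cc:dd:ee:ff", "src": "0a:bb:cc:dd:ee:ff", "dst": "00:aa:00:00:00:01", "size": 300},
    {"ts": 5.0, "kind": "data", "bssid": "00:11:22:aa:bb:01", "src": "00:aa:00:00:00:02", "dst": "00:11:22:aa:bb:01", "size": 800},
]
```

    Running `analyze_frames(SAMPLE_FRAMES)` yields a single report for the Linksys unit, first seen at t=2.0, with one associated station that sent 1500 bytes to it and received 300.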


  2. Lock Down All Access Points and Devices
    The next step of WLAN security involves perimeter control for the WLAN. Each wireless-equipped laptop should be secured by deploying a personal agent that can alert the enterprise and user of all security vulnerabilities and enforce conformance to enterprise policies. Organizations should deploy enterprise-class access points that offer advanced security and management capabilities.

    Enterprises should change the default Service Set Identifiers, which are essentially the names of each access point. Cisco access points come with the default SSID of "tsunami," Linksys defaults to "linksys," and both Intel and Symbol access points default to "101." These default SSIDs alert hackers to vulnerable WLANs.

    The SSIDs should be changed to names that are meaningless to outsiders. An SSID of "CEO Office" or "East Cash Register" only calls attention to valuable information that a hacker would like to get into.

    Enterprises should also configure access points to disable the broadcast mode where the access point constantly broadcasts its SSID as a beacon in search for stations with which to connect. By turning this default feature off, stations must know the SSID in order to connect to the access point.

    Most enterprise-class access points allow you to limit which stations can connect to them based on filtering of the media access control (MAC) addresses of authorized stations. While this is not foolproof, MAC address filtering provides basic control over which stations can connect to your network. Larger enterprises with more complex WLANs that allow hundreds of stations to roam between access points may require more complex filtering from Remote Authentication Dial-In User Service (RADIUS) servers.

    To eliminate the threat of intruders connecting to your WLAN from the parking lot or the floor above you, where connection speeds will be greatly reduced, access points should be configured not to allow the slower connection speeds.
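    The lockdown items above can be checked mechanically against an access point's configuration. The audit below is an added example (not from the article or any vendor's management tool): it flags the default SSIDs the article names, SSIDs that advertise what they protect, SSID broadcast, a missing MAC filter and any data rate slower than 5.5 Mbit/s, and it is run against a weak configuration and a hardened one. The configuration schema, the revealing-word list and the sample configurations are constructed assumptions.

```python
# Default SSIDs named in the article, keyed to the vendor that ships them.
DEFAULT_SSIDS = {"tsunami": "Cisco", "linksys": "Linksys", "101": "Intel/Symbol"}
# Words that advertise what sits behind the network; constructed list, extend as needed.
REVEALING_WORDS = ("ceo", "cash register", "finance", "payroll")
MIN_RATE_MBPS = 5.5       # refuse the slower 802.11b rates that reach the parking lot

def audit_ap(cfg):
    """Return a list of lockdown findings for one access-point configuration.

    cfg keys (constructed schema): ssid, broadcast_ssid (bool),
    mac_filter (list of permitted station MACs; empty means no filtering),
    rates_mbps (list of data rates the AP accepts).
    """
    findings = []
    ssid = cfg["ssid"].strip().lower()
    if ssid in DEFAULT_SSIDS:
        findings.append(f"default {DEFAULT_SSIDS[ssid]} SSID '{cfg['ssid']}' still in use")
    if any(word in ssid for word in REVEALING_WORDS):
        findings.append(f"SSID '{cfg['ssid']}' tells outsiders what the network protects")
    if cfg.get("broadcast_ssid", True):
        findings.append("SSID broadcast in beacons is enabled")
    if not cfg.get("mac_filter"):
        findings.append("no MAC address filter: any station may associate")
    slow = [r for r in cfg.get("rates_mbps", []) if r < MIN_RATE_MBPS]
    if slow:
        findings.append(f"slow rates {slow} Mbit/s accepted: distant stations can connect")
    return findings

# Constructed sample configurations (not real devices).
WEAK_AP = {"ssid": "linksys", "broadcast_ssid": True, "mac_filter": [],
           "rates_mbps": [1, 2, 5.5, 11]}
NAMED_AP = {"ssid": "East Cash Register", "broadcast_ssid": False,
            "mac_filter": ["00:aa:00:00:00:01"], "rates_mbps": [5.5, 11]}
HARDENED_AP = {"ssid": "k7q2-north", "broadcast_ssid": False,
               "mac_filter": ["00:aa:00:00:00:01"], "rates_mbps": [5.5, 11]}

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_AP), ("named", NAMED_AP), ("hardened", HARDENED_AP)]:
        print(name, audit_ap(cfg) or ["no findings"])
```

    A clean audit only means these basic controls are in place; as the article notes, MAC filtering is not foolproof, and the encryption and authentication layer in the next step still has to be applied.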



  3. Encryption and Authentication -- VPN
    Encryption and authentication provide the core of security for WLANs. However, fail-proof encryption and authentication standards have yet to be implemented.

    In 2001, researchers and hackers demonstrated their ability to crack Wired Equivalent Privacy (WEP), the standard encryption for 802.11 WLANs. Soon after, hackers published freeware tools, such as WEPCrack, that allow anyone to crack the encryption after observing enough traffic over the network to figure out the encryption "key."

    After reports showed the vulnerability of WEP and standard authentication, many enterprises were discouraged from implementing WEP in their WLAN deployments, which left their networks totally exposed.

    Because these encryption and authentication standards are vulnerable, stronger encryption and authentication methods should be deployed to more completely secure a WLAN with wireless virtual private networks and RADIUS servers.

    VPNs can employ strong authentication and encryption mechanisms between the access points and the network, and RADIUS systems can be used to manage authentication, accounting and access to network resources.

    While VPNs are touted as a secure solution for WLANs, one-way authentication VPNs are still vulnerable to exploitation. Deployment of WLANs in large organizations can create a nightmare of distributing and maintaining client software to all clients. One-way authentication VPNs are also vulnerable to man-in-the-middle attacks and a number of other known attacks. Mutual authentication wireless VPNs offer strong authentication and overcome weaknesses in WEP.

    Despite these vulnerabilities, encryption and authentication remain essential elements of WLAN security.


  4. Set and Enforce WLAN Policies
    Every enterprise network needs a policy for usage and security. WLANs are no different. While policies will vary based on individual security and management requirements of each WLAN, a thorough policy -- and enforcement of the policy -- can protect an enterprise from unnecessary security breaches and performance degradation.

    WLAN policies should begin with the basics of forbidding unauthorized access points and ad hoc networks that can circumvent network security. Because many security features, such as the use of WEP or VPNs and open broadcast of SSIDs, are controlled on the access points and stations, policies should be in place to forbid the reconfiguration of access points and WLAN cards to alter these features.

    WLAN security is greatly increased with policies that limit WLAN traffic to operate on set channels, at connection speeds of 5.5Mbit/sec. and 11Mbit/sec., and only during select hours. By establishing a set channel for each access point, all traffic on the other channels can be identified as suspicious activities.

    A policy that all stations connect at the higher speeds protects a WLAN from intruders in the parking lot or neighboring office who are likely too far away to connect at 5.5Mbit/sec. and 11Mbit/sec. A policy that limits WLAN traffic to select hours of operation protects a network from late-night attacks of an intruder in the parking lot connecting to the network or an unscrupulous employee sending sensitive files from the wired network to a wireless network while no one else is around.

    Although policies are necessary, they can be useless paperweights without enforcement. Similar to the effective discovery of network vulnerabilities, policy enforcement requires 24/7 monitoring of a WLAN.


  5. Intrusion Detection and Protection
    Security managers rely on intrusion detection and protection to ensure that all components of WLANs are secure and protected from wireless threats and attacks. While many organizations have already deployed intrusion-detection systems for their wired networks, only a WLAN-focused IDS can protect your network from attacks in the airwaves before the traffic reaches the wired network.

    The most advanced wireless IDS involves real-time monitoring of the 802.11a/b/g protocols. By continuously monitoring for WLAN attack signatures, protocol anomalies, statistical anomalies and policy violations, organizations are able to detect attacks against the WLAN, including identity theft through MAC spoofing, man-in-the-middle and denial-of-service attacks, and anomalous traffic such as unusual off-hours activity or large downloads.
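    The policy enforcement of step 4 and the policy-violation and anomaly detection of step 5 come down to the same monitoring loop, shown here as an added example (not the article's code and not any wireless IDS product). It checks a constructed stream of frame records against a constructed policy (assigned channel per access point, the permitted 5.5 and 11 Mbit/s rates, permitted hours, a per-station download threshold) and applies one protocol-analysis heuristic for MAC spoofing: a station's 12-bit 802.11 sequence counter only moves forward, so a large backward jump under one MAC indicates a second radio using that address. The record schema, the policy values and the sample capture are assumptions.

```python
from datetime import datetime

# Constructed policy (not from the article): assigned channel per access point,
# permitted rates, expected hours of operation and a per-station download threshold.
POLICY = {
    "channels": {"00:11:22:aa:bb:01": 1, "00:11:22:aa:bb:02": 6},
    "rates_mbps": {5.5, 11},
    "hours": (7, 19),               # 07:00 up to, not including, 19:00
    "download_limit": 50_000_000,   # bytes delivered to one station
}
SEQ_MODULO = 4096                   # 802.11 sequence numbers are 12 bits

def check_policy(records, policy=POLICY):
    """Return (kind, detail) alerts for frame records of the constructed form
    {ts (ISO 8601), bssid, sta, direction ('up' station->AP or 'down'), channel, rate, seq, size}."""
    alerts, last_seq, downloaded, flagged = [], {}, {}, set()
    start, end = policy["hours"]
    for r in records:
        who = f"{r['sta']} via {r['bssid']}"
        expected = policy["channels"].get(r["bssid"])
        if expected is not None and r["channel"] != expected:
            alerts.append(("off-channel", f"{who} on channel {r['channel']}, expected {expected}"))
        if r["rate"] not in policy["rates_mbps"]:
            alerts.append(("low-rate", f"{who} at {r['rate']} Mbit/s: possibly a distant station"))
        if not start <= datetime.fromisoformat(r["ts"]).hour < end:
            alerts.append(("off-hours", f"{who} active at {r['ts']}"))
        if r["direction"] == "up":
            # The sender's counter only moves forward (mod 4096); a big backward jump = two radios.
            prev = last_seq.get(r["sta"])
            if prev is not None and (r["seq"] - prev) % SEQ_MODULO > SEQ_MODULO // 2:
                alerts.append(("mac-spoof", f"{who}: sequence number fell from {prev} to {r['seq']}"))
            last_seq[r["sta"]] = r["seq"]
        else:
            downloaded[r["sta"]] = downloaded.get(r["sta"], 0) + r["size"]
            if downloaded[r["sta"]] > policy["download_limit"] and r["sta"] not in flagged:
                flagged.add(r["sta"])
                alerts.append(("large-download", f"{who} received {downloaded[r['sta']]} bytes"))
    return alerts

def rec(ts, bssid, sta, direction, channel, rate, seq, size=500):
    return dict(ts=ts, bssid=bssid, sta=sta, direction=direction, channel=channel, rate=rate, seq=seq, size=size)
AP1, AP2, STA1 = "00:11:22:aa:bb:01", "00:11:22:aa:bb:02", "00:aa:00:00:00:01"
SAMPLE = [                           # constructed capture from one sensor
    rec("2004-11-04T09:00:00", AP1, STA1, "up", 1, 11, 10),
    rec("2004-11-04T09:00:01", AP1, STA1, "up", 1, 11, 11),
    rec("2004-11-04T09:00:02", AP1, STA1, "up", 1, 11, 900),   # second radio cuts in
    rec("2004-11-04T09:00:03", AP1, STA1, "up", 1, 11, 12),    # original radio resumes
    rec("2004-11-04T09:05:00", AP2, "00:aa:00:00:00:02", "up", 11, 11, 5),
    rec("2004-11-04T23:30:00", AP1, "00:aa:00:00:00:03", "up", 1, 2, 1),
    rec("2004-11-04T10:00:00", AP1, STA1, "down", 1, 11, 0, 60_000_000),
]
```

    Against `SAMPLE`, `check_policy` raises exactly five alerts: one MAC-spoofing alert when the sequence number falls from 900 to 12, one off-channel station on the second access point, one low-rate and one off-hours alert for the 23:30 station, and one large-download alert once the first station has received more than the threshold.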
