Preface


Over the last couple of years, things have become very ugly in cyberspace. The types of threats that innocent, unsuspecting users face in this hostile environment have caused both individual and organizational users to take (sometimes) drastic measures to protect their data and equipment. It is a sad testament to what was once touted as an information tool for everyone. The Internet has certainly become more approachable, friendly, and easy to use, but at a high cost in terms of an endless barrage of advertising, virus outbreaks, Trojans that can be distributed in the blink of an eye, and now, the most damaging of all, a blended attack that incorporates the worst of all these elements into an orchestrated, often distributed, malicious attack. Evil things lurk in cyberspace, predators that lie in wait hoping to pounce on the unsuspecting victim.

Our ever-growing reliance on mobile technology is not going to change. If anything, it will continue to increase for some time to come. Unfortunately, as new devices appear, new threats also appear almost as quickly. Today's mobile computing champions of industry must be well armed to defend themselves against this endless attack scenario. The best weapon, of course, is knowledge coupled with preparation. This book attempts to educate readers about the security risks faced in both a wireless and wired environment and to show them how to defend against such threats. It is our aim to provide the reader with enough knowledge of the problem, enough understanding of why it exists, and enough knowledge of how to cope with it with confidence. Of course, we do not expect to convert our readers into security evangelists overnight; that would call for skimming, and we would prefer that the book get a good read from everyone who buys a copy.

We tried to be logical about how to best arm our readers with such knowledge. We decided to divide this book into two sections. In the first section, Chapters 1 through 6, we describe the basic concepts of security that are common to both wired and wireless environments. A solid foundation of security is presented before we move into the specifics of wireless operations in the latter part of the book. Chapter 1 builds the business case and need for operational security by defining the threat and business regulatory requirements.

In Chapter 2, we describe the essential elements every security administrator needs to know about access control and management of passwords. In this chapter, we explore the major building blocks that comprise the field of access control as it applies to organizational entities and the information systems these entities are trying to protect from compromising situations. The operational elements of password risk, management, and control are provided in a practical and useful manner.

Chapter 3 provides the reader with a strong foundation of information assurance through the description of a Defense-in-Depth strategy that includes security architecture and infrastructure design, best practices, and operational management. As a basic part of the defensive strategy required in today's cyberworld, host-based and network-based intrusion detection methodologies and technologies are described.

Chapter 4 covers the various methodologies and operational considerations for handling incidents, to include forensic, material and data handling, and procedural investigation requirements. From an operational perspective, the organization, responsibilities, and required stages of response are also provided. The readers will learn what is necessary for the composition and management of an incident response team and what expectations they should have of their work. We also discuss how to counter cyberattacks and show you some real-world examples of the impact failing to do so can have on enterprises.

Chapter 5 provides an important presentation of the reasons it is necessary to secure Web applications and how to correctly do so without imposing greater risk on the organization. We describe how the failure to implement proper security measures will leave an organization vulnerable to many security threats. We show how leaving a Web site open to compromise can allow hackers to use that compromised site as a portal for intrusions into an organization's internal networks to illegally gain access to private, proprietary information. Most importantly, we stress the fact that an organization can face huge business losses or be subjected to severe legal action if an intruder successfully violates the confidentiality of customer data.

The description of applications development security found herein is intended to help the reader understand the basic security structures and controls that are incorporated into systems and applications. It also shows how security controls are structured and used in the software development process. This section presents basic concepts that are used to ensure data confidentiality, integrity, and availability during the applications development process. An overview and the implications of the application security standardization and OSI-layer protocols are provided, along with various useful application security techniques.

Chapter 6 covers security and the law, with an overview of some recently passed government statutory requirements that have far-reaching effects into every part of our network infrastructures and practices. We make the point that laws have been enacted to protect privacy, infrastructure, people, companies, and just about anything that uses a computer or any form of computer technology. We also provide some discussion of the most significant of these laws and how they affect corporate operations.

In the second section of this book, Chapters 7 through 12, we build on the foundation of security understanding gained from the first section of the book. The reader is now well prepared to tackle the concepts of security as they relate specifically to operations in a wireless environment. It is important to note that all security concepts learned in wired environments up to this point are equally applicable in the wireless environment.

Chapter 7 starts with a discussion of wireless networking basics, to include how LANs and WLANs work, coexist, and interoperate. We also point out the differences between the two environments in this chapter. We discuss the varying wireless standards that exist today and look at some future standards. Mobile security is covered in fairly extensive detail and is particularly relevant because the workforce of today is constantly traveling. Mobile security also requires encryption to work, so the various encryption standards in use today are covered along with an explanation of the strengths and weaknesses of each. All in all, this chapter will provide the reader with a fundamental grasp of the essentials of wireless networking.

Chapter 8 covers the development, management, and enforcement of security policies within the wired-wireless LAN environment. This policy information is based on real-world challenges and policy needs. It is immediately useful to those practitioners who need wired-wireless LAN policies or have policies that are in need of a rewrite in order to support converged network environments. Risk analysis and its effect on wireless network architecture and design is also covered in this chapter. Both topics are then pulled together for a basic discussion of wireless security design parameters and how templates can be used as part of your risk management program.

Chapter 9 provides a detailed overview of the technical capabilities and limitations of a potential unauthorized intruder in order to ensure that the reader understands how security measures can withstand a hacker's attempts to breach them. We stress that in order to effectively defend your organization against security risks, it is important to know not only the tools and techniques that exist in your own environment, but also the tools and techniques that can and will be used by a potential adversary.

Once the reader has learned the tools and techniques of the potential adversary, Chapter 10 talks about the tools and techniques necessary to protect your network against cyberadversaries using the various methods described in the previous chapter. This information, we believe, will help the reader close any gaps in understanding WLAN adversaries. By enabling the reader to "know the enemy and know yourself," as advocated in the Art of War written by Sun Tzu so many years ago, we feel the overall security posture will be enhanced.

Chapter 11 deals with various topics we feel are crucial to WLAN security and are deserving of special attention. Each topic has a useful and unique approach to WLAN security and merits coverage in this text. The subjects in this chapter are unrelated to each other, or to other categories, which is why they are covered as "additional" security solutions. Included herein are discussions about Intrusion Detection Systems, thin client network models, using DHCP for authentication, network traffic baselining, Kerberos, RADIUS, LDAP, and some other need-to-know-about emerging standards; each of these technologies offers additional layers of security to WLANs.

Chapter 12 presents a new model developed by Ph.D. candidate James Ransome as part of his doctoral research and is known as the Wireless Secure Data Options Model (WISDOM). WISDOM provides for three-tiered security options with proper hardware, software, and security requirements delineated to secure a WLAN at a corresponding security level equivalent to the wired network it connects with. We provide some additional worksheets to supplement WISDOM and have presented them in this chapter as a baseline for the reader's future use in wireless LAN security architecture design. Ransome identifies the 802.11 wireless LAN as the most vulnerable and critical node in wireless converged network security architecture. WISDOM fills the significant need for a comprehensive network security methodology that integrates wired and wireless technologies and addresses the characteristics and security requirements of these converged technologies.

Appendix A provides some sample wired-wireless security LAN-related policies related to both Chapter 8 and topics covered throughout the book. All of these policies are based on real-world challenges and needs, and we provide both templates and fully usable policies for use by the reader/practitioner. Appendices B and C provide useful legislative and other WLAN security-related links for use in the day-to-day activities of the wireless security practitioner. The glossary provides a comprehensive, useful list of terms used in the wireless security world. We hope you find this book useful in your day-to-day activities mitigating risk across cyberspace.

As an added feature, we have invited David D. Croston to add a few comments of his own to this preface. David D. Croston is the managing partner of the PKI Group, LLP. The PKI Group is one of a handful of premier-class advisors to enterprise and government on Public Key Infrastructure (PKI) and the crossover discipline of Identity Management. David is widely recognized for his leadership in digital security innovation, in the development of life cycle management tools for digital certificates, and simplifying the management of PKI rollouts. Until its sale in 2000, David was founder, president, and CEO of mVPN, LLC, a Cisco partner company, which developed access control and digital certificate management tools for enterprise-grade remote access solutions. Before forming these companies, David was the director of the science and technology group of the Rhode Island Economic Development Corporation. David is the founder of the Rhode Island Technology Association, the Rhode Island Investment Forum, and he helped manage the state of Rhode Island's Samuel Slater Technology Fund.

Wireless Operational Security is a comprehensive resource for anyone managing or planning a wireless network. This is not just a tech book; it has incredibly valuable resources for everyone within the enterprise environment. Rittinghouse and Ransome have done a tremendous job in educating the reader in common language, explaining the technology and its security risks, advising the reader on ways to avoid these risks, and developing the wireless security blueprint for enterprises large and small. They also give the reader a bonus: the first look at Ransome's WISDOM security methodology. Wireless Operational Security is equally valuable as a resource for policy developers, legal compliance teams, and senior operations staff, and should be recommended reading, after you have read the book and implemented its recommendations!

Wireless networking is soaring! As I type this on an integrated laptop linked to an 802.11g network with my Good wireless device harnessed at my belt line, I almost forget the ancient days of Ethernet cabling. The benefits of wireless technology over conventional wired LANs are as clear as they are numerous. For one, wireless technology eliminates the cabling headaches of setting up a network. With wireless-enabled mobile computers, workers can remain connected to the network, whether in their office, in a conference room, or on the road. As enterprises extend the LAN, they also extend exponentially the security risk of potential compromise. Rittinghouse and Ransome provide an excellent review of the threats, detail the ineffectiveness of certain security methods, and provide clear and concise solutions to securing the wireless network.

The economics of wireless networking dictate greater change, advancement in technology, and ultimately the wireless office. Today, airline maintenance engineers access parts diagrams wirelessly from the repair hangar, not just from their network but directly from the parts manufacturer. This connected framework is our future, and each node needs to bring a level of security assurance so aptly outlined by Rittinghouse and Ransome.

The PKI Group was honored to conduct the efficacy testing for the WISDOM security model. Our testing supported the findings of Ransome and developed a scoring system for enterprise compliance. WISDOM's step-by-step approach will assist in assessing the security of your network, large or small, and it will provide an intuitive guide to implementing stronger security controls. Reading Wireless Operational Security is the beginning of a solid WLAN Security Plan.

David D. Croston
Managing partner, PKI Group, LLC
November 2003




Wireless Operational Security
ISBN: 1555583172
EAN: 2147483647
Year: 2004
Pages: 153
