Wireless networking is an extremely useful technology that carries with it numerous security concerns. There have been more failures than successes when it comes to designing secure wireless networking solutions for the average organization. Historically, most wireless products have failed in their implementation of encryption, access authorization, and the general ability to protect networks and communications.

The Security of Wireless

The idea of securing wireless communications is similar to that of securing Internet VPN sessions. Mostly, we rely on various forms of encryption for privacy, and hopefully, strong authentication mechanisms like one-time passwords and digital signatures. A common problem is that organizations tend to treat wireless access the same as if they were plugging directly into a switch, when it should actually be treated like a dial-in modem.

The Reality of Wireless Security

Wireless communications pose several major security issues that undermine some fundamental concepts of security. This is not to say that wireless communications should not be used, but it is important to maintain the proper perspective on the risks being taken:
Important Misconceptions

When discussing wireless security, I commonly find clients that have similar misconceptions about wireless security. These misconceptions lead many organizations into a false sense of security when working with wireless security products.
If we really look at it, wireless makes it difficult to work with the Rule of Least Privilege. A person walking down the street does not need to be given an access point into a network, and they should never be presented with one. However, with wireless networking, it is impossible to control who will be presented with a door into the network.

Using Wireless Securely

Am I saying that we should not use wireless communications? Not at all. It is, however, important to use a high degree of caution when implementing wireless networks. It is necessary to classify wireless access points at a higher risk level than most organizations currently do.

Zoning and the Rule of Least Privilege

A wireless access point should be considered the same as an Internet connection or dial-up service. We have absolutely no control over who is going to be presented with a front door, and as such, the wireless access point is outside the perimeter. Regardless of what level of security is implemented on wireless devices, access points should be separated from the internal network. Traffic flowing from the wireless network into the internal network should be regulated by a firewall and conform to the Rule of Least Privilege, similar to other foreign connections (see Figure 10.1). Wireless network users should not be given free rein as they would with a LAN; rather, they should be limited to accessing required systems and services. When installing a wireless device, look back to the section on zoning and consider the wireless access point with the same caution as you would an Internet or dial-up access point. It is a bad security practice to place a wireless concentrator in the middle of an internal network, even if the device comes with strong security controls.

Figure 10.1. Zoning wireless devices.

Layering Security

Security should be layered in the area between the wireless network and the internal network.
Most wireless devices come with some form of integrated access control and logging capabilities similar to an external router. These features should be used as the first line of defense, much like a screening router. A firewall can then act as the middle layer of protection. By layering security, we avoid having the network directly exposed, and we ensure that adequate protection is in place if and when a vulnerability is discovered on a wireless device.

Large-Scale Wireless Deployments

Many organizations have chosen to deploy large-scale wireless networks, connecting hundreds of LAN devices as well as buildings and distant WANs. For these organizations, it may be difficult to follow these wireless security practices on each and every network. Placing hundreds of workstations outside the perimeter and limiting access to all of them may not be a viable solution. If the business need for hosting such wireless environments outweighs the major security issues, this is just considered an acceptable risk for the organization. In such cases, it is important for the organization to recognize and document this risk, and to make the major security implications of this decision clear to management and executive staff.
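The zoning and layering guidance above can be modeled as a two-stage policy: the access point's own filter acts as the screening router, and a separate firewall applies a default-deny, least-privilege allow list from the wireless zone into the internal network. The following Python is an added illustration, not code from the original chapter; every subnet, host address and service in it is a constructed assumption, and the functions are a policy model rather than any vendor's firewall syntax. It runs sample flows through both layers and prints a firewall-style log line for each so you can see which layer made the decision.

```python
"""Model of the two-layer wireless zoning policy described in the chapter:
layer 1 (the access point) screens coarsely, layer 2 (the firewall) enforces
a default-deny allow list. All addresses and services are constructed."""
import ipaddress
from dataclasses import dataclass

WIRELESS_ZONE = ipaddress.ip_network("10.50.0.0/24")    # assumed wireless client subnet
INTERNAL_ZONE = ipaddress.ip_network("10.10.0.0/16")    # assumed internal LAN
MGMT_SUBNET = ipaddress.ip_network("10.10.250.0/24")    # assumed network-management subnet

# Layer 2 allow list: the only services wireless clients are required to reach.
# Each entry: (destination network, protocol, destination port). Assumed values.
REQUIRED_SERVICES = [
    (ipaddress.ip_network("10.10.1.53/32"), "udp", 53),   # internal DNS resolver
    (ipaddress.ip_network("10.10.1.53/32"), "tcp", 53),
    (ipaddress.ip_network("10.10.2.10/32"), "tcp", 443),  # intranet web application
    (ipaddress.ip_network("10.10.3.0/24"), "tcp", 443),   # VPN concentrator pool
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def ap_screen(flow):
    """Layer 1: the access point's integrated filter, used like a screening router.
    It drops obviously bad traffic but does not try to express least privilege."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src not in WIRELESS_ZONE:
        return "drop", "ap", "source address not in wireless zone (anti-spoofing)"
    if dst in MGMT_SUBNET:
        return "drop", "ap", "management subnet is never reachable from wireless"
    if flow.proto not in ("tcp", "udp", "icmp"):
        return "drop", "ap", "protocol not permitted from wireless"
    return "pass", "ap", "screened"


def firewall_policy(flow):
    """Layer 2: the perimeter firewall. Default deny; only REQUIRED_SERVICES pass."""
    dst = ipaddress.ip_address(flow.dst)
    if dst not in INTERNAL_ZONE:
        return "drop", "firewall", "destination outside the internal zone"
    for net, proto, port in REQUIRED_SERVICES:
        if dst in net and flow.proto == proto and flow.dport == port:
            return "accept", "firewall", f"required service {proto}/{port}"
    return "drop", "firewall", "no matching allow rule (default deny)"


def evaluate(flow):
    """Run a flow through both layers in order; the first drop wins.
    Returns (decision, deciding_layer, reason)."""
    decision, layer, reason = ap_screen(flow)
    if decision == "pass":
        decision, layer, reason = firewall_policy(flow)
    return decision, layer, reason


def log_line(flow, result):
    """Render a decision in a firewall-log style for review and alerting."""
    decision, layer, reason = result
    return (f"{layer.upper()} {decision.upper()} {flow.proto} "
            f"{flow.src} -> {flow.dst}:{flow.dport} ({reason})")


# Constructed sample flows covering each outcome.
SAMPLE_FLOWS = [
    Flow("10.50.0.23", "10.10.1.53", "udp", 53),     # DNS: accepted by firewall
    Flow("10.50.0.23", "10.10.2.10", "tcp", 443),    # intranet app: accepted
    Flow("10.50.0.23", "10.10.2.10", "tcp", 22),     # SSH to same host: firewall default deny
    Flow("10.50.0.23", "10.10.250.5", "tcp", 443),   # management subnet: dropped at the AP
    Flow("10.10.7.7", "10.10.2.10", "tcp", 443),     # internal source seen on wireless: dropped at the AP
    Flow("10.50.0.23", "10.10.9.9", "tcp", 445),     # file sharing to an unlisted host: firewall default deny
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(log_line(f, evaluate(f)))
```

The point of keeping the two layers as separate functions is the one the chapter makes: if the access point's filtering is later found to be bypassable, `firewall_policy` still stands between the wireless zone and the internal network, and the log lines show which layer caught each flow.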