Although all wireless access points have unique interfaces, they share common functions and processes that can be hardened. This section focuses on what you can do to harden the WAP itself. We will look at the following hardening steps:
Hardening remote administration
Configuring the Service Set Identifier (SSID)
Configuring wireless mode
It would be impossible to detail the procedures for hardening every type of wireless access point manufactured; therefore, I will illustrate the specific hardening steps for the following WAPs:
Cisco Aironet 1200 running IOS version 12.2(13)JA2
Linksys WAP54G running firmware version 2.06
Dell TrueMobile 2300 running firmware version 18.104.22.168 in access point mode
Many of the configuration changes you make to the Dell TrueMobile 2300 require a restart before they take effect. This can make it difficult to make changes during production hours or while clients are connected to the WAP.
The instructions in this chapter assume that you have configured the device with an IP address that is relevant for your network and that you have already connected to the respective web-based management GUI and successfully logged on. In addition, the screen references refer to the menus you would need to click to access the given screen. For example, go to the Security Admin Access screen means that you must click the Security menu and then the Admin Access menu to be presented with the screen in question.
Like all our network devices, we should secure our WAPs against unauthorized remote administration. Unfortunately, unlike many network devices, virtually all WAPs fail miserably at providing secure remote administration. This is due to most of them providing only an unencrypted management protocol such as Telnet or HTTP for connecting to the device. Even with that gross oversight in security, certain steps can be taken to harden remote administration. The most important task is to change the default administrative username and to implement passwords that conform to your password security policy.
The Cisco Aironet 1200 implements a full IOS feature set. Consequently, it can be hardened for remote access by requiring all CLI connections to use SSH, as you do for your Cisco routers (refer to Chapter 6). In addition, out of the box the Cisco Aironet 1200 uses the default authentication mechanism of a global password (enable secret). You can change the password at the Security Admin Access screen, as shown next. I recommend that you use an authentication server, where possible, and individual local users if an authentication server is not an option. By default, the WAP ships with a default username of Cisco and a default global password of Cisco. You should change both of these as well. Click Apply in each section when you are finished.
If you want to use an authentication server, you must first configure the WAP to use a RADIUS or TACACS+ server at the Security Server Manager screen in the Corporate Servers section, as shown next. Make sure you scroll down to the Default Server Priorities section and select the newly added authentication server for the Admin Authentication setting. When you are finished, click Apply.
The Linksys WAP54G does not implement username and password security. Instead, it uses a password only. You can configure the password at the Setup Password screen, as shown here. When you are finished, click Save Settings.
The Dell TrueMobile 2300 utilizes both a username and password. By default, the username is admin. You should change both the username and password according to your security policy. This can be done at the Advanced Settings Administration Settings screen, as shown next. When you are finished, click Submit.
The system administration section shown here is used when the WAP is operating in router mode. The settings allow you to permit an external host (that is, across the Internet) to be able to make remote administration connections to the WAP. You should never enable this functionality because Dell does not support HTTPS for remote administration connections.
The service set identifier (SSID) is a unique identifier used in the packet header of wireless packets as a password for authenticating the client. The SSID is also known as the network name. By default, most WAPs will broadcast the SSID so that wireless clients can identify the WAP to which they should connect. This creates an obvious security vulnerability, however, because anyone with a wireless client can immediately determine a WAP is in the area by using a tool such as NetStumbler.
To address this issue, it is recommended that you disable the SSID broadcast.
In my experience, I have found that some wireless clients will not connect to a WAP that is not broadcasting the SSID. This is particularly true of Microsoft PocketPC 2003 devices using the SanDisk SDIO WiFi NIC (or any other NIC based on the Socket chipset and driver). I have, as of yet, been unable to determine why this is, though my suspicion is that it's due primarily to the immaturity of the SDIO cards and drivers.
Another problem with the SSID is that many people configure it with a value that makes it easy to locate where the WAP is physically located. This is both good and bad. It is good in the sense that it allows you to quickly identify where a WAP is. It is bad, however, in that it can let hackers know that they have connected to a WAP at their target company. As a result, when you configure the SSID, you should never include any information that might identify your company, location, or brand of WAP.
The last aspect of SSID hardening you should configure is the beacon interval, which is the amount of time that transpires before the WAP advertises the SSID via broadcast. By setting the beacon interval to its maximum setting, you increase the difficulty of performing passive scanning. It is important to understand that disabling SSID broadcast or increasing the SSID beacon interval is not an end-all security solution. In fact, Microsoft claims that this is not a security measure at all. This is due to the fact that even if the SSID is not broadcast, it can still be determined if someone is using a sniffer in the area where a WAP is in operation. Changing these settings is still an effective method of obscuring your WAP from casual threats, however. All these SSID settings can be configured as follows.
The Cisco Aironet 1200 uses a default SSID of tsunami in what is called guest mode, which means the SSID is broadcast in the beacon. The default SSID should be removed and replaced with a new one for your environment. This can be done at the Security SSID Manager screen shown next. If you want to make sure the SSID is not broadcast, ensure that no SSID is configured in the Guest Mode field in the Global Radio0-802.11B SSID Properties section of the SSID Manager screen. When you are finished, click Apply.
For the Linksys WAP54G, you can configure the SSID at the Setup Basic Setup screen, shown next. When you are finished, click Save Settings.
The beacon interval can be configured at the Advanced Advanced Wireless screen, shown next. When you are finished, click Save Settings.
For the Dell TrueMobile 2300, you can configure the SSID and the beacon interval at the Advanced Settings Advanced Wireless screen, as shown next. To turn off the SSID broadcast, check the box labeled Hide My Wireless Network. When you are finished, click Submit.
Like with your firewalls, it can be extremely beneficial to configure your WAP for logging. The objective is for the logging to show you what is going on with the WAP, particularly in regard to unauthorized access attempts. Cisco and Linksys support conventional syslog. Dell does not support any logging facility.
For the Cisco Aironet 1200, you can configure logging to a syslog server at the Event Log Notification Options screen, shown next.
For the Linksys WAP54G, you can configure logging at the Setup Log screen, shown next. Simply enable logging and enter the syslog server to which events should be sent. When you are finished, click Save Settings.
Not many services need to be hardened for most WAPs, with the notable exception of Cisco. The most common services you might run across are as follows:
Simple Network Management Protocol (SNMP)
Network Time Protocol (NTP)
Dynamic Host Configuration Protocol (DHCP)
Cisco and Linksys support using SNMP for management of the WAP; however, neither supports using SNMPv3. Also, both SNMPv1 and SNMPv2 have no security features. Therefore, if you do not need SNMP, you should disable it.
By default, the Cisco Aironet 1200 ships with SNMP disabled. However, you can enable this service at the Services SNMP screen.
You can configure SNMP support for the Linksys WAP54G at the Advanced SNMP screen, shown next. Simply enable SNMP, specify a read-only and a read-write community string, and enter the appropriate information in the identification fields. When you are finished, click Save Settings.
Because the Linksys WAP54G displays the SNMP community strings in clear text, you should ensure that no one is looking over your shoulder while you are at this screen.
The Cisco Aironet 1200 supports the use of NTP primarily to facilitate accurate timestamps for the syslog facility. You can configure NTP at the Services NTP screen, shown next.
Because the Dell TrueMobile 2300 is sold as a SOHO wireless access router, it is shipped with a DHCP server configured and active by default. You should disable DHCP at the Advanced Settings DHCP Server Settings screen by unchecking Enable DHCP Server Functions and then clicking Submit.
In addition to the previously mentioned services, the Cisco Aironet 1200 ships with a whole slew of additional services you need to be aware of. They can all be accessed at the Services screen, as shown next (in this case, the screen shows the default status of all the services after I disabled Telnet and permitted only SSH access, as previously recommended).
As you can see, many of the services are disabled by default. In general, you should disable any service you do not need. The Cisco Discovery Protocol (CDP) and Domain Name Service (DNS) are two specific services you should consider configuring.
Cisco Discovery Protocol As previously discussed, CDP is used by Cisco to locate other Cisco devices. Unless you are using a network management system that takes advantage of CDP, you should disable it. If you do require CDP, you should consider whether you need the CDP broadcasts to be sent over the WLAN. If you do not, you should disable CDP on the Radio0-802.11B radio, as shown next. Click Apply when you are finished.
Domain Name Service DNS is used to allow the WAP to resolve names to IP addresses. It does not allow the WAP to operate as a DNS server. DNS is largely a service of convenience, allowing you to enter device names at various fields so that the WAP can automatically resolve and convert those names to IP addresses. Like all services, however, if you do not require this functionality, you should disable it. Remember, any running service is potentially vulnerable to current exploits as well as unknown future exploits.
Many WAPs support operating in 802.11a, 802.11b, 802.11g, or any combination thereof. If you do not need to support multiple wireless access modes, you should disable any unnecessary ones. For example, if you only need to support 802.11b in your environment, you should disable 802.11a and 802.11g. This will ensure that only individuals using the wireless mode you have defined have any chance of connecting to your environment.
The Cisco Aironet 1200 supports using multiple wireless modes through the implementation of multiple physical radio modules.
You can configure the wireless mode on the Linksys WAP54G at the Setup Basic Setup screen, shown next. Simply select the access mode you want to use, or select Mixed to support both. Click Save Settings when you are finished.
You can configure the wireless mode on the Dell TrueMobile 2300 at the Advanced Settings Advanced Wireless screen, shown next. Simply select the wireless mode from the drop-down selection and click Submit.
One of the most valuable hardening steps you can undertake with your WAP is to implement MAC address filtering. MAC address filtering enables you to specify the MAC addresses that will be allowed to connect to the WAP. At that point, even if someone manages to obtain all the information necessary to connect to the WAP, if their MAC address is not permitted, they still cannot connect. The drawback to this method, however, is that it may require significant overhead for managing all the MAC addresses that may need to be permitted. In addition, MAC addresses can be spoofed, so it is not a panacea but rather another component of the hardening process.
The Cisco Aironet 1200 uses the well-documented Cisco access-list function to restrict/permit clients from establishing an association with the WAP. The first step is to build the access list. You can do this at the Services Filters screen by selecting the MAC Address Filters tab, shown next.
Enter the appropriate filter index (ACL number) for the MAC address filter. Next, enter the MAC address you want to specify and a wildcard mask. Keep in mind that for Cisco, a value of 0 in the mask means that the corresponding bit in the MAC address must precisely match the filter entry. A value of F (all one bits) in the mask means that the corresponding bits in the MAC address are ignored for the purposes of filtering. This can be used, for example, to grant all of a certain vendor's MAC addresses. Once you have entered this information, the next step is to decide whether the MAC address will be forwarded or blocked. My recommendation is to make the default action Block All and then configure a Forward action for the MAC addresses you explicitly want to forward. When you are finished, click Apply.
The next step is to apply that ACL to the WAP. You can do this at the Security Advanced Security screen by clicking the Association Access List tab, shown next. Select the filter from the drop-down list and then click Apply.
Once you have implemented this procedure on your Cisco Aironet 1200, you may find that wireless clients that are not permitted by the ACL still appear to associate with the WAP. Appearances are deceiving, however, because these wireless clients are unable to send and receive any data through the WAP.
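To show how the mask-based matching just described decides whether a client is forwarded or blocked, here is an added Python model of the Aironet MAC filter evaluation (this is example code written for this section, not Cisco's implementation; the addresses and vendor prefix in the sample list are constructed values).

```python
from dataclasses import dataclass


def mac_to_int(mac: str) -> int:
    """Parse a Cisco dotted (0040.9600.1234) or colon-separated MAC address."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class FilterEntry:
    address: str  # MAC address as entered on the MAC Address Filters tab
    mask: str     # wildcard mask: 0 bits must match, 1 (hex F) bits are ignored
    action: str   # "forward" or "block"

    def matches(self, client_mac: str) -> bool:
        # Keep only the bits the mask says must match, then compare those bits.
        care = ~mac_to_int(self.mask) & 0xFFFFFFFFFFFF
        return (mac_to_int(client_mac) & care) == (mac_to_int(self.address) & care)


def evaluate(entries, default_action: str, client_mac: str) -> str:
    """First matching entry decides; otherwise the default action applies."""
    for entry in entries:
        if entry.matches(client_mac):
            return entry.action
    return default_action


# Constructed sample list following the recommendation above: default Block All,
# Forward for two explicit clients and for every address under one vendor prefix.
SAMPLE_ACL = [
    FilterEntry("0012.3456.789a", "0000.0000.0000", "forward"),
    FilterEntry("0012.3456.789b", "0000.0000.0000", "forward"),
    FilterEntry("0040.9600.0000", "0000.00ff.ffff", "forward"),
]
DEFAULT_ACTION = "block"


def decide(client_mac: str) -> str:
    """Return the action the sample ACL applies to one client MAC."""
    return evaluate(SAMPLE_ACL, DEFAULT_ACTION, client_mac)


if __name__ == "__main__":
    for mac in ("00:12:34:56:78:9a", "0040.96ab.cdef", "00:12:34:56:78:9c"):
        print(mac, "->", decide(mac))
```

The third entry illustrates the vendor-wide grant: any client whose first three bytes are 00:40:96 is forwarded, while everything else falls through to the default Block All.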
You can enable MAC address filtering on the Linksys WAP54G at the Advanced Filters screen, shown next. Simply select Enable from the drop-down box and specify how you want to perform the filtering. You can either filter to prevent the listed MAC addresses from being able to connect or to permit the listed MAC addresses to be able to connect. I recommend the latter in most circumstances, because it is generally easier to figure out who you want to allow to connect, as opposed to figuring out who you want to prevent. You can filter up to 40 MAC addresses by using the drop-down box to select MAC 21-40. When you have finished entering the MAC addresses to filter, click Save Settings.
The Dell TrueMobile 2300 uses a simplified MAC filtering process. You simply enter the MAC addresses you want to permit to connect. This is done at the Advanced Settings Access Control Settings screen, shown next. Check the box Enable MAC Access Control and then add the MAC addresses you want to permit. When you are finished, click Submit.