Deploying a Secure WLAN

Concerns about network security can place so many roadblocks in a project's path that management can feel that the WLAN project is spiraling out of control. This can result in shelving the project altogether, as might be the case when there are concerns over compromised data. Some of the issues raised will be a one-in-a-million chance of a security violation. But the solutions to such unlikely events can also:

• Dramatically raise the cost of the WLAN project.

• Create a network that can't deliver a satisfactory data throughput speed.

• Lessen end-users' ease of access.

So it must be decided what informed risks the organization is willing to take.

Also, bear in mind that when any multi-level security program is implemented, it typically restricts user access to certain network assets. While this may be necessary to keep intruders at bay, it may also restrict the organization's normal work processes.

Therefore, when developing a security plan, take the time and effort to determine which security procedures are being implemented to address risk management, and which are due to risk-aversion.

That's where a sound security plan comes into play. A good, well thought out security plan can help your organization to avoid excessive risk aversion behavior, create a credible network security environment, and even to create a wider range of sound strategic security options for the future. Furthermore, as you dig into all aspects of network security, you will find that many of the numerous security measures that can and should be implemented take place on the human level, not the hardware or software level.

For example, it's the Wi-Fi-enabled computing devices that are brought in through the back door, without the IT unit's knowledge, that provide the most serious security threat. That's because these wireless devices are often plugged directly into an organization's network and transmit sensitive data that can be easily picked up by a snoop using freeware hacking tools and an inexpensive wireless NIC. Malicious or not, unauthorized access to an organization's network, wired or wireless, is never welcome. Hacking and eavesdropping are easy forms of industrial espionage. A rogue wireless set-up can do great harm. Sophisticated eavesdroppers aren't even required to be near the premises—long-range antennae can pick up wireless signals from hundreds or even thousands of feet/meters away.

A Wireless Policy

Industry experts estimate that most organizations with more than 50 employees probably have one or more rogue access points on their premise. Uncontrolled wireless access means hackers can read corporate email, sniff for super-user accounts and passwords, gain root or administrative access, drop in Trojan horses (hidden executable programs) for remote monitoring, and open back doors into an unprotected network. A good security policy could help ease this situation.

In fact, when drafting a security plan, crafting a wireless policy should be at the top of your "to do" list. To protect an organization's networks from unauthorized access, an organization should adopt policies that, on one hand, welcome wireless technology, and on the other hand, protect the organization's networks. This requires (1) putting in place a written, well-publicized corporate wireless policy, and (2) training IT personnel in how to hunt down unauthorized installations.

A wireless policy should include, but not be limited to, the following elements:

• An agreement that is executed by each and every employee which states that they will not provide (intentionally or unintentionally) WLAN configuration information to outsiders, or construct an ad hoc network.

• A requirement that all WLAN users must be trained on the ins and outs of wireless networking. For example, most employees with wireless laptops don't realize their wireless PC card can remain active when they're not transmitting or receiving data. This means an attacker could use that active link to perform a number of nefarious deeds. User training must take into account everything from serious security issues to the more mundane idea of teaching employees that moving their wireless computing device a few inches can improve throughput drastically.

• A requirement that the organization's IT department must approve, in writing, the use of any Wi-Fi-enabled device, and the department must keep a record of all wireless devices with information concerning their NICs and the attendant APs.

• An acknowledgement that the IT department is the only department authorized to select, standardize, and approve wireless security configurations.

• An acknowledgement that the employees understand what can and can't be downloaded to a mobile computing device. (Of course, this requires that the organization set out a clear policy on what can and cannot be downloaded via a wireless connection.)

• A requirement that all wireless devices must pass a security audit before they can be approved for use. The audit should include determining if the promiscuous broadcasting of MAC addresses is turned off, and Wired Equivalent Privacy (WEP) is enabled.

• A requirement that SSIDs and passwords are to be regularly exchanged for new designations (using randomly generated alphanumeric codes).

• A requirement that the IT department perform scans, at least once every two months, for rogue wireless devices.

A wireless policy, while important, is only one in a series of steps that should be taken to help secure the data that traverses the WLAN.

Minimum Security Procedures

The next step in provisioning a good wireless security plan is implementing some basic network security procedures. Let's look at some important minimal security steps that can ensure that the organization's communications are secure as they travel the airwaves:

• Evaluate the organization's wired LAN security policies to determine how to extend them to the WLAN.

• Know the WLAN's vulnerabilities and do what you can to mitigate them. (Some who deploy a WLAN will put little effort into securing their WLAN, because in their view the data that is transmitted through the WLAN has little or no value to others apart from the network's end-users.)

• Take a complete inventory of all access points and Wi-Fi devices.

• Perform a risk assessment to understand the value of the assets in the organization that need protection.

• Consider standardizing on a single vendor's products.

• Prior to purchasing any wireless gear, ensure that the vendor provides firmware upgrades and that the gear can support such upgrades, so that security patches can be deployed as they become available.

• Fully understand the impact of deploying any security feature or product prior to deployment.

• Enable all security features on all WLAN gear, including the cryptographic authentication and WEP privacy features.

• Ensure that encryption key sizes are at least 128-bits (or as large as possible considering the capabilities of the wireless components).

• Secure all access points (APs) by:

  • Changing the default WEP encryption key that comes with the access point provided by the vendor.

  • Changing the default vendor-set SSID for the APs.

  • Disabling the "broadcast SSID" feature on all APs, so that the client's SSID must match that of the AP.

  • Validating that the SSID character string does not reflect the organization's name (division, department, street, etc.) or products.

  • Understanding all default parameters and ensuring that all have been changed.

  • Disabling all nonessential management protocols on the APs.

  • Changing the default AP administrative password and ensuring that all APs have strong administrative passwords.

  • Enabling user authentication mechanisms for the management interfaces of the APs.

  • Ensuring adequately robust community strings are used for SNMP management traffic on the APs.

  • Configuring SNMP settings on all APs for the least privilege (i.e. read only). Disable SNMP if it is not used.

  • Forbidding the installation of APs without the consent and oversight of the network manager.

  • Positioning AP on the interior of buildings, if possible, versus locations near exterior walls and windows.

  • Empirically testing AP range boundaries to determine the precise extent of the wireless coverage and then positioning all APs so that their signals are less likely to leak outside the intended coverage area.

  • Placing APs in secured areas to prevent unauthorized physical access and user manipulation.

  • Ensuring the APs are turned off when not in use, e.g. weekends, holidays and even overnight if the workday approximates a nine to five shift.

  • Ensuring AP channels are at least five channels different from any other nearby wireless networks to prevent interference.

  • Ensuring that the APs' reset function is used only when needed and invoked by authorized personnel.

  • Ensuring that APs are restored to the latest security settings when the reset function is used.

• Secure all wireless computing devices by:

  • Changing the default vendor-set SSID on all devices.

  • Installing antivirus software on all devices.

  • Installing personal firewall software on all devices.

  • Ensuring that the "ad hoc mode" is disabled unless the environment is such that the risk is tolerable.

• Choose NICs that support password-protection of attribute changes to prevent the setting of the NICs from being changed by end-users.

• Ensure that default shared keys are periodically replaced by more secure unique keys.

• Deploy MAC access control lists.

• Use static IP addressing on the network.

• Disable DHCP (Dynamic Host Configuration Protocol).

• Ensure that management traffic destined for APs is on a dedicated wired subnet.

• Use a local serial port interface for AP configuration, to minimize the exposure of sensitive management information.

• Since WLANs can be exposed to viruses and worms when end users download data from a website, implement real-time anti-virus scanning at the network gateway and ensure that it is applied at all WLAN access points to prevent infection and rapid spread of content-based attacks.

• Ensure end-users are fully trained in computer security awareness and risks associated with wireless technology.

• Stay current.

  • Evaluate and adopt the most powerful wireless standards, when pertinent, as soon as they become available.

  • Fully test and deploy software patches and upgrades on a regular basis.

  • Designate an individual to track the progress of 802.11 security products and standards (IETF, IEEE, Wi-Fi Alliance, etc.), and the threats and vulnerabilities relating to the technology.

• Perform comprehensive security assessments at regular intervals, including validation that rogue APs are not operating within the organization's facilities.

• Determine corporate-wide procedures for network authentication. Include user-based authentication, rather than device-based (so that an intruder can't gain network access by stealing or simulating a wireless device), as well as centralized management of authentication (i.e. authentication credentials are stored in a central repository and don't have to be distributed to every access point).

• Install a properly configured firewall between the wired infrastructure and the wireless network (AP or hub to APs).

Now let's take a closer look at some of the aforementioned security measures. There is no excuse not to implement the measures set out below, as they are easy to implement. When used in tandem they can help to ensure a WLAN's protection.

WEP (Wired Equivalent Privacy) refers to scrambling communications between a computing device and an AP, using a symmetrical encryption technique called RC4 on the Data Link Layer. In an attempt to provide a more secure transmission mode, Wi-Fi equipment manufacturers cooperated in the development and adoption of the encryption standard called Wired Equivalent Privacy (WEP). Almost every vendor supports WEP in some way or the other. When used correctly, WEP can prevent casual eavesdropping and unauthorized access. While WEP offers 40, 128, 152 and 512-bit encryption strengths, it also suffers from a number of drawbacks. All users have the same encryption key, so when one key is compromised the entire network is jeopardized. Many early APs and NICs only support 40-bit encryption, but newer gear supports 128-bit and greater WEP encryption. But the original 40-bit encoding key used by WEP can be broken in just a few minutes by a hacker using freeware such as AirSnort (see http://airsnort.shmoo.com), and the more powerful 128-bit WEP keys can be broken in a few days.

Here is another note of caution about WEP: its shared key system is often considered a management nightmare because the network administrator is responsible for distributing passphrases, hex keys, or ASCII strings that represent the encryption key. If the key is leaked, things can get messy very quickly. Not only is the data compromised, but the procedure for changing keys varies from vendor to vendor. Disseminating a new key, while not complicated, can be difficult.

Service Set Identifier (SSID) can be vulnerable. (A SSID is an ASCII string configured by network administrators into all access points and wireless stations that share a common WLAN.) Since a SSID is a relatively simple password that is common to all devices on the WLAN, it is easy to compromise. Furthermore, since the default setting of SSID is more times than not left unchanged for long periods of time, and since APs are typically configured to broadcast their SSID in the open, an intruder can easily obtain the network's SSID by using readily available tools.

PCs and laptops only respond to a network tied to their particular SSID, but SSIDs are not only transmitted, they're sent unencrypted. This issue stems from the 802.11b specification. For example, according to the SecureNet Service (SNS) security advisory at www.lac.co.jp/security/english/snsadv_e/60_e.html, Windows XP on a PC maintains a list of all the access points to which it has ever connected. If, say, a laptop boots up and it's out of range of any access point, it searches for available access points by continuously broadcasting inquiries, each of which contains the SSID of every AP it has ever encountered. Therefore, it is possible to "sniff out" these SSID values assigned to registered access points by using a packet monitoring tool for wireless LANs.

The advisory further states: "sending out packets encrypted with WEP is not a recommended security practice in an environment where the original access points are not available."

Later we'll see how to handle Wi-Fi security issues through the use not only of VPNs, but also of WPA (Wi-Fi Protected Access), which is a new interim solution for link-layer security that is based on the work-in-progress at the IEEE 802.11i Task Group.

MAC address filtering is a useful security measure for small WLANs, but it's not for large installations. Every wireless NIC has a unique MAC address, a 12 digit hexadecimal number that is unique to each and every NIC in the world. And since each NIC has its own MAC address, if you limit access to WLAN APs just to authorized MAC addresses, you can control who should and should not be accessing the network.

But while MAC address filtering is a good idea for small networks, it presents problems for larger WLAN installations. The first is the management aspect—to implement MAC address filtering, the WLAN manager must keep a database of every MAC address allowed to access the network. This database must be kept either on each AP individually, or on a special RADIUS server that each AP can access. Any time a device is added, lost, stolen, or changed in any way, the network manager must update the list. If the WLAN serves a small user-base, MAC address filtering is a viable security measure. In an enterprise network, however, it's not a practical solution because it would necessitate a full time employee just to keep up with database changes. Second, MAC address filtering complicates support for roaming between different APs.

Before implementing this security measure, know that (1) MAC addresses can be spoofed, and (2) filtering merely verifies the identity of the NIC, not the identity of the computing device or the person using the computer.

While we have laid out the outline of a comprehensive network security plan, so far we have only discussed in detail minimal security measures. Let's now up the ante.