
Layer Network

B 4.6 Wireless LAN
Description
Wireless LANs (WLANs) offer the ability to build a new wireless local network or to extend an
existing wired network at low cost and with little effort. WLAN here refers to wireless networks
based on the IEEE 802.11 family of standards specified by the Institute of Electrical and
Electronics Engineers (IEEE). Because they are simple to install, WLANs are also used for
temporary networks, for example at trade fairs or small events. Furthermore, network access can be
offered in public spaces such as airports or train stations through hotspots, which lets mobile
users connect to the Internet or to their company network. Communication generally takes place
between a central point of access, the access point, and the WLAN component of the mobile end
device (a WLAN USB stick or a corresponding WLAN network card).
Most of the WLAN components available on the market at the time of writing are based on the
802.11g amendment passed by the IEEE in 2003, which defines a transmission rate of up to 54 Mbit/s.
Some systems support only the IEEE 802.11b amendment and achieve at most 11 Mbit/s. Both
amendments operate in the unlicensed 2.4 GHz frequency band.
The security mechanisms are defined in the IEEE 802.11 standard and in the IEEE 802.11i
amendment. The original 802.11 standard defines Wired Equivalent Privacy (WEP) as its security
mechanism, but because of several design weaknesses WEP can no longer be considered adequately
secure. For this reason the Wi-Fi Alliance, an industry consortium of manufacturers, specified
Wi-Fi Protected Access (WPA) as an interim mechanism. WPA introduced per-packet key mixing and
dynamic key management through the Temporal Key Integrity Protocol (TKIP), and it supports
authentication either through IEEE 802.1X or through a static pre-shared key (PSK). Most of these
mechanisms were incorporated into the official IEEE 802.11i amendment ratified in 2004, which the
Wi-Fi Alliance certifies as WPA2. 802.11i and WPA2 use the Advanced Encryption Standard (AES) for
encryption rather than the RC4 stream cipher used in WEP and WPA; the Counter Mode with CBC-MAC
Protocol (CCMP) defined in IEEE 802.11i specifies how AES is applied for encryption and integrity
protection. CCMP is the method suitable for long-term use, but in contrast to TKIP, which was
designed as a firmware upgrade for WEP-era hardware, it requires hardware with AES support. TKIP
has since been deprecated by both the IEEE and the Wi-Fi Alliance. For authentication, 802.11i
relies on port-based access control according to IEEE 802.1X, which carries the Extensible
Authentication Protocol (EAP) between the client and an authentication server. Additional
technical information on the secure use of WLANs can be found in the Secure WLAN technical
guideline from the BSI.
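What the choice between these methods looks like on the air, as an added example that is not part of the catalogue: every access point advertises its group cipher, its pairwise ciphers and its authentication and key management (AKM) suites in the RSN information element of its beacon, or, for pre-standard WPA, in a vendor-specific element. The Python script below parses those elements from constructed beacon fragments and flags the weak choices named above. The suite selector tables follow IEEE 802.11; the sample byte strings, the finding texts and the `classify` function are the editor's, not BSI's or the IEEE's.

```python
"""Read the security mode an access point advertises in its beacon and flag the
weak choices discussed above (WEP, TKIP, WPA1-only, pre-shared keys)."""
import struct

RSN_OUI = b"\x00\x0f\xac"   # suite selector OUI of IEEE 802.11i (RSN / WPA2)
WPA_OUI = b"\x00\x50\xf2"   # OUI used by the pre-standard WPA1 vendor IE

CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
           8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
        5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}


def iter_ies(tagged: bytes):
    """Yield (element_id, body) for each information element in a beacon's tagged parameters."""
    pos = 0
    while pos + 2 <= len(tagged):
        eid, length = tagged[pos], tagged[pos + 1]
        body = tagged[pos + 2:pos + 2 + length]
        if len(body) != length:
            raise ValueError("truncated information element")
        yield eid, body
        pos += 2 + length


def _selector(body: bytes, pos: int, oui: bytes):
    """Suite selector = 3-byte OUI + 1-byte type; foreign OUIs are reported as None."""
    return body[pos + 3] if body[pos:pos + 3] == oui else None


def _suite_list(body: bytes, pos: int, oui: bytes):
    count = struct.unpack_from("<H", body, pos)[0]
    suites = [_selector(body, pos + 2 + 4 * i, oui) for i in range(count)]
    return suites, pos + 2 + 4 * count


def parse_suites(body: bytes, oui: bytes):
    """Version, group cipher, pairwise cipher list and AKM list: the layout shared by
    the RSN IE (element 48) and the WPA1 vendor IE (element 221, after OUI and type)."""
    version = struct.unpack_from("<H", body, 0)[0]
    if version != 1:
        raise ValueError(f"unsupported RSN/WPA version {version}")
    group = _selector(body, 2, oui)
    pairwise, pos = _suite_list(body, 6, oui)
    akms, _ = _suite_list(body, pos, oui)   # RSN capabilities / PMKIDs may follow; not needed here
    return group, pairwise, akms


def _names(table, values):
    return [table.get(v, f"unknown({v})") for v in values]


def classify(tagged: bytes, privacy: bool) -> dict:
    """Return the advertised mode plus the findings a WLAN audit should raise.
    `privacy` is the Privacy bit of the beacon's capability field (set for WEP)."""
    rsn = wpa = None
    for eid, body in iter_ies(tagged):
        if eid == 48:
            rsn = parse_suites(body, RSN_OUI)
        elif eid == 221 and body[:4] == WPA_OUI + b"\x01":
            wpa = parse_suites(body[4:], WPA_OUI)

    if rsn is None and wpa is None:
        mode = "WEP" if privacy else "open"
        return {"mode": mode, "group": None, "pairwise": [], "akm": [],
                "findings": [f"{mode}: no RSN/WPA information element, unsuitable for protected data"]}

    group, pairwise, akms = rsn if rsn is not None else wpa
    akm_set = set(akms)
    base = "WPA2" if rsn is not None else "WPA"
    if akm_set & {1, 3, 5}:
        mode = base + "-Enterprise"
    elif akm_set & {2, 4, 6}:
        mode = base + "-PSK"
    elif akm_set & {8, 9}:
        mode = base + "-SAE"
    else:
        mode = base + "-unknown-AKM"

    findings = []
    ciphers = set(pairwise) | {group}
    if ciphers & {1, 5}:
        findings.append("WEP cipher suite advertised: no longer adequately secure")
    if 2 in ciphers:
        findings.append("TKIP (RC4-based interim method for WEP-era hardware) still allowed: migrate to CCMP")
    if rsn is None:
        findings.append("WPA1 vendor IE only, no IEEE 802.11i RSN IE")
    if akm_set & {2, 4, 6}:
        findings.append("pre-shared key: strength and distribution of the PSK decide the security level")
    return {"mode": mode, "group": _names(CIPHERS, [group])[0],
            "pairwise": _names(CIPHERS, pairwise), "akm": _names(AKMS, akms), "findings": findings}


# Constructed tagged-parameter blobs (SSID IE followed by the security IE only).
ENTERPRISE_CCMP = bytes.fromhex("0004" "434f5250"          # SSID "CORP"
                                "3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac01" "0000")
MIXED_TKIP_PSK = bytes.fromhex("3018" "0100" "000fac02" "0200" "000fac04" "000fac02"
                               "0100" "000fac02" "0000")
WPA1_TKIP_PSK = bytes.fromhex("dd16" "0050f201" "0100" "0050f202" "0100" "0050f202"
                              "0100" "0050f202")

if __name__ == "__main__":
    for name, blob in [("enterprise", ENTERPRISE_CCMP), ("mixed", MIXED_TKIP_PSK), ("wpa1", WPA1_TKIP_PSK)]:
        print(name, classify(blob, privacy=True))
    print("legacy", classify(b"\x00\x04CORP", privacy=True))
```

Against live data the tagged parameters come from a captured beacon or probe response; when neither an RSN nor a WPA element is present, the Privacy bit of the capability field is what separates WEP from an open network.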
This module illustrates a systematic method for creating a concept for WLAN usage in an organisation
and how its implementation and integration can be ensured.
Threat Scenarios
The following typical threats are assumed for the IT-Grundschutz of WLAN usage:
Force majeure:
- T 1.17 Failure or malfunction of a wireless network
Organisational shortcomings:
- T 2.1 Lack of, or insufficient, rules
- T 2.2 Insufficient knowledge of rules and procedures
- T 2.4 Insufficient monitoring of IT security safeguards
- T 2.117 Lack of, or inadequate, planning of the use of WLAN
IT-Grundschutz Catalogues: New 1
- T 2.118 Inadequate regulations for the use of WLAN
- T 2.119 Inappropriate selection of WLAN authentication methods
- T 2.120 Inappropriate siting of security relevant IT-systems
- T 2.121 Inadequate monitoring of WLANs
Human error:
- T 3.3 Non-compliance with IT security safeguards
- T 3.9 Improper IT system administration
- T 3.38 Errors in configuration and operation
- T 3.43 Inappropriate handling of passwords
- T 3.84 Incorrect configuration of WLAN infrastructure
Technical failure:
- T 4.60 Uncontrolled radiowave propagation
- T 4.61 Unreliable or missing WLAN security mechanisms
Deliberate acts:
- T 5.71 Loss of confidentiality of classified information
- T 5.137 Analysis of connection data relating to wireless communication
- T 5.138 Attacks on WLAN components
- T 5.139 Tapping of WLAN communication
Recommended safeguards
In addition to this module, other modules will need to be implemented to secure the IT systems
examined. These modules are selected based on the results of the IT-Grundschutz modelling
process.
A series of security safeguards must be implemented when using WLAN, starting in the conception
phase and continuing through the purchasing phase to the operation phase. The steps to take to
accomplish this as well as the safeguards to consider in each of the steps are listed in the following.
Planning and design
Securing a WLAN begins in the planning phase. A foundation for a secure WLAN can only be created
through a well thought out strategy (see S 2.381 Determining a strategy for the use of WLAN) and
the selection of the correct WLAN standards, and therefore of the corresponding cryptographic
methods (see S 2.383 Selection of a suitable WLAN standard and S 2.384 Selection of suitable
crypto-methods for WLAN). Safeguard S 3.58 Introduction to WLAN basics will help you become
familiar with the terminology used when describing how to secure a WLAN.
All decisions made relating to security settings, the WLAN standards selected, as well as the rules for
the use and administration of the WLAN are to be written down in a WLAN security policy (see
S 2.382 Drawing up a security policy for the use of WLAN).
Procurement
When selecting the WLAN components, safeguard S 2.385 Selection of suitable WLAN components
must be applied. The standards, protocols, and security mechanisms used in WLANs are subject to
rapid development, which is why WLANs are often in the middle of a migration.
Safeguard S 2.386 Careful planning of necessary WLAN migration steps must be taken into account
for the migration phases of individual WLAN components or entire sections of the WLAN.
Implementation
Once all components have been purchased and the WLAN is to be set up, the locations where the
access points will be installed (see S 1.63 Appropriate location of access points) and the way the
WLAN connects to any existing wired infrastructure (see S 5.139 Secure WLAN-LAN connection,
S 5.140 Setting up a distribution system) become important. In every case, the configuration of the
various WLAN components such as the access points (see S 4.294 Secure configuration of access
points) and WLAN clients (see S 4.295 Secure configuration of WLAN clients) during installation
must be performed according to the security policy and the specified strategy.
In all cases, the users and administrators of the WLAN must receive adequate training to minimize the
number of security incidents and to point out and sensitise them to the possible threats of improper
WLAN usage (see S 3.59 Training on the secure use of WLAN).
If the WLAN will be installed, configured, or supported by an external service provider, then
safeguard S 2.387 Installation, configuration, and support service for a WLAN by third party must be
applied in all cases.
Operation
Once the WLAN is in operation and all WLAN users have received adequate training, audits must be
performed regularly (see S 4.298 Regular audits of WLAN components) to ensure that all security
settings made are still appropriate. Regular security checks must also be performed (see S 5.141
Regular security checks of WLANs) to ensure that these settings are having the desired effect.
Furthermore, the secure operation of all WLAN components must be guaranteed (see S 4.297 Secure
operation of WLAN components).
It is essential to use key management to handle the cryptographic keys used in the WLAN to secure
communications (see S 2.388 Appropriate key management for WLAN). A WLAN management
solution can simplify the administration of the keys and allow the WLAN to be administered centrally
(see S 4.296 Use of a suitable management solution for WLAN).
Disposal
When WLAN components are taken out of operation, configuration settings such as the network name
(SSID) must be reset to their factory defaults, and any access information or other information
stored on the WLAN component to secure the WLAN traffic, such as keys and certificates, must be
deleted (see S 2.390 Withdrawal from operation of WLAN components).
Contingency planning
If attacks on a WLAN are detected, then both the users as well as the administrators of the WLAN
must know how to respond in such situations (see S 6.102 Procedures in the event of WLAN security
incidents). This results in the need for a contingency plan containing the necessary steps to take and a
list of which persons to inform when a security incident occurs. Furthermore, it may be necessary to
set up a redundant WLAN to provide a fast replacement for important communication links. When a
redundant WLAN is used, it must always be ensured that the redundant WLAN meets the same
security requirements as the normal WLAN. For this reason, all safeguards in this module must also
be applied to the redundant WLAN, since it must be viewed as a separate WLAN. General information
on redundant communication links can be found in safeguard S 6.75 Redundant communication links.
In order to be able to use a WLAN securely, the clients linked to it must be configured securely and
maintained and administered regularly. Suitable IT security recommendations for clients are described
in the corresponding modules of the IT-Grundschutz Catalogues.
In the following, the bundle of security safeguards for WLAN usage is presented.
Planning and design
- S 2.381 (A) Determining a strategy for the use of WLAN
- S 2.382 (A) Drawing up a security policy for the use of WLAN
- S 2.383 (A) Selection of a suitable WLAN standard
- S 2.384 (A) Selection of suitable crypto-methods for WLAN
- S 3.58 (A) Introduction to WLAN basics
- S 4.293 (A) Secure operation of hotspots
- S 5.138 (A) Usage of RADIUS servers
Procurement
- S 2.385 (A) Selection of suitable WLAN components
- S 2.386 (A) Careful planning of necessary WLAN migration steps
Implementation
- S 1.63 (B) Appropriate location of access points
- S 2.387 (A) Installation, configuration, and support service for a WLAN by third party
- S 3.59 (C) Training on the secure use of WLAN
- S 4.294 (A) Secure configuration of access points
- S 4.295 (A) Secure configuration of WLAN clients
- S 5.139 (A) Secure WLAN-LAN connection
- S 5.140 (C) Setting up a distribution system
Operation
- S 2.388 (B) Appropriate key management for WLAN
- S 2.389 (A) Secure use of hotspots
- S 4.296 (C) Use of a suitable management solution for WLAN
- S 4.297 (A) Secure operation of WLAN components
- S 4.298 (B) Regular audits of WLAN components
- S 5.141 (B) Regular security checks of WLANs
Disposal
- S 2.390 (C) Withdrawal from operation of WLAN components
Contingency planning
- S 6.75 (A) Redundant communication links
- S 6.102 (A) Procedures in the event of WLAN security incidents
Threats Catalogue - Force majeure
T 1.17 Failure or malfunction of a wireless network
In wireless networks, information is transmitted using electromagnetic radio
waves. If other sources radiate energy in the same frequency spectrum, these
emissions can disrupt wireless communication and, in extreme cases, prevent the
operation of the WLAN. This can occur unintentionally through other technical
systems (e.g. Bluetooth devices, other WLANs, microwave ovens, medical
equipment, wireless security cameras) or deliberately by operating a source of
interference (jammer) in a denial-of-service (DoS) attack. Denial-of-service
attacks can also be carried out, for example, by repeatedly sending certain
control and management frames, which can likewise lead to the loss of
availability of the wireless network.
Examples:
- Due to the selection of an unsuitable installation location for an outside
antenna and poorly planned lightning and weather protection, a WLAN could
fail as the result of a lightning strike or weathering.
- In WLAN systems operating according to the IEEE 802.11b and IEEE 802.11g
standards in the ISM band at 2.4 GHz, interference can be generated by a
number of other wireless systems permitted to operate in this frequency
band, e.g. Bluetooth devices, microwave ovens, or other WLANs.
Threats Catalogue - Organisational shortcomings
T 2.1 Lack of, or insufficient, rules
Universal organisational rules and specifications for IT security objectives
become more and more important as the scale of information processing and the
protection requirements for the information to be processed increase.
The scope of the rules can be very wide, ranging from questions of areas of
responsibility to the distribution of control functions. The consequences of
insufficient or non-existent rules are described in T 2.2 ff.
It is often the case that the existing rules are not modified accordingly after
technical, organisational or personnel changes having a significant impact on
IT security have been made. Outdated rules can impede smooth IT operations.
Problems can also arise from rules that are formulated incomprehensibly or
without any context, resulting in misunderstood rules.
The following examples clearly illustrate the potentially damaging effects of
insufficient rules:
- Poor resource management can seriously impair the scheduled flow of
operations in a computer centre, for example simply because an order for
printer paper was forgotten.
- Hand-held fire extinguishers need to be maintained regularly after purchase
so that they are ready for use in case of fire.
- After a flood on one floor, water damage was detected in the server room
one floor below as well. Due to inadequate key management, the damage
caused by the water in the server room could not be repaired immediately
because no one knew where the key to the server room was at the time.
This resulted in significantly more water damage.
T 2.2 Insufficient knowledge of rules and procedures
The specification of rules alone is not enough to ensure trouble-free IT
operations. All employees, and especially managers, must be familiar with the
applicable rules. The damage that can result from inadequate knowledge of the
existing rules cannot be excused simply by saying "I didn't know I was
responsible for that" or "I didn't know what to do."
Examples:
- If the employees are not informed of the procedures for handling the data
media and e-mails received, then there is a danger that a computer virus
could spread throughout the entire company or government agency.
- In a federal agency, different colour waste paper bins were used with one
colour bin intended for the disposal of the documents to be destroyed. Most
of the employees were not informed of this colour scheme.
- In a federal agency, there were a number of rules for performing data
backups that had been agreed verbally over time between the IT Security
Officer and the IT department. Upon enquiry, it turned out that the affected
IT users knew nothing about these "agreements" and had no one to contact in
case of questions. The rules regarding data backups were not documented
either. As a result, many users made backups of the local data on their
workstation computers even though data backups were only supposed to be
performed centrally on the servers.
- In a computer centre, a new rule was introduced stating that in the event of
problems with the burglar detection or fire alarm systems, the gatehouse
should be manned at night as well. The security guard service was not
informed of this new rule by the security officer responsible for this. As a
result, the computer centre was insufficiently protected at night for several
weeks.
T 2.4 Insufficient monitoring of IT security safeguards
After safeguards are introduced to help achieve IT security (e.g. data backups,
access control, rules regarding conduct during emergencies), these safeguards
also must be implemented consistently. If the IT security safeguards are not
monitored or monitoring is inadequate, then it is impossible to determine if the
security safeguards are being followed or are proving effective. This impedes
the ability to respond quickly and appropriately to the situation.
In addition, some security safeguards are only effective when appropriate
controls are in place. Logging, for example, only contributes to security when
the log data is actually analysed.
Examples:
- In preparation for a break-in, the lock cylinders in outside doors and gates
are sometimes replaced by unauthorised persons. Access routes that are seldom
used or are only intended as emergency exits are often checked only to ensure
that they open freely; the function of the lock cylinder is often not tested.
- In a government office, some of the UNIX servers are used for external
data communications. Due to the primary importance of these IT systems,
the IT security policy specifies that the integrity of all UNIX servers must
be checked weekly. Since these checks were not performed regularly, it
only became apparent during the investigation of a security incident that
the IT department was not performing the integrity checks. The reason
provided for not performing the checks was insufficient personnel in the
department.
- In one company, the z/OS Security Auditor position was not filled and left
unoccupied. As a result, the RACF configuration settings gradually
stopped meeting the security requirements of the company over time. Only
after a production failure did the company notice that some users had more
permissions than required for their job. One of these users accidentally
stopped an application that was important to production.
T 2.117 Lack of, or inadequate, planning of the use of WLAN
A WLAN must be carefully planned and installed so that a weakness in the WLAN
does not endanger every IT system connected to it. Without such care, the
result can be the compromise of the government agency or company network
behind the inadequately secured WLAN. Security gaps can also result when the
security mechanisms between the LAN and the WLAN are not properly configured,
for example because the separation of users into user groups was not
adequately planned.
A number of problems can arise from a lack of, or inadequate, planning of
WLAN usage, for example the following:
- Third parties may be able to read sensitive data if no or only inadequate
security safeguards are implemented in the WLAN.
- The performance of a wireless network can be reduced by other WLAN
installations or wireless systems that were not taken into account and whose
signals extend into the coverage area of the network.
- If the attenuation of the signals by the building itself or by absorbing
construction materials (for example steel cabinets, plumbing units, supply
lines, steel-reinforced concrete) is not taken into account when planning a
WLAN, the performance of the WLAN may also be reduced.
- Co-channel interference from a neighbouring radio cell of the same WLAN is
another frequent cause of disruption: the signals of two users in
neighbouring cells overlap in the same space and interfere with each other.
- The performance of a WLAN can be severely affected by dead zones. When
planning is inadequate, the transmission power of the access points is
usually simply increased to eliminate them. The WLAN then emits signals into
areas where they are not needed and where, under certain circumstances, they
can be intercepted.
- Poor planning may also result in inadequate transmission capacity, which
limits or even prevents the use of high-bandwidth applications.
An additional threat to the LAN arises when the connection between the access
points or the distribution system and the wired infrastructure is inadequately
protected. If there is no physical or logical protection at the level of the
distribution system, then an attacker who has compromised the protection of the
wireless interface or the security settings of an access point can listen in on
the entire broadcast domain in which that access point is located. The
information obtained can then be used in an attack on the entire LAN.
Example:
If the filter rules of the security gateway at the transfer point between the
distribution system and the LAN are too loosely specified, an attacker can work
through this transfer point with a man-in-the-middle attack, manipulating the
communication data, and so gain access to the internal LAN infrastructure. A
prerequisite for this type of attack is that either the security mechanisms of
the wireless interface have been compromised or direct access to the
distribution system is available. In addition, if the systems at the transfer
point were not adequately hardened, vulnerabilities at the operating system
level can be used to get through it.
T 2.118 Inadequate regulations for the use of WLAN
Access points are frequently delivered with no security mechanisms enabled in
their default settings. When WLAN components that are insecure because no
specifications exist are put into production, they pose a serious threat to the
WLAN and to the IT systems connected to it, comparable to the threat posed by
an unprotected Internet connection. When, in the absence of rules regulating
WLAN usage, an employee connects an unauthorised or insecure access point to an
internal network of the organisation, the employee effectively bypasses all the
security safeguards implemented in the LAN against unauthorised external access
from the Internet, for example the firewall.
Unclear responsibilities
If the responsibilities are not clearly stated, the result may be faulty
configuration of the WLAN components due to a lack of rules regulating the
administration of the WLAN infrastructure, for example. When there are no
specifications for configuration management, then it only takes one access
point or one WLAN client not configured according to the specified default
profile to compromise the entire network of the organisation.
When the various responsibilities are not adequately coordinated in an
organisation or with external service providers, problems will always result in
actual practice. In terms of the WLAN, threats are posed in particular when
different groups are responsible for supporting the physical (passive)
infrastructure, the active network technology, and the security systems; these
groups are located far away from each other organisationally; and these groups
are only coordinated by a correspondingly higher management level.
Problems can also arise when there are no uniform rules defined for
documenting system changes, for example when exchanging WLAN
components, changing configurations, or replacing the WLAN key
information.
No rules regulating monitoring
If there are no specifications available for the monitoring of the WLAN
infrastructure and the corresponding financial and personnel resources are not
provided, then attacks on the WLAN may not be detected in time. The
following could be the result, for example:
- Without regular checks, the connection of external access points (including
private access points) to the distribution system or directly to the LAN may
go unnoticed.
- If the WLAN logs are not analysed regularly, security incidents will not be
detected in time. For example, a sudden increase in the number of
unsuccessful login attempts on the access point may indicate an attempt to
attack the WLAN.
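As an added example that is not taken from the catalogue, the following Python script implements two of the checks this section calls for against constructed data: a burst of failed IEEE 802.1X authentications from one client, and access points in range that are not in the organisation's inventory. The log line format is modelled on hostapd's syslog output and is an assumption to adapt to the equipment in use; the MAC addresses, SSIDs and timestamps are made up, and threshold and window are placeholders to tune per site.

```python
"""Two of the checks named above, implemented over constructed data: a burst of failed
802.1X authentications from one client, and access points that are not in the inventory."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Line layout modelled on hostapd's syslog message "IEEE 802.1X: authentication failed";
# the exact wording differs between access point products, so the pattern is an
# assumption to be adapted to the equipment in use.
AUTH_FAIL = re.compile(
    r"^(?P<ts>\S+) \S+ hostapd: \w+: STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"IEEE 802\.1X: authentication failed")


def failed_auth_bursts(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {client MAC: time the threshold was first reached} for every client with
    at least `threshold` failed authentications inside a sliding `window`.
    Lines are expected in chronological order, as they arrive from syslog."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        m = AUTH_FAIL.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["mac"]]
        q.append(ts)
        while ts - q[0] > window:        # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and m["mac"] not in alerts:
            alerts[m["mac"]] = ts
    return alerts


def rogue_access_points(observed, inventory):
    """`observed`: (bssid, ssid) pairs from a site survey or WIDS sensor;
    `inventory`: {bssid: ssid} of the organisation's own access points.
    A hit only says the AP is in radio range; whether it is wired into the
    distribution system must be confirmed on the switch side (see S 5.139)."""
    findings = []
    managed_ssids = set(inventory.values())
    for bssid, ssid in observed:
        if bssid in inventory:
            continue
        if ssid in managed_ssids:
            findings.append((bssid, ssid, "organisation SSID served by an unmanaged BSSID (possible evil twin)"))
        else:
            findings.append((bssid, ssid, "unmanaged access point in range (possible private AP)"))
    return findings


# Constructed log excerpt: one legitimate mistyped password, then a burst from one client.
LOG = """\
2024-03-04T09:15:01 ap-01 hostapd: wlan0: STA 00:11:22:33:44:55 IEEE 802.1X: authenticated
2024-03-04T09:15:03 ap-01 hostapd: wlan0: STA 00:11:22:33:44:66 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
2024-03-04T09:16:10 ap-01 hostapd: wlan0: STA 00:11:22:33:44:66 IEEE 802.1X: authenticated
2024-03-04T09:20:00 ap-01 hostapd: wlan0: STA de:ad:be:ef:00:01 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
2024-03-04T09:20:04 ap-01 hostapd: wlan0: STA de:ad:be:ef:00:01 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
2024-03-04T09:20:08 ap-01 hostapd: wlan0: STA de:ad:be:ef:00:01 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
2024-03-04T09:20:12 ap-01 hostapd: wlan0: STA de:ad:be:ef:00:01 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
2024-03-04T09:20:16 ap-01 hostapd: wlan0: STA de:ad:be:ef:00:01 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
2024-03-04T09:20:20 ap-01 hostapd: wlan0: STA de:ad:be:ef:00:01 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
""".splitlines()

# Constructed inventory and survey result.
INVENTORY = {"00:1a:2b:3c:4d:01": "CORP-WLAN", "00:1a:2b:3c:4d:02": "CORP-WLAN"}
SURVEY = [("00:1a:2b:3c:4d:01", "CORP-WLAN"),
          ("66:77:88:99:aa:bb", "CORP-WLAN"),
          ("0c:0c:0c:0c:0c:0c", "linksys")]

if __name__ == "__main__":
    print(failed_auth_bursts(LOG))
    for hit in rogue_access_points(SURVEY, INVENTORY):
        print(*hit)
```

The single failure from 00:11:22:33:44:66 stays below the threshold, the burst from de:ad:be:ef:00:01 is reported once, at the moment the fifth failure inside one minute arrives; the RADIUS server's own log is the better place for the same check when several access points share it.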
If urgently needed updates to virus protection software or security-related
patches are not installed in time, WLAN components may become compromised.
WLAN components with direct access to the Internet or that are used in public
WLANs are especially at risk. Depending on the type of malware, the next
connection to the organisation's own WLAN can then lead to the compromise of
the entire WLAN infrastructure and beyond.
A lack of rules regulating reactions to security incidents in the WLAN
If no consideration is given to how to react in an emergency to security
incidents when operating a WLAN, then it may take a long time until security
problems are detected and eliminated. In the meantime, though, there may
have been attacks by worms, or data may have even been stolen. Even when
an attack is noticed, the appropriate countermeasures may not be implemented
in time (within minutes) when there are no safeguard catalogues (which must
be prepared accordingly), controlled procedures, or authorisations necessary
for intervention available.
Example:
- One company published the information for accessing an internal WLAN on the
Internet to simplify access for mobile employees on the road. Anyone knowing
this information was therefore able to authenticate to the WLAN and could
eventually gain access to data requiring protection. Although the WLAN itself
only carried information with a low protection requirement, the connection to
the LAN gave access to the production systems. Data held there, for example
secret design drawings of a prototype, were partly made public on the
Internet. Other data was passed on to a competitor, who could thereby have
learned what new developments were being planned and reacted quickly with
developments of its own. Fortunately, the competitor informed the police of
the matter.
T 2.119 Inappropriate selection of WLAN authentication methods
The authentication method must be selected according to the protection
requirements of the data transported over the WLAN. WEP must be considered
insecure: it offers a number of attack possibilities, for example recovery of
the key from captured data packets, which then gives an attacker access to the
WLAN.
If the key material used for authentication or encryption in the WLAN is not
distributed with care or stored securely, any method whose security level rests
on these keys may eventually become worthless. Passwords that are too simple and
inadequately protected certificates provide an attacker with valid access to a
WLAN. In a WLAN secured with WPA or WPA2 in pre-shared key mode, the pre-shared
key is a vulnerability if it is chosen inappropriately, i.e. if it is too short
or too predictable.
Some EAP methods also pose a threat because of weaknesses in their design.
EAP-MD5, for example, uses a CHAP-style challenge/response in which both sides
must know the password in clear text, and an eavesdropper who captures challenge
and response can test password guesses offline. Furthermore, EAP-MD5 does not
derive any key material and therefore cannot be used with IEEE 802.11i.
From a cryptographic point of view, the weakness of EAP-PEAP is that the outer
TLS tunnel authenticates only the server, not the client; the client is
authenticated only inside the tunnel. If clients are not configured to validate
the server certificate and the expected server name, an attacker operating a
rogue access point with an authentication server of his own can terminate the
outer tunnel and capture the inner authentication exchange.
Some implementations of EAP methods contain vulnerabilities as well. Cisco's
proprietary EAP-LEAP, for example, is susceptible to offline dictionary attacks,
and tools that exploit exactly this weakness are freely available, so that only
long, random passwords offer meaningful resistance.
A further disadvantage of EAP-LEAP is that every WLAN component must support it
explicitly and that it does not interoperate with other EAP methods, contrary
to the intent of IEEE 802.1X.
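To make the EAP-MD5 weakness concrete, here is an added example (the editor's, not from the catalogue): the RFC 3748 / RFC 1994 challenge-response computation, the server-side check that only works with the clear-text password, and the offline dictionary attack an eavesdropper can run against one captured exchange. EAP-LEAP's MS-CHAPv1 exchange has the same shape and is attacked the same way. Identifier, challenge, password and wordlist are constructed values.

```python
"""EAP-MD5 challenge/response as specified in RFC 3748 section 5.4 (the same computation
as CHAP, RFC 1994), and the offline dictionary attack an eavesdropper can run against it."""
import hashlib
import hmac


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Response Value = MD5(Identifier || password || Challenge).
    Peer and authenticator both need the password itself: a one-way password hash
    on the server is not sufficient, which is the first weakness named above."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def authenticator_verify(stored_password: bytes, identifier: int,
                         challenge: bytes, response: bytes) -> bool:
    """Server side: recompute and compare. EAP-MD5 ends with EAP-Success/Failure only;
    no key material is derived, so there is nothing to hand to the 802.11i 4-way handshake."""
    expected = eap_md5_response(identifier, stored_password, challenge)
    return hmac.compare_digest(expected, response)


def offline_dictionary_attack(identifier: int, challenge: bytes, response: bytes, wordlist):
    """Identifier, challenge and response all travel unencrypted over the air, before any
    WLAN encryption key exists; each guess is tested locally without touching the AP.
    Returns the recovered password, or None if it is not in the wordlist."""
    for candidate in wordlist:
        if eap_md5_response(identifier, candidate, challenge) == response:
            return candidate
    return None


def demo():
    """One captured exchange (constructed values) and the attack against it."""
    identifier = 0x2a
    password = b"Winter2024!"                                      # shared by user and server
    challenge = bytes.fromhex("0123456789abcdef0123456789abcdef")  # constructed; normally random
    response = eap_md5_response(identifier, password, challenge)
    assert authenticator_verify(password, identifier, challenge, response)
    wordlist = [b"password", b"Summer2023!", b"Winter2023!", b"Winter2024!"]
    return offline_dictionary_attack(identifier, challenge, response, wordlist)


if __name__ == "__main__":
    print(demo())
```

The attack needs no further traffic and is limited only by local hashing speed, which is why the page's advice is to select a method that derives keys and authenticates the server (an EAP method with a TLS tunnel, with certificate validation enforced on the client) rather than to rely on password strength alone.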
T 2.120 Inappropriate siting of security relevant IT-
systems
If security-related IT systems on which authentication data is stored are
installed in easily accessible locations, the result can be a severe threat to the
overall security of a network. Security-related IT systems include, for
example, security gateways, directory servers providing a directory service for
user identification data, and IT systems on which authentication data is stored.
Unsuitable locations for their installation include, for example, public meeting
rooms, hallways, and normal offices. Even small network switching elements
which are relevant to security in spite of their size such as routers, switches,
and access points must not be placed in insecure, open spaces. Access points,
for example, should not be installed unprotected directly under the ceiling
since this would enable easy physical access, which could then very easily be
used to read the access information for the corresponding WLAN. When
direct access to security-related IT systems is possible, other security
mechanisms may be disabled as well.
Example:
An access point was installed in a public meeting room to enable wireless
access to the Internet. Access points are worth some money and may be
tempting to a thief. During a meeting, it was noticed that this access point was
not available any more, and it turned out that it had been stolen several weeks
earlier. Since an access point generally contains important information for
accessing the WLAN, a thief would be able to obtain information for further
compromising of the network without being noticed or detected. Additional
information, for example important certificates for authentication on the
WLAN, was also stolen together with the access point. The network was
susceptible to attack until the stolen access information was blocked and
replaced.
Unfavourable environmental conditions (e.g. vibrations, inadequate climatic
conditions, or large amounts of dust) can cause damage to security-related IT
systems as well.
T 2.121 Inadequate monitoring of WLANs
A WLAN is a potential target of attacks, either to use the network without
authorisation or to disrupt its availability (DoS attacks). This could lead to the
compromise of the infrastructure connected to the WLAN. If the WLAN is not
monitored adequately, then most attacks will either not be detected at all or
be detected too late.
Incorrectly configured intrusion detection systems
If the communication patterns in the WLAN are not taken into account when
planning an intrusion detection system, then this leads either to the inability of
the intrusion detection system to detect attacks or to the triggering of an alarm
by authorised communication.
An acute threat can also arise when logging IDS-relevant events:
- If too much information is logged or the information is stored too long,
then there is a danger that the databases of the intrusion detection system
will overflow.
- If not enough or the wrong data is recorded when logging, then an attack
may not be detected, and no reasonable post-mortem analysis can be
performed.
Unauthorised use of the WLANs
If authentication mechanisms are implemented to access a WLAN which are
not strong enough, then an attacker could access the Internet, for example,
over a WLAN installation. This would reduce the available bandwidth and
lengthen the response times for authorised WLAN users. Likewise, the
Internet access obtained in this manner could be used for the following:
- Attack other systems in the Internet
- Distribute spam e-mails
- Download illegal content from the Internet
- Use peer-to-peer exchange services on the Internet
No evaluation of the log files
When attackers attempt to log in to a WLAN, they must first overcome the
authentication procedure. If they use dictionary or brute-force methods in an
attack, then the authentication components produce error messages, which
these components record in their log files. If these log files are not
evaluated regularly, then such attacks cannot be detected and corresponding
countermeasures cannot be taken. If, in addition, successful logins are not
checked for plausibility, then attackers could use the WLAN unnoticed using
valid access information obtained through eavesdropping, possibly even when
the employees concerned are not there.


Example:
The employee Mr. Miller is on holiday for three weeks. During this time, his
access information for the WLAN is successfully decrypted by an attacker.
The attacker can now connect successfully and without being noticed to the
WLAN of the organisation with this information and gain access to all areas
which the employee is authorised to access. As a result of this, even sensitive
data could be obtained without permission. If the log files of the
authentication server had been analysed regularly, the administrators would
have noticed that Mr. Miller was not present and therefore could not have
been connecting to the WLAN himself. Furthermore, blocking the WLAN account
of Mr. Miller during his holiday could have prevented this attack.
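The two log checks this threat calls for, as an added example that is not part of the catalogue: flag repeated authentication failures for one account (the footprint of a dictionary or brute-force attempt) and flag successful logins by accounts whose owners are registered as absent, as in the Mr. Miller example. The log line format, the absence register and all sample lines are constructed for this example and do not correspond to any particular authentication server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format of a hypothetical authentication server (e.g. the
# RADIUS server behind the access points):
#   <YYYY-MM-DD HH:MM:SS> <ACCEPT|REJECT> user=<login> client=<MAC>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<result>ACCEPT|REJECT) user=(?P<user>\S+) client=(?P<mac>\S+)$"
)

# Constructed sample: one mistyped password by schmidt, a burst of failures
# for miller followed by a success, and one line in an unrelated format.
SAMPLE_LOG = """\
2008-07-14 08:01:10 ACCEPT user=schmidt client=00:11:22:33:44:55
2008-07-14 08:01:55 REJECT user=schmidt client=00:11:22:33:44:55
2008-07-14 08:02:31 REJECT user=miller client=aa:bb:cc:dd:ee:01
2008-07-14 08:02:45 REJECT user=miller client=aa:bb:cc:dd:ee:01
2008-07-14 08:03:02 REJECT user=miller client=aa:bb:cc:dd:ee:01
2008-07-14 08:03:20 REJECT user=miller client=aa:bb:cc:dd:ee:01
2008-07-14 08:03:41 REJECT user=miller client=aa:bb:cc:dd:ee:01
2008-07-14 08:04:05 REJECT user=miller client=aa:bb:cc:dd:ee:01
2008-07-14 08:04:30 ACCEPT user=miller client=aa:bb:cc:dd:ee:01
2008-07-14 08:05:00 INFO accounting flush completed
"""

# Constructed absence register: inclusive ISO date range during which the
# account should not appear in any successful login at all.
ABSENCES = {"miller": ("2008-07-07", "2008-07-27")}


def parse(lines):
    """Turn raw log lines into event dicts; lines in other formats are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "result": m["result"],
            "user": m["user"],
            "mac": m["mac"],
        })
    return events


def find_failure_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Users with at least `threshold` REJECTs inside any sliding `window`.

    Returns {user: highest count seen in one window}. A run of failures for a
    single account is what a dictionary or brute-force attempt leaves behind
    in the authentication log.
    """
    rejects = defaultdict(list)
    for e in events:
        if e["result"] == "REJECT":
            rejects[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in rejects.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def find_absent_logins(events, absences):
    """Successful logins for accounts whose owner is registered as absent.

    Returns a list of (user, timestamp string) pairs. A valid login while the
    owner is on holiday is the plausibility check the text asks for.
    """
    hits = []
    for e in events:
        if e["result"] != "ACCEPT":
            continue
        rng = absences.get(e["user"])
        if rng is None:
            continue
        day = e["ts"].date().isoformat()
        if rng[0] <= day <= rng[1]:
            hits.append((e["user"], e["ts"].isoformat(sep=" ")))
    return hits


def review(log_text, absences):
    """Run both checks over one log text and return the combined report."""
    events = parse(log_text.splitlines())
    return {
        "events": len(events),
        "failure_bursts": find_failure_bursts(events),
        "absent_logins": find_absent_logins(events, absences),
    }


if __name__ == "__main__":
    report = review(SAMPLE_LOG, ABSENCES)
    for user, n in report["failure_bursts"].items():
        print(f"possible password-guessing attempt: {user} ({n} failures)")
    for user, ts in report["absent_logins"]:
        print(f"login by absent user: {user} at {ts}")
```

Both checks only use information the authentication server already records; the absence register is the additional input an organisation has to maintain for the second check to work.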
Threats Catalogue: Human failure
T 3.3 Non-compliance with IT security safeguards
It is a relatively common occurrence that, due to negligence and insufficient
checks, people fail to implement the IT security safeguards, either completely
or in part, that have been recommended to them or that they are required to
implement. This can cause damage which otherwise could have been
prevented or minimised at the least. Depending on the function of the person
in question and the importance of the safeguard ignored, the resulting damage
could even be very serious.
IT security safeguards are frequently disregarded due to a lack of security
awareness. A typical sign of this is that recurring error messages are
ignored once users have become accustomed to them.
Examples:
- Storing diskettes or other information media in a locked desk does not
adequately protect them against unauthorised access when the key is kept
in the same office, e.g. on top of a cupboard or inside a card index.
- Passwords are written on a piece of paper and stored near a terminal or a
PC.
- Although it is widely known that the purpose of data backups is to
minimise potential damage, it is still common for damage to be caused by
the unintended deletion of data that subsequently could not be restored due
to inadequate backups. This is indicated in particular by the cases of
damage caused, for example, by computer viruses reported to the BSI.
- Entry to a computer centre is only supposed to be possible through a door
protected by an access control system (e.g. using a magnetic strip card
reader, chip card reader, or biometric procedures). However, the
emergency exit door is used as an additional entrance and exit even though
it is only supposed to be opened in an emergency.
- In a z/OS system, batch jobs were run on a daily basis to back up the
RACF database. The correct execution of these procedures was required to
be checked daily by the responsible administrators. However, since the
backups ran for several months without any problems, no one checked the
backup procedure any more. Only after the RACF databases of the
production system malfunctioned and they wanted to restore the databases
using the backups was it established that these batch jobs had not run for
several days. The result was that there were no up-to-date backups
available and the changes made during the last few days had to be entered
subsequently by hand. In addition to the considerable extra administrative
expense, this incident also introduced an uncertainty factor, as it was not
possible for all definitions to be reconstructed verifiably.
T 3.9 Improper IT system administration
Improper IT system administration can jeopardise the security of the system if
it results in disregard or circumvention of IT security safeguards.
An example of improper administration is enabling or failing to disable
network access points which are not necessary for the regular operation of the
IT system or which constitute a particularly serious threat due to their
error-proneness.
Insecure network access
One common problem is that user accounts are used when working on the
system which have more access rights than are required for the job. This
needlessly increases the risk of damage from viruses and Trojan horses. All
user accounts which are no longer needed must be deactivated.
Unnecessary access rights
Standard installations of operating systems or system software very rarely
offer all the features of a secure installation. A lack of adaptation to specific
security requirements can pose a substantial risk here. There is a heightened
risk of configuration errors in complex security systems, such as RACF under
z/OS. Many system functions interact with each other.
Poor installation
Particular care is called for with systems which, if incorrectly administrated,
could affect the protection of other systems (e.g. firewalls).
Any modification of security settings and extension of access rights constitute
a potential threat to overall security.
Examples:
- In addition to the dangers outlined in T 3.8 Improper use of the IT system,
the system administrator can create threats through the incorrect
installation of new or existing software. Examples of incorrect
administration include the non-use of logging facilities or failure to analyse
the available log files, granting access rights too widely and then failing to
review them at certain intervals, issuing log-in names or UIDs more than
once, and not using security tools where these are available, e.g. not using
a shadow file for the passwords under Unix.
Inadequate logging
- The older a password is, the less effective it becomes. This is because of
the perpetually increasing probability of a successful attack.
Ageing of passwords
- The administration of a firewall system requires particular attention as the
protection of many other systems depends on it.
- In a z/OS system the user files were protected by RACF profiles via
universal access in such a way that nobody had unregulated access to them
(UACC = NONE). Due to carelessness on the part of the administrator, an
entry in the conditional access list of the profile allowed READ access to
all IDs (* entry). As a result, despite the definition UACC=NONE, every
user in the system could look at the files via the conditional access list.
T 3.38 Errors in configuration and operation
Configuration errors arise when parameters and options with which a program
is started are set incorrectly or incompletely. This includes access rights which
are specified incorrectly. Operational errors, by contrast, are not a matter of
individual settings; rather, IT systems or applications as a whole are handled
incorrectly. An example of this is starting programs which are not necessary
for the purpose of the computer but could be misused by a perpetrator.
Examples of current configuration or operation errors are storing passwords
on a PC on which software from the internet is run without being checked
(such software was used in the spring of 98, for example, to spy out T-Online
passwords), or loading and executing defective ActiveX controls. These
programs, one of whose purposes is to make web sites more attractive through
dynamic contents, are run with the same permissions that the user has, and can
therefore delete, alter or send data at will.
Untested software
Many programs which were intended to relay data in an open environment
without restrictions can, with the wrong configuration settings, provide
potential perpetrators with data that they can misuse. In this way, for example,
the finger service can inform them how long a user has already been sitting at
a computer. Web browsers also transmit a series of information to the web
server (e.g. the version of the browser and the operating system in use, the
name and the internet address of the PC) whenever a query is made. Cookies
should also be mentioned in this context. These are files in which the
operators of web servers store data concerning the web user on the user's
computer. This data can be called up when the server is next visited and be
used by the operator of the server to analyse which web pages on the server
the user has already visited.
Disclosure of information
The use of a Domain Name System (DNS), which is responsible for
translating an internet name such as computer1.university.edu into the
corresponding numeric address, is a further source of danger. On the one
hand, an incorrectly configured DNS allows a large quantity of information
regarding a local network to be queried. On the other hand, perpetrators who
take over the server can send forged IP addresses, enabling them to control all
the data traffic.
Executable content in e-mails or HTML pages is another serious threat. This
is referred to as a content security problem. Files that are downloaded from the
internet can contain code which is executed without consulting the user
when they are merely "viewed". This is the case, for example, for macros in
WinWord files and was exploited to produce what are known as macro
viruses. Even new programming languages and programming interfaces, such
as ActiveX, JavaScript or Java, which were developed for applications on the
internet, also have the potential to cause damage if the control function is used
incorrectly.
Active content

In z/OS operating systems, the availability of the RACF security system is of
central importance to the availability of the entire system. This could be
restricted through improper use of z/OS utilities during the backup of the
RACF database or incorrect use of the RACF commands.
Defective RACF databases
T 3.43 Inappropriate handling of passwords
Even the use of well-thought-out authentication methods does not help much
when the users do not handle the necessary access resources carefully. It does
not matter whether passwords, PINs, or authentication tokens are used; such
items are disclosed to others or stored insecurely again and again.
Users often give their passwords to other users for reasons of convenience.
Passwords are often shared by the members of work groups to make accessing
the shared files to be processed by the employees easier. Requiring the use of
passwords is often considered to be a hassle, with the result that the passwords
are never changed or that all employees use the same password.
Disclosure of passwords or tokens
If a token-based procedure is used for user authentication (e.g. chip cards or
one-time password generators), then there is a danger when the token is lost
that the token will be used without authorisation. An unauthorised user may be
able under certain circumstances to successfully establish a remote access
connection using this token.
Loss of an authentication token
Due to the large number of different passwords and PINs, users are often
unable to remember them all. For this reason, passwords are constantly being
forgotten, which sometimes results in a lot of effort to enable the user to
resume working with the system. Authentication tokens can also become lost.
Even in very secure IT systems, the loss of a password or token can lead to the
loss of all user data.
Too many different passwords
Passwords are often written down so they are not forgotten. This is not a
problem as long as they are stored carefully and protected against
unauthorised access. Unfortunately, this is not always the case. A classic
example is storing the password on a note under the keyboard or on a label
stuck to the screen. You will also often find authentication tokens under the
keyboard.
Passwords stored under the keyboard
Another trick used so that passwords are not forgotten is to select a "suitable"
password. If users are permitted to select their own passwords and are not
adequately sensitised to the problems with this, then trivial passwords such as
"Bob" or the names of friends are selected in many cases.
Passwords that are too simple
Examples:
- In one company, it was discovered while performing random checks that
many passwords were poorly selected or were changed too infrequently. The
users were then technically forced to change their passwords monthly, and
the passwords were also required to contain numbers or special characters.
It turned out that one administrator selected his passwords as follows:
January98, February98, March98, ...
- In a government agency, it was discovered that users whose offices faced
the street often used the same password: the name of the hotel across the
street, whose large, illuminated letters dominated the view from these
offices.
T 3.84 Incorrect configuration of WLAN infrastructure
Access points and other WLAN components offer a number of configuration
settings, some of which in particular affect the use of security functions. If
the wrong settings are specified on such components, then it may be impossible
to communicate over the access point, or communication may be carried out
without sufficient protection even though the user assumes protection has been
provided. The faulty configuration of WLAN components can cause various
security problems, for example:
- If an access point is not adequately protected against unauthorised access,
then someone may be able to make changes to its configuration, which
then open additional security gaps.
- Availability problems or security gaps can arise due to non-uniform
configuration of the WLAN security mechanisms on the access points.
- If the Internet can be accessed over a WLAN, then anyone who can
connect to the WLAN can also use the Internet without using any
additional filter mechanisms.
- Granting permissions for shared directories or other system resources too
generously on a WLAN client can permit an attacker to access the client
without being noticed.
- If the personal firewall of a WLAN client is not correctly configured or has
been disabled by the user, then the client may be subject to attacks at the
operating system level under certain circumstances. This is especially a
problem in outside environments and hotspots.
Remote support accesses to WLANs always cause security problems when
these accesses are not adequately secured and are used over insecure
networks. If the configuration is incorrect in this case, then this can lead to the
compromising of a WLAN client, for example, and an attacker could then gain
information on how to access the WLAN. This information can then be used
to attack the entire WLAN and eventually any LAN connected to the WLAN.
Threats Catalogue: Technical failure
T 4.60 Uncontrolled radio wave propagation
Wireless networks and the radio waves emitted often radiate beyond the limits
of the rooms the networks are used in so that it is possible for data to be
transmitted to areas which cannot be controlled and secured by the users or the
organisation. It is therefore possible to record the data with minimal effort,
and this type of eavesdropping is only detected in a small fraction of all cases.
The goal of such attacks may be to obtain or manipulate sensitive information.
Due to the inadequate protection of many wireless networks, it is often enough
just to record and analyse the wireless communications over a period of time,
even if the data is transmitted in encrypted form, because the cryptographic
key can be calculated afterwards from the data collected, and the transmitted
data can then be decoded. Furthermore, directional antennas can be used to
receive and capture data from the wireless network outside the limits of the
network's specified range.
Example:
A laptop with a WLAN card, together with a few freely available WLAN
applications, is all that is required to search for poorly secured WLANs. When
wardriving, for example, people drive around a certain region, a city district,
or a typical office environment with a WLAN client and record where and
which WLANs are broadcasting and how poorly secured they are. In this case,
the data can also be linked directly with GPS data to determine the geographic
location of the WLANs found. Afterwards, poorly secured WLANs are
attacked specifically to gain free access to the Internet.
T 4.61 Unreliable or missing WLAN security mechanisms
In their delivered configurations, WLAN components are often configured so
that only a few security mechanisms are activated, or possibly none at all.
Some of these mechanisms are also unreliable and do not offer adequate
protection. Even today, there are various WLAN components in use and
available as new devices on the market that only support inadequate security
mechanisms such as WEP. In some cases, these devices cannot even be
updated to obtain stronger security mechanisms.
If no or only weak mechanisms are available to adequately secure the wireless
interface and the services used over the WLAN, then secure communication is
impossible in the WLAN. This poses additional threats to all components
linked together in the network, including, for example, all data also stored on a
WLAN client or in a LAN, which can adversely affect the entire IT
infrastructure of a government agency or company. In the following, examples
of possible security problems are listed.
WEP
If the wireless communication in the WLAN is not protected at all or only
protected with WEP, then an attacker can easily listen in on all WLAN
communication and often gain possession of confidential information. When
using some devices such as WLAN-enabled printers, users are often unaware
that a WLAN connection is established in this case, and the network is
therefore inadequately secured. An attacker, though, may not only be able to
listen in on the printed data, but may also be able to access components in the
background system through the WLAN components.
SSID Broadcast
When transmitting data between two neighbouring wireless cells, the SSID
(Service Set Identifier or network name) is used to find the next access point.
Some access points offer capabilities for suppressing the transmission of the
SSID in the broadcast mode to hide the WLAN from unauthorised persons
(referred to as a "closed system"). However, WLAN analysers can be used in
this case as well to determine the SSID using other management and control
signals.
Ability to manipulate MAC addresses
Every network card has its own, unique hardware address referred to as the
MAC address (Media Access Control address). The MAC addresses of the
WLAN clients can be easily intercepted and manipulated, meaning the MAC
address filters often built into the access points for the purpose of access
protection can be easily overcome.
No key management
Cryptographic keys must be distributed manually in many WLANs, i.e. the
same static key must be entered in every WLAN client and access point. This
requires physical access to the components. This type of key management
often leads to the following situation in actual practice:
the cryptographic keys are very seldom changed or not changed at all. If a
WLAN key is disclosed, then the entire WLAN is compromised in this case.
Vulnerabilities during administrative accesses to access points
Many access points offer different interfaces and protocols for administration
purposes and permit their use over the LAN interface as well as over the
wireless interface. When administration is performed over the wireless
interface using plain text protocols such as Telnet, HTTP, or SNMP, the
administration passwords transmitted over the WLAN can be intercepted.
Attackers could use this information to reconfigure the access point.
Encrypted versions of the access protocols mentioned are often not supported
or their use is not forced on the access points.
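A configuration audit that covers the weaknesses described in T 3.84 and T 4.61 (WEP or no encryption, a hidden SSID or a MAC filter relied on as protection, static keys that are never changed, plain-text administration protocols reachable over the wireless interface, and non-uniform settings across the access points of one WLAN), as an added example that is not part of the catalogue. The inventory schema, the field names, the WPA2 baseline, the 90-day key-rotation limit and the two sample access points are all assumptions constructed for this example, not any vendor's export format.

```python
from datetime import date

# Plain-text administration protocols named in the text; reachable over the
# wireless interface they expose the administration password to anyone in range.
PLAINTEXT_ADMIN = {"telnet", "http", "snmpv1", "snmpv2c"}
# Assumed baseline for this example: WPA2 with AES-CCMP.
BASELINE_ENCRYPTION = {"wpa2-ccmp"}
MAX_STATIC_KEY_AGE_DAYS = 90  # assumed rotation interval for static keys

# Constructed sample inventory (hypothetical schema): one badly configured
# access point in a meeting room and one configured to the baseline.
SAMPLE_APS = [
    {
        "name": "ap-meeting-room",
        "ssid": "corp-wlan",
        "encryption": "wep",
        "hide_ssid": True,
        "mac_filter": True,
        "key_type": "static",
        "key_last_changed": date(2005, 1, 10),
        "admin_protocols": ["telnet", "http"],
        "admin_over_wlan": True,
    },
    {
        "name": "ap-office-2",
        "ssid": "corp-wlan",
        "encryption": "wpa2-ccmp",
        "hide_ssid": False,
        "mac_filter": False,
        "key_type": "dynamic",  # per-session keys via IEEE 802.1X
        "key_last_changed": None,
        "admin_protocols": ["ssh", "https"],
        "admin_over_wlan": False,
    },
]
AUDIT_DATE = date(2008, 7, 14)  # constructed reference date for key age


def audit_access_point(ap, today):
    """Return the list of findings for one access point configuration."""
    findings = []
    enc = ap.get("encryption", "none")
    weak_link = enc in ("none", "wep")
    if enc == "none":
        findings.append("no link encryption: all WLAN traffic can be read in range")
    elif enc == "wep":
        findings.append("WEP in use: the key can be recovered from recorded traffic")
    elif enc not in BASELINE_ENCRYPTION:
        findings.append(f"encryption '{enc}' below baseline {sorted(BASELINE_ENCRYPTION)}")
    # A "closed system" and a MAC filter only matter when they are the sole
    # protection: the SSID still appears in other management frames and MAC
    # addresses can be changed by the client.
    if ap.get("hide_ssid") and weak_link:
        findings.append("hidden SSID relied on for protection; SSID is still visible in management frames")
    if ap.get("mac_filter") and weak_link:
        findings.append("MAC filter relied on for access control; MAC addresses can be changed by the client")
    if ap.get("key_type") == "static":
        changed = ap.get("key_last_changed")
        if changed is None or (today - changed).days > MAX_STATIC_KEY_AGE_DAYS:
            findings.append("static key never or too rarely changed; one disclosure compromises the whole WLAN")
    if ap.get("admin_over_wlan"):
        for proto in ap.get("admin_protocols", []):
            if proto in PLAINTEXT_ADMIN:
                findings.append(f"plain-text administration protocol '{proto}' reachable over the wireless interface")
    return findings


def check_uniformity(aps):
    """SSIDs whose access points disagree on the encryption setting (T 3.84)."""
    by_ssid = {}
    for ap in aps:
        by_ssid.setdefault(ap["ssid"], set()).add(ap.get("encryption", "none"))
    return {ssid: sorted(encs) for ssid, encs in by_ssid.items() if len(encs) > 1}


def audit_all(aps, today):
    """Per-access-point findings plus the cross-device uniformity check."""
    return {
        "per_ap": {ap["name"]: audit_access_point(ap, today) for ap in aps},
        "non_uniform_ssids": check_uniformity(aps),
    }


if __name__ == "__main__":
    report = audit_all(SAMPLE_APS, AUDIT_DATE)
    for name, findings in report["per_ap"].items():
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  - {f}")
    for ssid, encs in report["non_uniform_ssids"].items():
        print(f"SSID {ssid!r} uses inconsistent encryption settings: {encs}")
```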
Threats Catalogue: Deliberate acts
T 5.71 Loss of confidentiality of classified information
In the case of classified information (such as passwords, person-related data,
certain business-related and official information, research & development
data) there is an inherent danger of the confidentiality of this information
being impaired inadvertently or intentionally. Classified information can be
tapped from various sources, including
- Internal storage media (hard disks)
- External storage media (floppy disks, magnetic tapes)
- Printed paper (hardcopies, files)
- Data communications lines.
There are various ways of actually obtaining the confidential information:
- Reading out data
- Copying data
- Reading of data backups
- Theft of data media for the purpose of evaluation
- Monitoring data transmission lines
- Viewing data on a screen.
The more classified a piece of information, the higher the incentive for third
parties to obtain and misuse it.
T 5.137 Analysis of connection data relating to wireless communication
When using wireless communication, the signals transmitted over the
transmission route cannot be shielded physically against unauthorised
eavesdropping or recording. For this reason, an attacker could execute his
attack without the access problems common to line-based communication. In
wireless networks using several base stations to support communication in a
large area, for example cellular mobile communication networks, it is also
common to determine the approximate location of the mobile end devices to
ensure they can be accessed quickly. If the devices establish a connection
themselves, then they also provide information on their location in the course
of establishing the connection. This location information can be used by the
network operator or service operator - but also by third parties - to form
movement profiles.
Examples:
- In WLANs based on IEEE 802.11, the hardware address of a WLAN card,
also known as the MAC address, is sent every time data is transmitted.
This means that a clear relationship can be established between the MAC
address of the wireless client and the time and location of the data
transmission.
In this manner, movement profiles can be created for mobile users, for
example when and where the users log in to public hotspots. Since these
MAC addresses are transmitted in unencrypted form, it is not only the
operators of the hotspots who can create movement profiles. In principle,
anyone who installs a wireless LAN component in a suitable public place
can intercept the MAC addresses of other users.
- The wireless communication of Bluetooth connections can be received
passively and recorded with the help of Bluetooth protocol analysers. With
knowledge of the device addresses, synchronisation with the frequency
hopping sequence can even be performed when the devices are in the
"non-discoverable" mode. All layers of the Bluetooth protocol stack can be
viewed and analysed offline. It is also possible to extract and intercept the
transmitted user data (payload) when encryption is not used. Through the
use of a directional antenna and suitable electronics to amplify the
Bluetooth signal received, this type of eavesdropping can also be
performed at an even greater distance than the normal functional range. A
transmission output power control is optional and is not supported by every
Bluetooth device.
The use of the frequency hopping method alone therefore does not
represent a serious obstacle for a well-informed attacker even though it is
often written that this makes it significantly more difficult to log in without
authorisation or receive and listen in on Bluetooth connections. The reason
for using a frequency hopping method is to keep the number of
transmission errors due to interference from the operation of other devices
(e.g. WLANs) using the same frequency band small, and therefore to
ensure a high level of availability.

- The unique Bluetooth device addresses can be misused to trace
individual devices. By tracing the devices, it is possible to create
movement profiles of the users. The device address is not only used to
establish a connection; each data packet also contains part of the device
address of the master (24 of the 48 bits).
T 5.138
T 5.138 Attacks on WLAN components
Security deficiencies in the wireless communication, in individual WLAN
clients, in access points, or in the distribution system can lead to attacks being
successful. In this case, internal data can be read or changed, but WLAN
components can also be manipulated so that they in turn can be used as points
of entry for attacks on other networks and network components.
Intentionally interfering with the wireless network
A WLAN can be deliberately disrupted by operating sources of interference,
also referred to as jammers. This can lead to the complete failure of a WLAN
and therefore represents a denial-of-service attack at the physical level. The
source of interference, when it has sufficient transmitting power, can also be
located outside of the area in which the WLAN is used.
Simulating a valid authentication
An attacker could record, analyse, and then resend certain control and
management signals to simulate a valid authentication of a WLAN component
in the WLAN, and therefore obtain unauthorised access to the WLAN.
Simulating a valid access point
A man-in-the-middle attack can be performed by smuggling access points into
a WLAN from the outside (also referred to as "cloning" or an "evil twin"). To
accomplish this, an additional access point can be installed near a client. If this
access point provides the WLAN client with a higher transmitting power than
the real access point, then the client will use it as its base station when mutual
authentication is not enforced. Furthermore, the official access point may be
disabled by a denial-of-service attack. The users then operate in a network that
only pretends to be the target network. This makes it possible for an attacker
to listen in on communications.
Poisoning or spoofing methods can also simulate a false identity for an
attacker or redirect the network traffic to the systems of the attacker, meaning
the attacker can intercept and control communications.
Compromising the distribution system
In addition to connecting an outside access point, it is also possible to
compromise the distribution system by inserting an external hub or switch
between the access point and distribution system, provided that this area is
accessible.
By connecting a protocol analyser, all communication between the access
point and distribution system can be recorded. Furthermore, using
corresponding tools, an active attack on the infrastructure or on a client of the
associated access point can be performed. "Breaking" the WLAN encryption
is not even necessary in this case since data is transmitted completely
unencrypted in the LAN section of the distribution system when no encryption
mechanisms are used at the application level or protocol level, for example
using VPN technologies.
Attacks on WLAN clients
When a client connects to a WLAN, there are additional threats to the local
data on the client. On one hand, attacks could be carried out on WLAN
mechanisms, but also on any vulnerabilities of the operating system used. A
client manipulated in this manner can lead to the compromising of the entire
WLAN, and in the worst case, of the entire IT infrastructure of the
organisation.
When data is transmitted in unencrypted form in the WLAN, an attacker can
also easily listen in on communications when the data is easily exploitable, as
is the case with VoIP voice data, for example.
The inadequately planned use of a WLAN client in a wireless network which
is not trustworthy (for example a hotspot or ad-hoc network) entails additional
dangers. Examples of some of these dangers are listed in the following:
- With the help of spoofing tools, an attacker could install tools on the client
of a WLAN user to compromise the network.
- An attacker could examine the vulnerabilities of the network services and
functions on the client and exploit them under some circumstances. This
could then enable the attacker to access the computer if unsuitable
passwords are selected or the personal firewall is not configured properly.
Attacks on access points
Attacks can also be performed via the clients on other WLAN components,
and therefore on the connected network. If there are no security mechanisms
for mobile components and transmission standards or they are poorly
configured, then attackers could exploit this to gain unauthorised access to the
internal network of a government agency or company. Every additional
component integrated into a network creates additional network access points
which are sometimes difficult to control. Every network connection available
has the potential to be misused to eavesdrop on the network.
T 5.139 Tapping of WLAN communication
Since wireless networks are a shared medium, the data transmitted over a
WLAN can be easily recorded. The following information, among other
information, can be gained from the recorded data:
- WLAN parameters such as the SSID, wireless channel used, and
encryption method used
- MAC addresses of the communication partners in the WLAN
Furthermore, the broadcasts and multicasts of all stations in the broadcast
domain on the WLAN, including the stations in the cable-based LAN, can be
monitored provided that these packets are not filtered on the access point. In
spite of the use of encryption, an attacker can still determine the MAC
addresses, and therefore the manufacturers, of all stations in the broadcast
domain as well as the multicast addresses used, and can therefore obtain
information on which Layer 2 protocols are used. When poor encryption is
used, the NETBIOS browser messages, and therefore information on the
server services in the LAN, are directly accessible.
When encryption is not used or only poor encryption is used, the following
information can still be accessed:
- IP addresses of and ports used by the communication partners in the
WLAN
- Possibly the user data transmitted, provided that this data is not protected at
the application level through the use of a VPN, SSL, or some other
encryption mechanism.
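Everything listed above is readable from unencrypted management frames, which is also what makes the search for unauthorised access points called for in S 2.382 possible. The following Python code is an added example, not part of the catalogue: it parses constructed beacon frames for BSSID, SSID, channel and advertised security method and flags access points that are not on the organisation's list, that reuse the organisation's SSID (the "evil twin" of T 5.138), or that announce WEP or TKIP. Element IDs, suite selectors and the capability bit are those of IEEE 802.11/802.11i; the BSSIDs, SSIDs and the allowlist are constructed values.

```python
"""Beacon-frame audit (added example): what a WLAN analyser can read without any
key, and which access points are unauthorised or weakly secured. Constructed frames."""
import struct
from dataclasses import dataclass, field

# Element IDs and suite selectors from IEEE 802.11 / 802.11i
IE_SSID, IE_DS_PARAM, IE_RSN, IE_VENDOR = 0, 3, 48, 221
OUI_80211 = bytes.fromhex("000fac")   # suite selector OUI defined in 802.11i
OUI_WPA = bytes.fromhex("0050f2")     # OUI used by the WPA (pre-802.11i) IE
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}
CAP_PRIVACY = 0x0010                  # capability bit: data frames encrypted

@dataclass
class Beacon:
    bssid: str
    ssid: str
    channel: "int | None"
    security: str                     # Open, WEP, WPA-TKIP, WPA2-CCMP, ...
    akms: list = field(default_factory=list)

def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def _suites(body: bytes, oui: bytes):
    """Pairwise ciphers and AKMs of an RSN/WPA IE body (starting at version)."""
    n, off = struct.unpack_from("<H", body, 6)[0], 8           # pairwise count
    ciphers = [CIPHERS.get(body[off + 4 * k + 3], "?") for k in range(n)
               if body[off + 4 * k:off + 4 * k + 3] == oui]
    off += 4 * n
    m, off = struct.unpack_from("<H", body, off)[0], off + 2   # AKM count
    akms = [AKMS.get(body[off + 4 * k + 3], "?") for k in range(m)
            if body[off + 4 * k:off + 4 * k + 3] == oui]
    return ciphers, akms

def parse_beacon(frame: bytes) -> Beacon:
    if frame[0] & 0xFC != 0x80:                         # type 0, subtype 8
        raise ValueError("not a beacon frame")
    bssid = _mac(frame[16:22])                          # Address 3 of the header
    cap = struct.unpack_from("<H", frame, 34)[0]        # after timestamp + interval
    ssid, channel, rsn, wpa = "", None, None, None
    body, i = frame[36:], 0
    while i + 2 <= len(body):                           # walk the element list
        eid, ln = body[i], body[i + 1]
        data = body[i + 2:i + 2 + ln]
        if len(data) < ln:
            break                                       # truncated element
        if eid == IE_SSID:
            ssid = data.decode("utf-8", "replace")
        elif eid == IE_DS_PARAM and ln == 1:
            channel = data[0]
        elif eid == IE_RSN:
            rsn = data
        elif eid == IE_VENDOR and data[:4] == OUI_WPA + b"\x01":
            wpa = data[4:]
        i += 2 + ln
    if rsn is not None:
        ciphers, akms = _suites(rsn, OUI_80211)
        return Beacon(bssid, ssid, channel, "WPA2-" + "/".join(ciphers), akms)
    if wpa is not None:
        ciphers, akms = _suites(wpa, OUI_WPA)
        return Beacon(bssid, ssid, channel, "WPA-" + "/".join(ciphers), akms)
    return Beacon(bssid, ssid, channel, "WEP" if cap & CAP_PRIVACY else "Open")

def audit(frames, authorised_bssids, org_ssids):
    """Findings an administrator should follow up (the S 2.382 measurement task)."""
    findings = []
    for b in map(parse_beacon, frames):
        if b.bssid not in authorised_bssids:
            what = ("unauthorised AP using organisation SSID (possible evil twin)"
                    if b.ssid in org_ssids else "unauthorised access point")
            findings.append((b.bssid, b.ssid, what))
        if b.security in ("Open", "WEP") or "TKIP" in b.security:
            findings.append((b.bssid, b.ssid, f"weak security: {b.security}"))
    return findings

def _ie(eid: int, data: bytes) -> bytes:
    return bytes([eid, len(data)]) + data

def build_beacon(bssid_hex, ssid, channel, privacy, extra=b""):
    """Constructed beacon: 24-byte MAC header, fixed fields, then elements."""
    bssid = bytes.fromhex(bssid_hex)
    header = bytes.fromhex("80000000ffffffffffff") + bssid + bssid + b"\x00\x00"
    fixed = bytes(8) + struct.pack("<HH", 100, CAP_PRIVACY if privacy else 0)
    return (header + fixed + _ie(IE_SSID, ssid.encode())
            + _ie(IE_DS_PARAM, bytes([channel])) + extra)

RSN_CCMP_PSK = _ie(IE_RSN, bytes.fromhex("0100 000fac04 0100 000fac04 0100 000fac02 0000"))
WPA_TKIP_PSK = _ie(IE_VENDOR, bytes.fromhex("0050f201 0100 0050f202 0100 0050f202 0100 0050f202"))
AUTHORISED = {"00:11:22:33:44:01", "00:11:22:33:44:03"}   # constructed allowlist
ORG_SSIDS = {"corp-wlan"}
SAMPLE_FRAMES = [
    build_beacon("001122334401", "corp-wlan", 6, True, RSN_CCMP_PSK),  # WPA2, sanctioned
    build_beacon("001122334402", "corp-wlan", 11, True),               # WEP twin
    build_beacon("001122334403", "guest", 1, True, WPA_TKIP_PSK),      # TKIP, sanctioned
    build_beacon("aabbccddeeff", "free-wifi", 13, False),              # open, unknown
]
```

Running audit(SAMPLE_FRAMES, AUTHORISED, ORG_SSIDS) yields five findings for the four constructed frames; only the sanctioned WPA2/CCMP access point is clean.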
S 1.63 Appropriate location of access points
Initiation responsibility: Head of IT, IT security management
Implementation responsibility: Internal Services Division, Administrator
Secure mounting of access points
To prevent manipulation to the access points, they should be installed in metal
housings or secured in place with metal brackets which permit mounting on
the wall. Installation in raised floors, intermediate ceilings, or suspended
ceilings and the use of external antennas is possible. Depending on the shape
of the antenna, even a specialist might not be able in this case to determine if
the object is a fire detector or an antenna for an access point.
Spaces and locations in which persons who are not trusted may be present for
a longer period of time without being observed (outdoor areas, stairwells)
should, as a rule, not be considered as possible installation locations when the
access points will be visible and their shape is not disguised. However, access points
without routing functionality can be installed in these areas. This prevents
unauthorised persons from reading any detailed information on the structure of
the network, which then reduces the number of possible attack points on the
WLAN and on any LANs connected to it.
For a minimal level of protection, the access point should be securely bolted to
a location inaccessible without additional tools or in a location hidden from
view.
Positioning the access points
The position and direction of an access point has a critical influence on the
transmission quality and throughput of a WLAN. In general, the emission of
radio waves into areas which are not intended to be supplied by the WLAN
should be reduced as much as possible. This not only reduces the number of
possible points of attack, but also improves the level of service to the coverage
area actually desired. Directional antennas, which bundle the electromagnetic
waves radiated in a certain direction and therefore achieve a directionally
dependent amplification effect (referred to as the antenna gain), can be used to
accomplish this. This amplification effect must be adjusted to match the
transmitting power of the access point. Some access points support adjustable
settings for the transmitting power. In this manner, the coverage area will be
illuminated with the necessary signal strength while simultaneously making it
more difficult to access the WLAN from outside this area since only
comparatively poor reception conditions prevail here now. A prerequisite for
this is suitable positioning of the access point and of the antenna, which can be
performed based on a corresponding measurement of the illumination.
When outdoor areas are to be supplied, antenna installations (antennas and
possibly access points) must be suitably protected against the effects of
weather, electrical discharges, and unauthorised access. The installation of
access points outside of buildings should be avoided if possible.
When mounting antennas on the rooftops of buildings, the antennas must be
protected against lightning. The antenna must be correspondingly shorter
than the lightning rod and must be placed far enough away from the lightning
rod.
Protection for outside antennas
This also applies to high-voltage power lines, i.e. a certain distance must be
maintained. Antennas installed outdoors which may be subject to hazardous
electrical discharges (this always applies to antennas mounted on rooftops)
should be connected to a special overvoltage protector which quickly detects
and shunts current and voltage spikes. The overvoltage protection is mounted
between the antenna and the access point (usually inside the building or in a
comparably well-protected place) and must be provided with a sufficiently
dimensioned earthing connection. Access points generally should not be
installed in areas which could be subject to electrical discharges.
If in special cases the access points are installed outside of a suitably
climatised building, then it must be ensured that the access points are
adequately protected against moisture, frost, and heat. Outside antennas are to
be suitably protected against snow accumulations. They must be mounted in a
location protected from the wind or, if this is not possible, be mounted tightly
enough so that even high-intensity winds will not change the direction of the
antenna.
Additional controls:
- How are the access points protected against unauthorised access?
- Are you sure that the access points only supply the desired coverage area?
Do they supply the coverage area optimally?
S 2.381 Determining a strategy for the use of WLAN
Initiation responsibility: Public agency/company management, Head of
IT, IT security management
Implementation responsibility: Head of IT, IT security management
Before WLANs are used in an organisation, the general strategy taken by the
organisation in terms of WLAN usage must be specified. In particular, it must
be clarified in which organisational units, for which applications, and for what
purpose WLANs will be used as well as which information is permitted to be
communicated in a WLAN. The areas for which the WLANs will be set up
(this could be, for example, environments in which the users often move
through certain areas) as well as the areas in which no WLAN at all is
permitted to be available (extending up to active shielding) should also be
specified.
WLAN components can be used, for example, to
- supply blanket coverage to an organisation, a single department, or a
production area with a wireless network,
- enable the use of mobile components in individual rooms, e.g. in meeting
rooms,
- provide a commercial WLAN for external users (hotspots).
Wireless networks can be set up with or without connections to other
networks, which also has a significant influence on the threat scenario and
therefore on the security safeguards to be taken as well. Depending on the
intended use and environment in which the WLAN is set up, the security
safeguards necessary may differ significantly. This must be considered in all
cases when formulating the security policies and regulations for WLAN
usage. The decisions should be documented together with the reasons for the
decisions.
When setting up a wireless network, a significant amount of planning is
necessary to achieve the stability, transmission quality, and security required
for professional use (see also S 2.383 Selection of a suitable WLAN standard
and S 5.140 Setting up a distribution system).
Those responsible for IT as well as the IT Security Management in an
organisation should be completely aware of the fact that many technical
aspects in wireless communication systems, and especially in WLANs, are
subject to rapid developments and changes. For IT Security Management and
for those responsible for IT, this means on one hand that more expense is
generally required to achieve secure operation of the WLAN, and on the other
hand that the effectiveness of IT security safeguards must be tested more often
than on other systems, and adapted more often to changes.
Expense is high for secure operation
The following points are important for the secure operation of wireless
networks and the IT systems connected to them:
- The method of operation and technology of the wireless communication
system used must be completely understood by those responsible for its
operation.
- The security of the technology used should be evaluated regularly.
Likewise, the security settings of the IT systems used (e.g. access points,
laptops, PDAs) should be examined regularly.
- The subject of WLAN usage must be handled in the security policy of the
organisation, and every change to the WLAN usage must be coordinated
with IT Security Management.
- To reliably secure the transmitted data, specifications must be worked out
that deal with, among other things, the selection and configuration of
adequate encryption and authentication methods as well as with key
management.
- The minimum WLAN standard, e.g. IEEE 802.11g, that must be supported
by the WLAN components must be defined to guarantee secure
interoperation of the individual components and to be able to use the
necessary security mechanisms throughout the entire coverage area.
Use of WLAN components
Many IT systems used by end users such as laptops or PDAs contain WLAN
functionality that is usually enabled by default. It must be ensured that no
"wild" WLAN usage is possible using this functionality, and there must be
clear rules stating whether or not it is permitted to use this WLAN
functionality (and if yes, under what conditions).
Additional controls:
- Is the use of the WLAN permitted?
- Is there a documented strategy for WLAN usage?
- Has the minimum WLAN standard that needs to be supported by the
WLAN components used been specified?
S 2.382 Drawing up a security policy for the use of
WLAN
Initiation responsibility: Head of IT, IT security management
Implementation responsibility: Head of IT, IT security management,
Administrator
Suitable security policies must be established for the use of WLAN
components in government agencies and companies. These WLAN-specific
security policies must conform to the general security concept and the general
security policies of the organisation. They must be checked regularly to ensure
they are up to date and modified if necessary. The WLAN-specific rules can
be added to the existing guidelines or can be collected in a separate guideline.
A WLAN security policy should contain the following points, among others:
- It should describe who is permitted to install, configure, and use WLAN
components in the organisation. A number of conditions must be specified
for this purpose, for example:
- Which information may be disclosed over WLAN components
- Where the WLAN components are used and where access points
may be set up
- Which internal or external networks the WLAN is permitted to
connect to
- Security safeguards and a standard configuration must be specified for all
WLAN components.
- When security problems are suspected, the person responsible for security
must be informed of this so that additional steps can be taken (see also
B 1.8 Handling of security incidents).
Handling incidents
- The administrators as well as the users of WLAN components should be
informed and/or receive training on the threats posed by WLAN
components and the corresponding security safeguards to follow.
WLAN security training
- The correct implementation of the security safeguards described in the
WLAN security policy should be checked regularly.
User guidelines for WLAN usage
To prevent overloading users with too many details, it may make sense to
create a separate WLAN user guideline. In this case, the user guideline should
contain short descriptions of the special aspects related to WLAN usage, for
example:
- To which other internal and external networks the WLAN client is
permitted to connect
- Under what general conditions clients are permitted to log in to an internal
or external WLAN
- If and how hotspots are allowed to be used
- That the ad-hoc mode is to be disabled so that no other client can directly
access the WLAN
- What steps need to be taken if it is suspected that a WLAN client has been
compromised, and in particular, who must be informed in this case
It is also important to clearly describe how to handle security solutions on the
clients. This includes, for example, rules stating that
- no security-related configurations may be changed,
- a virus scanner must always be activated,
- existing personal firewalls may not be disabled (see also S 5.91 The Use of
Personal Firewalls for Internet PCs),
- all shared directories or services must be deactivated or at least protected
by good passwords, and
- only special user accounts with restrictive rights should be used when
using an external WLAN.
In addition, the user guideline should contain a clearly stated ban on
connecting unauthorised access points. Furthermore, the guideline should
specify, especially for the use of classified information such as
classified materials, which data may be handled in the WLAN, which data is
permitted to be transmitted over the WLAN, and which is not. Users
should be sensitised to WLAN threats and be familiar with the contents and
consequences of the WLAN guideline.
Guidelines for administrators of a WLAN
In addition, WLAN-specific guidelines for administrators should be created
which can be used as the basis for training the administrators. It should specify
who is responsible for the administration of the various WLAN components,
which interfaces are available between the administrators responsible for
operations, and when which information must flow between the persons
responsible. It is common for one organisational unit to be responsible for the
operation of the active components (distribution system and access points)
while a different organisational unit is responsible for supporting WLAN
clients or for identity and authorisation management.
The WLAN guidelines for administrators should also contain the essential,
core aspects of the operation of a WLAN infrastructure, for example:
- Specification of a secure WLAN configuration and definition of secure
standard configurations
- Use of a WLAN management system
- Selection and configuration of cryptographic methods including key
management
- Regular evaluation of log files, at least those of the access points
- Performing WLAN measurements: the configuration and the network
coverage of access points and clients should be checked regularly using a
WLAN analyser and a network sniffer. When checking, unauthorised
WLAN clients and access points within the boundaries of the organisation
should be searched for in particular.
- Initial operation of replacement systems
- Safeguards when the WLAN has been compromised
Even if there are no WLANs officially installed in an organisation, IT Security
Management should still ensure that the systems are scanned regularly for
unauthorised WLAN component installations.
All WLAN users, both general users and administrators, should confirm with
their signature that they have read the contents of the WLAN security policy
and will follow the instructions defined in the security policy. No one should
be allowed to use the WLAN without this written confirmation. The signed
declarations should be kept in a suitable location, for example in the personnel
file.
Additional controls:
- Is there an up-to-date security policy for WLAN usage?
- How do you check if the users are following the security policy for WLAN
usage?
- Does every WLAN user have a copy of the WLAN guidelines or an
instruction sheet with an overview of the most important security
mechanisms?
- Is the security policy for WLAN usage part of the training program on IT
security safeguards?
S 2.383 Selection of a suitable WLAN standard
Initiation responsibility: Head of IT, IT security management
Implementation responsibility: Head of IT, IT security management,
Administrator
In the context of WLAN planning, an analysis of the current situation must be
performed first to determine which of the systems in the organisation operate
in the ISM band at 2.4 GHz and in the 5 GHz band. After the analysis of the
current situation is complete, it can be determined from the analysis which
WLAN standard can be used. The WLAN standards IEEE 802.11,
IEEE 802.11b, and IEEE 802.11g use the 2.4 GHz band while the
IEEE 802.11a and IEEE 802.11h standards operate in the 5 GHz band. By
selecting the correct frequency band, interference in the WLAN generated by
other systems operated by the organisation can be prevented. Only the
IEEE 802.11 and IEEE 802.11i standards contain descriptions of security
mechanisms.
In addition to these technical considerations, the security mechanisms
available in the individual WLAN standards must be compared to each other.
In general, only methods generally recognised as secure should be used for
authentication and encryption. In this case, it must be ensured that recognised
cryptographic methods with sufficient key lengths as well as collision-free
hash procedures are used (see also S 2.164 Selection of a suitable
cryptographic procedure). When using WPA or WPA2, it is recommended to
use authentication procedures with mutual authentication. In procedures with
mutual authentication, the WLAN client must provide authentication to the
access point and vice-versa. A secret text, the pre-shared key, or the EAP
framework with a RADIUS server can be used for authentication purposes. If
a high protection level is required, then it is recommended to use device and
user authentication so that only those clients known to the organisation (and
configured according to the security policies) are permitted to access the
WLAN.
The IEEE 802.11 standard, for example, uses Wired Equivalent Privacy
(WEP) with static keys, which has been determined to be insecure. For this
reason, WLANs in which WEP is used should not be used without additional
security safeguards in areas in which confidential information will be
transmitted. In this case, the Wi-Fi Protected Access (WPA) method created
by the Wi-Fi Alliance should be selected. Even better is the use of the
supplemental IEEE 802.11i standard and WPA2 to secure WLAN
communication. The standard specifies the use of pre-shared keys with the
temporal key integrity protocol (TKIP), among others, to secure
communication in the WLAN. IEEE 802.11i itself prescribes the Counter Mode
with Cipher Block Chaining Message Authentication Code Protocol (CCMP) as
the method intended for authentication and integrity protection, which also
provides confidentiality by means of the Counter Mode.
Likewise, CCMP uses the Advanced Encryption Standard (AES) to encrypt
the information, in contrast to the use of RC4 in WEP and WPA.
WEP is insecure, WPA/WPA2 is better

A careful examination of each of the WLAN standards, especially in terms of
their security functions, is unavoidable and must always be performed. It is
possible to decide on the use of a certain WLAN standard only after detailed
assessment of each of the standards. The reasons for the decision must be
documented so that the decision can be understood later.
Additional controls:
- Which protocols and standards were selected for WLAN operation?
- Have the reasons for the choice been documented?
S 2.384 Selection of suitable crypto-methods for WLAN
Initiation responsibility: Head of IT, IT security management
Implementation responsibility: Head of IT, IT security management,
Administrator
To guarantee secure operation of a WLAN, it is necessary to completely
secure the communication over the wireless interface. Without adequate
encryption, there is a risk that unauthorised persons could read the data
transmitted over the WLAN. Likewise, an inadequately protected WLAN
offers a point of attack to any LAN it is connected to, if any. Furthermore, the
integrity of the data must be ensured so that manipulations to this data can be
detected. Use of a (mutual) authentication procedure among the WLAN
components is also important.
In the IEEE 802.11 and 802.11i WLAN standards, various cryptographic
methods are described which can be used to secure a WLAN. They must be
selected and applied depending on the area of application, required protection
level, and size of the organisation.
Wired Equivalent Privacy (WEP)
WEP is the oldest and most common encryption standard for WLANs and is
described in the IEEE 802.11 standard. WEP only offers an absolute minimum
of protection against unintentional reading of data and accidental logins.
WEP is currently considered to be outdated and insecure since a number of
security gaps have been found. WEP should therefore be considered
unsuitable for use in securing WLANs and should not be used any more.
WEP is outdated and insecure
If no cryptographic methods other than WEP are available and the
WLAN components will continue to be operated anyway, then WEP should be
activated. In this case, the maximum key length should be selected and the key
should be changed regularly by hand (at least once per day). Such a decision is
to be documented, and all users of the WLAN must be informed of the
decision. Such an inadequately secured WLAN may only be used in uncritical
areas, for example when it is only used to access the Internet. It must be
ensured, though, that no sensitive data is transmitted over the WLAN or is
accessible over its connected WLAN components when the WLAN has only
been secured using WEP.
WPA, WPA2, and IEEE 802.11i
IEEE 802.11i is considered to be the new security standard for WLANs, parts
of which correspond to Wi-Fi Protected Access 2 (WPA2) from the Wi-Fi
Alliance. In contrast to WPA, which corresponds to Draft 3.0 of IEEE 802.11i
and which was also published by the Wi-Fi Alliance, WPA2 and IEEE 802.11i
use the Advanced Encryption Standard (AES) as the encryption algorithm. In
WPA, just like in WEP, RC4 is still used as the encryption algorithm. Both
WPA and WPA2/IEEE 802.11i provide additional protection using the
optional Temporal Key Integrity Protocol (TKIP) through dynamic key
generation. Furthermore, in WPA2 and IEEE 802.11i the use of CCMP as the
implementation method for AES is prescribed to ensure integrity.
If at all possible, a WLAN should be secured everywhere and consistently
using WPA2 with CCMP (at the very least WPA with TKIP), since these use
stronger algorithms for encryption and integrity protection. Weaker methods
are unacceptable according to the current state of the art.
Pre-shared keys (PSK) can be used for authentication. The shared secret is
entered on every WLAN component and is used each time a connection is
established to prove to the other component that the secret is known; with
WPA and WPA2 the passphrase is converted into the Pairwise Master Key, from
which the session keys are derived. An attacker who has recorded a single
four-way handshake can test passphrase candidates offline against it, so the
security of the encrypted data depends on the length and randomness of the
passphrase. It must therefore be significantly longer than the usual six to
eight characters and must not be a dictionary word (see S 2.388 Appropriate
key management for WLAN). This method is only practical for small WLAN
installations; for large WLANs, IEEE 802.1X with an EAP method should be
used.
The following table summarises the security mechanisms:

                        WEP              WPA                         IEEE 802.11i (WPA2)
Encryption algorithm    RC4              RC4 (TKIP)                  AES (CCMP)
Key length              40 or 104 bits   128 bits (plus 64-bit       128 bits
                                         Michael MIC key)
Key                     static, shared   per-session keys derived    per-session keys derived
                        by all stations  from the PMK (PSK or        from the PMK (PSK or
                                         IEEE 802.1X)                IEEE 802.1X)
Initialisation vector   24 bits          48 bits (TSC)               48 bits (packet number)
Data integrity          CRC-32           Michael                     CBC-MAC (CCMP)
TKIP and CCMP
The Temporal Key Integrity Protocol (TKIP) was designed as a backward-
compatible wrapper around the RC4-based WEP hardware, so that existing
devices could be upgraded by firmware. It keeps RC4 but mitigates the main
weaknesses of WEP: a per-packet key is mixed from the temporal key, the
transmitter address and a 48-bit sequence counter (which also serves as the
initialisation vector and as a replay counter), and the weak CRC-32 integrity
check is supplemented by the Michael message integrity code (MIC). Michael is
itself a weak MIC, which is why IEEE 802.11i pairs it with countermeasures
that suspend the link after two MIC failures within a minute. TKIP and
Michael should therefore be understood as interim solutions for legacy
hardware.
CCMP stands for Counter Mode with CBC-MAC Protocol (CTR mode combined with a
Cipher Block Chaining Message Authentication Code) and is built on AES with
a key length of 128 bits. The plain text is not fed through AES directly: a
counter block formed from a nonce (packet number, transmitter address and
priority) is encrypted with AES, and the key stream obtained in this way is
XOR-ed with the plain text. Integrity is provided by a CBC-MAC computed with
the same key over the nonce, the unencrypted header fields and the plain
text; the resulting MIC is encrypted as well. The 48-bit packet number, which
is never reused under a given key, also provides replay protection. The
temporal keys used by CCMP and TKIP are derived from the Pairwise Master Key
in the four-way handshake; the PMK itself comes either from a pre-shared key
or from an IEEE 802.1X/EAP authentication, and IEEE 802.1X is the method of
choice for managing and distributing keys in larger installations.
Extensible Authentication Protocol (EAP)
The Extensible Authentication Protocol (EAP), described in detail in RFC
3748, is transported over the WLAN by means of IEEE 802.1X (EAP over LAN,
EAPOL) and can be used for additional protection of the authentication
procedure. The user or device authenticates to an authentication server,
e.g. a RADIUS server, through the access point, which only forwards EAP
messages until the server has verified the access authorisation. The server
then hands the key material resulting from the EAP method (the Pairwise
Master Key) to the access point, which derives the session keys together
with the client in the four-way handshake.
EAP supports a series of authentication methods, so that certificates and
two-factor authentication procedures can be used.
EAP methods which can be used in a WLAN include, for example:
- EAP-TLS
In EAP-TLS, defined in RFC 2716 (since replaced by RFC 5216), mutual
authentication is performed on the basis of X.509 certificates. Each party
proves that it possesses the private key belonging to the certificate it
presents to its communication partner; the client must in addition verify
that the server certificate was issued by the expected certification
authority, otherwise a rogue access point with any valid certificate could
collect the client's authentication. Methods must therefore be established
to distribute, renew and revoke the corresponding certificates. The
establishment and operation of a Public Key Infrastructure (PKI) requires
careful planning (see for example S 2.232 Planning the Windows 2000 CA
structure). The session keys are not transmitted at all: both sides derive
them from the master secret of the TLS handshake.
- EAP-TTLS
In EAP-TTLS, in contrast to EAP-TLS, the WLAN client does not need a
certificate of its own; only the server needs a valid certificate. A TLS
tunnel authenticated by the server certificate is established first, and
other, possibly less secure, methods (for example password-based ones) are
then used inside it for client and/or user authentication. Like EAP-TLS,
EAP-TTLS is a key-generating method: a new session key is derived from the
TLS handshake every time a communication link is established, so its
strength does not depend on the inner method. The client must verify the
server certificate, since the inner credentials are only as well protected
as the tunnel.
- PEAP
PEAP (Protected EAP) is also a key-generating method and, like EAP-TTLS,
only requires the authentication server to hold a valid X.509 certificate.
In contrast to EAP-TTLS, only other EAP methods, such as EAP-MSCHAPv2 or
EAP-TLS, can be used for client authentication inside the protected tunnel.
The combination with EAP-MSCHAPv2 is interesting for networks whose clients
primarily run Windows 2000 or Windows XP, since this method is supplied
with the operating system. Here too the client must be configured to
validate the server certificate, because an MSCHAPv2 exchange captured by a
rogue server can be attacked offline.
Additional EAP methods are described in the RFCs of the IETF EAP working
group and in the Secure WLAN technical guideline from BSI.
In general, for larger installations it makes sense to implement IEEE
802.1X with EAP-based user authentication, i.e. WPA2 with EAP. Modern WLAN
components support IEEE 802.11i and therefore WPA2; when purchasing new
WLAN components, always check beforehand that they also support the EAP
methods selected for the organisation.
Key management
The cryptographic keys used to protect communications or for authentication
must be changed regularly (see S 2.388 Appropriate key management for
WLAN).
For all WLAN components, it must be ensured that they do not accept any
cryptographic methods with a lower level of protection than the selected
method when establishing a connection to other WLAN components.
Connections to such components must be rejected.
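The requirement that no component accepts a weaker method than the selected one is enforced on both ends of the link. The following configuration fragments are an added example, not part of the IT-Grundschutz text or of any vendor's documentation: they show the weak settings next to the corrected ones for the open-source hostapd access point daemon and the wpa_supplicant client, assuming WPA2 with EAP-TLS against a RADIUS server. Interface name, SSID, RADIUS address, file paths and the identity are placeholders.

```ini
# ---- hostapd.conf (access point) --------------------------------------
# WEAK: wpa=3 offers WPA and WPA2 side by side, so a client may negotiate
# RC4/TKIP, and one static passphrase is shared by every user of the network.
#wpa=3
#wpa_pairwise=TKIP
#rsn_pairwise=CCMP TKIP
#wpa_key_mgmt=WPA-PSK
#wpa_passphrase=changeme

# CORRECTED: IEEE 802.11i (WPA2) only, CCMP only, IEEE 802.1X/EAP only.
interface=wlan0
ssid=corp-wlan
hw_mode=g
channel=6
# RSN only: no WPA1 offered and no WEP keys configured
wpa=2
# no PSK; the PMK is delivered by the RADIUS server after the EAP exchange
wpa_key_mgmt=WPA-EAP
# TKIP is not listed, so a TKIP-only client is refused at association
rsn_pairwise=CCMP
# require protected management frames (additional hardening)
ieee80211w=2
ieee8021x=1
eapol_version=2
# placeholder RADIUS server and shared secret
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=REPLACE-WITH-LONG-RANDOM-SECRET

# ---- wpa_supplicant.conf (client) -------------------------------------
network={
    ssid="corp-wlan"
    # proto=RSN: accept only IEEE 802.11i; an AP offering WPA or WEP is ignored
    proto=RSN
    key_mgmt=WPA-EAP
    # pairwise/group=CCMP: refuse an AP that offers only TKIP
    pairwise=CCMP
    group=CCMP
    eap=TLS
    identity="alice@example.org"
    # CA pin and name check stop a rogue AP that presents some other valid certificate
    ca_cert="/etc/wpa_supplicant/corp-radius-ca.pem"
    domain_match="radius.example.org"
    client_cert="/etc/wpa_supplicant/alice.crt"
    private_key="/etc/wpa_supplicant/alice.key"
}
```

Because neither side lists TKIP, a client that only supports WPA/TKIP cannot associate at all, which is exactly the rejection the safeguard calls for: no weaker suite is negotiated silently, and the failed association is visible in the access point's log rather than hidden in a downgraded connection.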
Additional controls:
- Was a suitable encryption method selected? Was this decision
documented?
- Do all WLAN components support the selected WLAN security standard,
for example IEEE 802.11i, so that compatibility problems are avoided?
S 2.385 Selection of suitable WLAN components
Initiation responsibility: Head of IT, IT security management
Implementation responsibility: Head of IT, IT security management,
Administrator
When selecting WLAN devices, you must first ask if the devices fit the
WLAN security strategy. There are numerous types and device classes of
WLAN components. They not only differ in terms of the features they offer,
but also in terms of their security mechanisms and ease of use. In addition,
they place different requirements on hardware and software components in the
operational environment.
Due to the numerous different types of WLAN components, compatibility
problems can be expected. The most important criteria for the selection of
WLAN components are therefore security and compatibility.
If it has been decided to build a WLAN in an organisation, then a list of
requirements should be created with which the products available on the
market are evaluated. The products to be purchased should then be selected
based on the evaluation. Based on various requirements for use, it has been
shown in practical applications that it may be perfectly sensible to select
several types of devices for purchase. The variety of devices should be
limited, though, to simplify support. An important criterion when purchasing
WLAN components is their compatibility with existing devices.
When purchasing the devices, the data throughput and range should also be
considered. Using external antennas, the range of WLAN components can be
improved. However, it must then be ensured that the emissions do not
radiate into areas in which the WLAN is not intended to be used and which
it should not reach because of the increased range.
When purchasing access points, the following criteria, among others, should
be checked:
- How many channels can be set
- If the SSID can be set
- If the SSID beacon can be deactivated
- Which cryptographic methods are implemented (WEP, WPA, WPA2, and
others)
- If both Open System and Shared Key mode can be selected for authentication
(the latter is unfortunately not always available by default); note that
Shared Key authentication is a WEP mechanism whose challenge/response
exchange leaks key stream, so with WPA/WPA2 the correct setting is Open
System authentication followed by the IEEE 802.11i handshake
- To what extent EAP methods according to IEEE 802.1X are supported
- If administration over secure channels, e.g. SSH or HTTPS (TLS), is
possible and whether insecure protocols such as HTTP or Telnet can be
disabled
- If IP and/or MAC address filtering is possible
- If ACLs can be set up for access over the WLAN, a connected LAN, or to
configure the access points
- If a packet filter is already integrated
- If additional mechanisms for access control are available (filtering based
on various criteria such as the port numbers, applications, URLs, etc.)
- If tunnel protocols like PPTP or IPsec are supported
It is essential to test not only that the cryptographic method implemented
carries the same designation as the method used by the other WLAN
components, but also that the implementations actually interoperate
correctly; identical names (for example "WPA2") do not guarantee identical
behaviour.
The correct configuration of the access points is an essential aspect of
security. Some access points can be configured wirelessly directly over the
WLAN, which manufacturers usually advertise as convenient. This poses
security problems, since anyone within radio range can then attack the
management interface; configuration over the WLAN should therefore not be
used, and if such functionality is available it should at least be possible
to switch it off (and it should remain switched off at all times during
operation). Many access points also offer a serial or USB interface to a
management console to enable easy local configuration. The management
console itself is often reachable via HTTP or Telnet over the intranet or
the Internet. Such remote access must be adequately secured, for example by
restricting it to a dedicated management network and using SSH or HTTPS
(TLS); remote access over the Internet should generally be examined
critically.
Access to the WLAN components for administration purposes should only be
possible by authorized persons. For this reason, it should be examined how
this access is secured. If access is secured via passwords, then the passwords
selected should be as complex as possible (see S 2.11 Regulation of password
usage). It is better, though, to use strong authentication methods for
administration accesses (see also S 4.133 Appropriate selection of
authentication mechanisms).
Implementation of the necessary security rules on access points is often very
complicated. In addition to key management, you also need to specify the
settings necessary for the various parameters and options. There are now
solutions available for some access points to control them in an organisation
over a central server. Unfortunately, only proprietary solutions have been
available so far, and they only support the WLAN components of the
particular manufacturer.
Since it can take a lot of time and effort until the network administrator has
determined the correct configuration, especially for network switching
elements, it should be possible to save the configuration.
The language used in the online help system and documentation of the WLAN
components should be formulated so that future users and administrators will
be able to understand the technical descriptions.
Interoperation with the corresponding infrastructure
When purchasing, all WLAN components should be checked to determine if
they operate correctly with the corresponding infrastructure. This includes
checking the following, for example:
- The authentication method used in the WLAN must be supported by the
clients and access points as well as by the authentication server.
- If authentication according to IEEE 802.1X is performed in the WLAN,
then the access points must support the EAP authentication method and
process the information transmitted in the IEEE 802.1X specification
correctly.
- It must be examined whether the authentication server can be operated
without its own, separate user database and can instead pass authentication
requests to a central user database (e.g. a directory service) using a
secure query protocol.
When purchasing for a large WLAN installation, the corresponding tests must
be performed before actually purchasing. The degree of fulfilment of the
technical requirements can be evaluated with the help of a test catalogue.
These tests make it easier later on to actually install the WLAN and obtain
approval.
Additional controls:
- Was adequate consideration given to security aspects when selecting the
WLAN components?
- Was compatibility with the existing WLAN components checked?
S 2.386 Careful planning of necessary WLAN migration steps
Initiation responsibility: Head of IT, IT security management
Implementation responsibility: Administrator
Due to the rapid development of WLAN technology, migration from an
existing installation to new protocols, technologies, or products can seldom be
prevented. In general, there are two different types of migration:
- Migration of the transmission technology (e.g. from IEEE 802.11g to
IEEE 802.11h)
- Migration of the WLAN security mechanisms (e.g. from WEP to WPA-
PSK or IEEE 802.11i with IEEE 802.1X)
In the first case, the entire planning process for a WLAN must be carried out,
from the assessment of the risk to the selection of suitable security safeguards.
In the second case, it may be necessary to temporarily operate different
security systems in parallel and extend the configurations of the access points,
distribution system, and connection point to the WLAN. The use of WLAN
components or WLAN areas not yet migrated must be reduced to a minimum
through the corresponding technical and organizational specifications, if
necessary. For example, it may be necessary to prohibit access to sensitive
data from components not yet migrated or secure the WLAN area not yet
migrated from the rest of the WLAN and LAN using an additional DMZ.
If it is necessary to operate two different security mechanisms in parallel, e.g.
WPA-PSK or WPA2-PSK and WEP, then the following points must be
considered:
- The duration of parallel operation should be kept as short as possible.
- If WEP and pre-shared keys are used simultaneously, then particular care
must be taken to ensure that the keys are changed often (at least daily) and
that only complex passwords can be used (see S 2.388 Appropriate key
management for WLAN).
- Access points must permit the operation of both mechanisms at the same
time during the migration phase. Access points that support a maximum of
WEP must be replaced as quickly as possible and removed from the
WLAN.
- WLAN clients that only support WEP (e.g. a printer or a PDA) should only
be switched on when they are needed. They should be replaced by clients
that support WPA2 as quickly as possible.
- WLAN components such as WLAN printers should not be configured over
the wireless interface, if it is possible to disable this, but over the console
port of the component instead.
In all cases, each of the migration steps must be planned carefully. The
migration should also be used to consolidate and expand the WLAN
infrastructure, and the WLAN administrators and WLAN users should receive
additional training.
If the login procedure for the WLAN users changes due to the introduction of
new WLAN authentication mechanisms, then the users must also receive
additional training. Furthermore, the WLAN user guidelines should be
adapted to reflect the new procedures.
Additional controls:
- Is there a plan for the migration of the WLAN technology available? Is the
length of time required for migration specified?
- Has it been ensured that components with weaker protection do not have
access any more to sensitive data?
S 2.387 Installation, configuration, and support service for a WLAN by a
third party
Initiation responsibility: Head of IT, IT security management
Implementation responsibility: Head of IT, IT security management,
Administrator
If a WLAN will be installed, configured, or supported by an external
contractor, then the points described in the following must be taken into
account in addition to the recommendations in module B 1.11 Outsourcing for
the WLAN:
- It should always be checked whether the WLAN installation can be performed
in-house by the organisation's own employees. A feasibility study and a
cost study should be performed for this purpose.
- The security strategy and the security policy should always be created by
the organisation itself and not by third parties. This ensures that someone
in the organisation continues to deal in detail with the security aspects
of WLANs, so that necessary security safeguards are not forgotten. It does
make sense to use consulting services and the services offered by third
parties when no resources are available for this internally.
- When awarding the contract for a WLAN installation, a detailed
requirements specification must be created. It must contain all minimum
requirements on the WLAN components and precisely define all network
components connected to the WLAN, etc. The requirements specification
should be used as the basis for the contract when awarding the contract to
an external contractor, and serves later on as the basis for the tests
conducted for approval.
- The contractor is to be provided with the security strategy and the security
policy for the use of WLANs. The contractor must promise in the contract
to follow and implement these policies and strategies. The performance of
the services agreed to in the contract must be checked regularly to enable
early detection of any eventual problems. The security strategy and the
security policy should be a permanent part of the requirements
specification.
- The contractor should possess extensive and, ideally, many years of
experience in the installation and securing of WLANs. The corresponding
references must be submitted, and random spot checks of the references
must be made.
- The contractor must promise in the contract that he will not pass the
configuration of the WLAN and of the WLAN components or any
passwords, connection keys, access codes, and access mechanisms on to
any unauthorised persons. Likewise, the contractor should be made to
promise that any information or data that he may eventually obtain
knowledge of due to working on the rest of the network will not be stored
temporarily or handed over to any unauthorised persons.

- Before the contractor installs the WLAN, corresponding tests must be
performed. The tests should test all planned security settings in detail.
During this phase, any LANs connected to the WLAN are especially at risk
and should be secured accordingly.
- It must be ensured that no back doors are built into the WLAN by the
contractor while the contractor is installing the WLAN. All settings and
configurations must be documented accurately by the contractor and
handed over in full to the client upon completion of the installation.
- After finishing the installation, the approval process should be
performed on the basis of the requirements specification. The
implementation documentation that the contractor prepares from the
requirements specification after the contract has been awarded also serves
as a basis for testing, since it may specify, for example, methods for
taking measurements during the approval process.
- The WLAN installation should be approved with the help of an
independent expert so that the technical details can be checked precisely as
well.
- If a wireless IDS was also purchased, then tests must be conducted in the
appropriate test scenarios, which must have been specified in advance of
the tendering for bids. In this case, it makes sense to operate the WLAN
initially in a test environment. The tests should also verify if the entire
monitoring area is also actually being monitored by the WLAN sensors. In
addition, various malfunctions should be simulated.
- One of the main points of emphasis during approval is checking the
documentation for completeness and any possible inconsistencies.
- If the WLAN will also be supported after installation by an external
contractor, then the contractor must also promise in the contract that he
will not pass any information such as passwords, sensitive data,
configuration settings, etc., on to unauthorised persons. Likewise, a
contingency plan should also be created together with the contractor. When
creating the contingency plan, the severity, the reaction time, the
corresponding steps to take, and who must be informed in case of an
emergency must be precisely defined for each possible problem that could
occur in the WLAN.
Additional controls:
- Has the contractor been provided with the security strategy and the security
policy for WLAN usage?
- Was a contingency plan for problems in the WLAN created together with
the contractor?
S 2.388 Appropriate key management for WLAN
Initiation responsibility: Head of IT, IT security management
Implementation responsibility: Administrator
The use of cryptographic security mechanisms requires that suitable keys are
generated, distributed, and installed in a way that preserves their
confidentiality, integrity, and authenticity (see also S 2.46 Appropriate
key management). When using WEP, WPA-PSK, or WPA2-PSK, the security of the
WLAN depends primarily on the selection of suitable WLAN keys that have not
been compromised. For this reason, a suitable method for key management
must be selected which fits the cryptographic mechanisms in use. Two types
of key management are distinguished: static (manual) and dynamic key
management.
WEP
In WEP, only a single, static key is used, i.e. the same WEP key must be
entered in every WLAN component in a network. Furthermore, WEP has no
provisions for dynamic key management so that the keys need to be
administered manually. Since WEP keys can be compromised in a very short
amount of time, WEP should not be used any more. However, if it is
necessary for some reason to use WEP, then the keys must be changed
regularly by hand (at least once per day).
WPA / WPA2 with TKIP or CCMP
WPA uses TKIP, which permits the use of dynamic cryptographic keys
instead of just the static keys permitted by WEP. In IEEE 802.11i (WPA2),
CCMP is also used as the cryptographic method for ensuring data integrity
and for encrypting the user data.
TKIP and CCMP are symmetric methods, which means all communication partners
must share a secret key. This shared secret is the Pairwise Master Key
(PMK); the temporal keys actually used for encryption are derived from it
for each session. The PMK can be provided to the participating WLAN
components in one of two ways:
- Static key: The PMK can be configured manually (similar to WEP) as a
static key, referred to as a pre-shared key (PSK), on access points and
clients. Usually the shared secret is entered as a passphrase, from which
the PMK is calculated with a key derivation function (PBKDF2 with the SSID
as salt). Because this derivation is public, anyone who has captured a
four-way handshake can test passphrase candidates offline; a PSK that is
not complex enough (in terms of the length and the randomness of its
characters) is therefore vulnerable to dictionary attacks. For this reason,
such passphrases should be highly complex and at least 20 characters long.
Once a WLAN reaches a certain size, it also becomes much more difficult to
roll out a new key, since every client must be reconfigured.
It is possible to use PSK in combination with WPA or WPA2. If WPA-
PSK or WPA2-PSK will be used, then it is recommended to change the key
every three to six months to protect communications and for authentication
purposes.
- Dynamic key: Dynamic key administration and distribution offers a
mechanism with a higher level of security which ensures that a new key
(PMK) is provided regularly, and especially after a WLAN client has
successfully provided authentication on the access point.
For key administration and distribution, IEEE 802.11i falls back on
another standard, IEEE 802.1X. This standard was designed for port-based
network access control in cable-based networks: a network port is only
activated once the user has successfully authenticated to the network, and
this authentication takes place in Layer 2. To make this possible, IEEE
802.1X specifies an interface between the client (supplicant), the network
element (authenticator, here the access point), and an authentication
system. This interface is based on the Extensible Authentication Protocol
(EAP) and its adaptation for transmission in Layer 2 of a LAN (EAP over
LAN, EAPOL). Authentication and key distribution therefore go hand in
hand: the authentication server delivers the PMK resulting from the EAP
method to the access point, which then derives the session keys together
with the client in the four-way handshake over EAPOL-Key frames; the same
frames are used to distribute the group key for broadcast traffic.
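The derivation chain described above and in S 2.384, PSK to PMK to session keys, together with the EAPOL-Key integrity check of the four-way handshake and the offline dictionary attack that a weak passphrase allows, as an added example in Python that is not part of the IT-Grundschutz text. The PBKDF2 and PRF constructions are the ones from IEEE 802.11i (Annex H and clause 8.5.1); the SSID, MAC addresses, nonces, the EAPOL-Key frame and the word list are constructed for the demonstration, and the frame omits the RSN information element that a real message 2 carries.

```python
"""WPA/WPA2 key derivation chain and the offline attack on a weak pre-shared key.

Added example, not part of the IT-Grundschutz text. PBKDF2 and the PRF are the
IEEE 802.11i constructions; SSID, addresses, nonces, the EAPOL-Key frame and
the word list are constructed for the demonstration.
"""
import hashlib
import hmac
from typing import Dict, Iterable, Optional

# Offset of the 16-byte MIC in an EAPOL-Key frame: EAPOL header (4) + descriptor
# type (1) + key info (2) + key length (2) + replay counter (8) + nonce (32) +
# IV (16) + RSC (8) + reserved (8) = 81.
MIC_OFFSET = 81


def psk_to_pmk(passphrase: str, ssid: str) -> bytes:
    """Annex H.4: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """PRF-n (8.5.1.1): concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               ccmp: bool = True) -> Dict[str, bytes]:
    """Pairwise key expansion (8.5.1.2): CCMP needs 384 bits (KCK, KEK, TK),
    TKIP 512 bits, the extra 128 bits being the two Michael MIC keys."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48 if ccmp else 64)
    keys = {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48]}
    if not ccmp:
        keys["MIC_AP"], keys["MIC_STA"] = ptk[48:56], ptk[56:64]
    return keys


def eapol_key_mic(kck: bytes, frame: bytes, ccmp: bool = True) -> bytes:
    """MIC over the whole EAPOL-Key frame with the MIC field zeroed: HMAC-SHA1
    truncated to 128 bits for descriptor version 2 (CCMP), HMAC-MD5 for version 1 (TKIP)."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1 if ccmp else hashlib.md5).digest()[:16]


def build_eapol_key_msg2(snonce: bytes, replay_counter: int) -> bytes:
    """Constructed message 2 of the four-way handshake, MIC field still zero.
    Key info 0x010A = descriptor version 2 | pairwise | MIC present; the RSN
    information element a real message 2 carries in the key data is omitted."""
    body = bytes([2])                                  # descriptor type 2: RSN (IEEE 802.11i)
    body += (0x010A).to_bytes(2, "big")                # key information
    body += (16).to_bytes(2, "big")                    # key length: CCMP TK = 128 bits
    body += replay_counter.to_bytes(8, "big")
    body += snonce + bytes(16) + bytes(8) + bytes(8)   # nonce, IV, RSC, reserved
    body += bytes(16)                                  # MIC placeholder
    body += (0).to_bytes(2, "big")                     # key data length
    return bytes([2, 3]) + len(body).to_bytes(2, "big") + body  # EAPOL v2, type 3 = EAPOL-Key


def sign_frame(kck: bytes, frame: bytes) -> bytes:
    return frame[:MIC_OFFSET] + eapol_key_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def recover_psk(ssid: str, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
                frame: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: everything except the passphrase is public."""
    observed = frame[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in candidates:
        kck = derive_ptk(psk_to_pmk(candidate, ssid), aa, spa, anonce, snonce)["KCK"]
        if hmac.compare_digest(eapol_key_mic(kck, frame), observed):
            return candidate
    return None


# Constructed demo values (the SSID "IEEE" matches the Annex H test vector).
SSID = "IEEE"
AP_ADDR = bytes.fromhex("001122334455")
STA_ADDR = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
WORDLIST = ["letmein", "summer2005", "password", "correct horse battery staple"]


def captured_handshake_msg2(passphrase: str) -> bytes:
    """What a passive listener records: message 2, authenticated with the real KCK."""
    kck = derive_ptk(psk_to_pmk(passphrase, SSID), AP_ADDR, STA_ADDR, ANONCE, SNONCE)["KCK"]
    return sign_frame(kck, build_eapol_key_msg2(SNONCE, 1))


def demo() -> Optional[str]:
    """Recovers the weak passphrase "password" from one captured handshake frame."""
    return recover_psk(SSID, AP_ADDR, STA_ADDR, ANONCE, SNONCE,
                       captured_handshake_msg2("password"), WORDLIST)


if __name__ == "__main__":
    print("PMK(password, IEEE) =", psk_to_pmk("password", SSID).hex())
    print("recovered passphrase:", demo())
```

The only secret input to the whole chain is the passphrase: SSID, both MAC addresses and both nonces are sent in the clear, and the MIC in message 2 lets an attacker verify each guess without any further interaction with the network. Each guess costs 4096 HMAC-SHA1 iterations, which slows a dictionary attack down but does not stop it, and the PMK does not change until the passphrase is changed on every component; this is why the passphrase must be long and random, and why IEEE 802.1X with per-session PMKs is preferred for larger installations.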
In general, the keys of all WLAN components should be changed at regular
intervals, but at least once every 3 months. In large installations, the central
WLAN management solution should contain a suitable function for this
purpose to keep the amount of work necessary to a minimum.
The changing of the key information should be tested specifically on all
WLAN components during the planning phase so that any possible problems
with changing the keys are detected early.
Additional controls:
- Was the test in which the key is changed performed on all WLAN
components?
- Is there a schedule available specifying when to change the key
information?
S 2.389 Secure use of hotspots
Initiation responsibility: Head of IT, IT security management
Implementation responsibility: Users
Hotspots are areas with local wireless access whose coverage area may be
limited to a room, a hall, or a production facility, for example. Usually,
hotspots are set up specifically for use by external subscribers. They are used
mainly to provide wireless access to the Internet. Hotspots are often found in
hotels, airports, trade fairgrounds, train stations, and convention centres.
Hotspots should always be considered insecure networks because, on one
hand, it is difficult from the outside of these networks to assess the level of
security available, and on the other hand because most hotspots offer their
services in the form of shared networks. They generally permit every end
device to reach all other end devices in the network, so a client is
exposed to every other user of the hotspot. If it is impossible in general
to estimate the risk posed by a hotspot, the use of hotspots may also be
prohibited completely in the WLAN security policy. In this case, though, it
must also be ensured by technical means that a WLAN client cannot connect
to such a hotspot.
The operators of hotspots can do a lot to ensure the security of the wireless
access and other services they provide (see S 4.293 Secure operation of
hotspots), but without the co-operation of the users, it is impossible to achieve
a proper level of security. The following safeguards, among others, should be
taken by the users:
- The users should ask which security precautions have been taken on the
hotspot so they can estimate the security level of the network and the
trustworthiness of the operator.
- Before using the network, the users should ask about the prices and how
the services are billed. From the point of view of a consumer, it would be
interesting to know how much personal data needs to be disclosed and how
this data will be handled. The users should also make sure that their
authentication data is not stored and cannot be misused on the hotspot.
Authentication should always be performed in encrypted form.
- Every user of a hotspot should be aware of his or her security requirements
and decide if, and if yes, under what conditions it is acceptable to use the
hotspot based on these requirements.
- Whenever financial, personal, or other sensitive data such as credit card
numbers, PINs, passwords, or even e-mails need to be transmitted, it must
be ensured that all necessary security safeguards are activated on the client,
and in particular that encryption is enabled. Examples in this case would be
the secure processing of e-mails over a HTTPS web interface and the
secure Internet protocols (Secure POP, IMAPS, and SMTP with SSL/TLS)
used for precisely this purpose.
- Even if the operator guarantees that the wireless link is encrypted, this
only protects the radio path between the client and the access point;
everything beyond the access point, and the hotspot's own infrastructure,
is outside the user's control. Application-level encryption should
therefore always remain enabled as an additional safeguard, since it is
under the control of the user and protects the data end to end.
Passwords in particular should never be sent over an external network
without encryption.
- To access an internal network of an organisation, an encrypted connection
for the WLAN client should be established over a trusted access point of
the organisation.
- If you are located in an area with a hotspot but do not want to use the
hotspot, then the WLAN interface on the WLAN client should be disabled
to prevent accidentally logging in to the hotspot.
- If the operator offers certificates for authentication on the hotspot, then the
users should check the certificates to ensure they are correct. Even though
it may be annoying, the plausibility of specifications such as the
fingerprint, validity period, owner, and certifying body of the certificate
should be checked.
- In general, additional local safeguards should be implemented on all
mobile clients which are able to log in to different WLANs. Examples of
such safeguards include access protection, user authentication, virus
protection, personal firewalls, restrictive sharing of files and resources at
the operating system level, local encryption, etc. Additional safeguards for
WLAN clients can be found in safeguard S 4.297 Secure operation of
WLAN components.
Securing the clients
- When using hotspots, it is also recommended to create special user
accounts with secure basic configurations and limited rights. A user with
administrator rights should never log in to an external network from his or
her client.
Additional controls:
- Have the users been informed of the rules to be followed and security
safeguards to be activated when using hotspots?
S 2.390 Withdrawal from operation of WLAN
components
Initiation responsibility: Head of IT, IT security management
Implementation responsibility: Administrator
When WLAN components need to be taken out of operation, all sensitive
information on them must be deleted. In particular, the authentication
information used to access the WLAN and other accessible resources stored in
the security infrastructure and other systems must be deleted or declared
invalid. This means that cryptographic keys must be securely deleted and
certificates for digital signatures need to be blocked, for example.
Taking WLAN clients out of operation
A variety of devices are used as WLAN clients. These devices include, among
others:
- Laptops
- PDAs, smart phones, and similar devices with WLAN support
- WLAN-enabled telephones, printers, and cameras
On these end devices, WLAN functionality is typically only one of many
functions. When taking such end devices out of operation, they must
therefore be examined to determine whether they contain security-critical
WLAN information that needs to be deleted, transferred, or archived, e.g.:
- Information on the users of the end device
- Certificates and the corresponding private keys (for users or devices)
- Passwords for WLAN access
- Keys for authentication methods such as WPA-PSK keys, for example
- PIM data, i.e. contact information, deadlines, etc.
Suitable methods must be used to destroy, delete, or reuse this data depending
on device and storage method. For certificates, for example, you need to make
an entry in the corresponding CRL to revoke the certificate.
If a WLAN client is stolen, at least all of the information listed above must
be taken into account, and it must be ensured that this information can no
longer be used to access the WLANs of the affected organisation.
Taking access points out of operation
The same applies when taking access points out of operation as when taking
WLAN clients out of operation. At least the following security-related
information must be deleted, transferred, or archived (where applicable):
- Pre-shared keys (PSK) for WPA or WPA2
- RADIUS keys (RADIUS shared secrets)
- IPSec keys (PSKs or private keys for certificates)
- User data (especially if WLAN user administration is integrated)
- Configuration information such as IP addresses and the names of RADIUS
servers, name of the access point itself, its IP address, and its SSID
Suitable methods must be used to destroy, delete, or reuse this data depending
on the device and storage method. The corresponding method must be selected
and tested in good time, before the device is withdrawn.
Access points often contain additional data (for example configuration data)
stored in non-volatile storage or have information written on them (for
example the name of the computer, SSID, IP address, and other technical
information). Where possible, this information should be removed before
handing over the device, since an attacker may be able to derive data from it
that can be used in attacks.
It is recommended to create a checklist based on the recommendations
provided above which can be used when withdrawing a system from operation
so that no steps are forgotten or skipped.
Additional controls:
- Have suitable methods for destroying, deleting, or reusing security-related
information on WLAN components been specified?
S 3.58 Introduction to WLAN basics
Initiation responsibility: Head of IT, IT security management
Implementation responsibility: Head of IT, IT security management,
Administrator
WLANs can be operated using two different architectures. In the ad-hoc
mode, two or more mobile end devices which are equipped with a WLAN
card (clients) connect directly with each other.
In most cases, WLANs are operated in the infrastructure mode, which means
the clients communicate through a central wireless link, referred to as the
access point. Connection to cable-bound LAN segments is then obtained
through the access point.
There are several different ways to implement the infrastructure mode:
- Using several access points, overlapping wireless cells can be installed so
that the wireless connection is maintained when a client moves to the next
wireless cell ("roaming"). In this manner, large areas can be provided with
wireless access coverage. The range of a wireless cell depends heavily on
the environmental conditions and usually lies between approximately 10 and
150 metres.
- Two access points can also be used as a link (bridge) between two
cable-bound LANs. Likewise, it is also possible to use an access point as a
relay station (repeater) to increase the range.
- When the corresponding components (directional antennas) are used on the
access points, a WLAN can also be used to network different locations.
According to manufacturer specifications, ranges of up to several
kilometres can be obtained. The access points can be operated as relay
stations or bridges in this case.
In the IEEE 802.11 standard, the term Independent Basic Service Set (IBSS) is
used for wireless networks in the ad-hoc mode, and Basic Service Set (BSS) is
used for constellations in the infrastructure mode with an access point. A set
of BSSs linked together is referred to as an Extended Service Set (ESS), and
the linked network is called the Distribution System (DS).
The WLAN systems designed according to IEEE 802.11, 802.11b, and
802.11g permitted for use in Germany and in almost all European states use
the ISM (Industrial-Scientific-Medical) frequency band between 2.4 and
2.48 GHz, which can be used for free and without any additional licenses. The
transmitting power is limited to a maximum of 100 mW EIRP (effective
isotropic radiated power).
Systems based on the IEEE 802.11 standard transmit data at a rate of 1 or
2 Mbit/s using a band spreading method; either the Frequency Hopping
Spread Spectrum (FHSS) or the Direct Sequence Spread Spectrum (DSSS)
method. For reasons of completeness, we would like to point out that 802.11
also defines an infrared transmission method, but the use of this method in
practical applications has been insignificant to date.
Systems designed according to IEEE 802.11b use only the DSSS method. The
data to be transmitted is spread using a fixed spreading code to make the
transmission less susceptible to interference. As in all systems based on the
802.11 standard, access to the wireless channel is obtained using a randomised
procedure referred to as Carrier Sense Multiple Access with Collision
Avoidance (CSMA/CA). The maximum gross data transmission rate for
IEEE 802.11b is 11 Mbit/s. Transmission rates cannot be guaranteed in any of
the systems based on the 802.11 standard, since they depend on the number of
clients and the quality of the wireless transmission route.
Systems based on the IEEE 802.11g standard use the Orthogonal Frequency
Division Multiplexing (OFDM) transmission method based on IEEE 802.11a
and therefore permit data rates of up to 54 Mbit/s.
In the 2.4 GHz frequency band in Germany, 13 frequency channels with a channel
spacing of 5 MHz are available for wireless transmission based on 802.11b.
Since the channel bandwidth is approximately 22 MHz, though, a maximum of only
3 channels can be used simultaneously without overlapping, for example
channels 2, 7, and 12.
Systems based on the IEEE 802.11a and 802.11h standards use the 5 GHz
band. In Germany, there are a total of 19 channels in intervals of 20 MHz
authorised for use with some restrictions in the frequency range from 5.15 to
5.35 GHz and from 5.47 to 5.725 GHz. For a channel bandwidth of 20 MHz,
channels directly next to each other will not interfere with each other. Since
military and civil radar and navigation applications also operate in the 5 GHz
frequency range, only systems supporting dynamic frequency selection and
the ability to change the transmitting power are permitted to be used in this
band.
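The channel figures above (5 MHz spacing and roughly 22 MHz bandwidth in the 2.4 GHz band, 20 MHz spacing and bandwidth in the 5 GHz band) are all that is needed to check a channel plan for overlapping cells, which is also what S 4.294 asks for when several access points are operated. The following is an added example and not part of the IT-Grundschutz text; it assumes the IEEE 802.11 channel numbering (centre frequency 2407 MHz + 5 MHz per channel number in the 2.4 GHz band, 5000 MHz + 5 MHz per channel number in the 5 GHz band) and the 19 authorised 5 GHz channels 36 to 64 and 100 to 140.

```python
"""Planning non-overlapping WLAN channels from the figures in S 3.58.

Added example; not part of the IT-Grundschutz text. Two channels are
treated as overlapping when their centre frequencies lie closer together
than the channel bandwidth given in the text for the band.
"""
from itertools import combinations

# Channel bandwidth in MHz, as given in the text for each band.
BANDWIDTH_MHZ = {"2.4ghz": 22, "5ghz": 20}

# The 19 channels authorised in Germany in the 5 GHz band: 36-64 and 100-140
# (assumed channel list, derived from the frequency ranges quoted in the text).
CHANNELS_5GHZ = list(range(36, 65, 4)) + list(range(100, 141, 4))


def centre_frequency(channel: int, band: str) -> int:
    """Centre frequency in MHz of a channel in the given band."""
    if band == "2.4ghz":
        if not 1 <= channel <= 13:
            raise ValueError("only channels 1-13 are available in the 2.4 GHz band")
        return 2407 + 5 * channel
    if band == "5ghz":
        if channel not in CHANNELS_5GHZ:
            raise ValueError(f"channel {channel} is not an authorised 5 GHz channel")
        return 5000 + 5 * channel
    raise ValueError(f"unknown band {band!r}")


def overlapping_pairs(channels, band: str) -> list:
    """Pairs of channels whose centre frequencies lie closer together than
    the channel bandwidth, i.e. whose signals overlap."""
    bandwidth = BANDWIDTH_MHZ[band]
    pairs = []
    for a, b in combinations(sorted(set(channels)), 2):
        if abs(centre_frequency(a, band) - centre_frequency(b, band)) < bandwidth:
            pairs.append((a, b))
    return pairs


def is_non_overlapping(channels, band: str) -> bool:
    """True if no two of the planned channels overlap."""
    return not overlapping_pairs(channels, band)


def non_overlapping_sets_2ghz(size: int) -> list:
    """All sets of `size` 2.4 GHz channels that can be used simultaneously
    without overlapping; for size 3 this includes the text's example 2, 7, 12."""
    return [c for c in combinations(range(1, 14), size)
            if is_non_overlapping(c, "2.4ghz")]


if __name__ == "__main__":
    print("2.4 GHz sets of 3:", non_overlapping_sets_2ghz(3))
    print("2.4 GHz sets of 4:", non_overlapping_sets_2ghz(4))   # none exist
    print("channels 1, 5, 9 overlap:", overlapping_pairs([1, 5, 9], "2.4ghz"))
    print("5 GHz 36/40/44/48 ok:", is_non_overlapping([36, 40, 44, 48], "5ghz"))
```

Running the script lists the ten three-channel combinations that fit into the 2.4 GHz band, shows that no fourth channel can be added, and confirms that adjacent 5 GHz channels (20 MHz apart at 20 MHz bandwidth) do not overlap.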
Overview of security mechanisms
The security mechanisms in all 802.11-compatible systems are defined in the
IEEE 802.11 standard. The extensions a, b, g, and h to the standard do not
offer additional security mechanisms, and only extension i defines new
security mechanisms. The mechanisms defined in IEEE 802.11 only serve to
secure the transmission route between the clients and access points.
Furthermore, the standard also provides enough freedom to allow proprietary
extensions.
All security mechanisms in the IEEE 802.11 standard presented in the
following can be overcome and do not provide reliable protection for sensitive
information.
- The standard offers the ability to assign a name to the network (ESSID or
SSID: (Extended) Service Set Identifier). There are two modes of operation
in this case. If the user specifies the identifier "Any", then the WLAN
component accepts any SSID. In the other case, the name entered is
checked, and only those clients with the same SSID are permitted to
connect to the network. When moving between two neighbouring wireless
cells, the SSID is used to find the next access point. Since the SSID is sent
in plain text over the network, an attacker can obtain it using only simple
tools. Some access points offer the ability to suppress the transmission of
the SSID in broadcast mode.
Network name (SSID)
The suppression of the SSID in this manner does not conform to the
standard, though.
- Every network card has its own unique hardware address, referred to as the
MAC address (Media Access Control address). In principle, a WLAN can be
configured so that only defined MAC addresses are permitted to
communicate with an access point. The list of addresses must be
administered "by hand" in this case, though, which can be time-consuming
and complex; in many operational scenarios this is not feasible. The
filtering of MAC addresses is not part of the standard, yet it conforms to
the standard because the filtering has no effect on the compatibility of the
clients.
MAC address
- Confidentiality, integrity, and authenticity in the WLAN are meant to be
ensured using the "Wired Equivalent Privacy" (WEP) protocol. WEP is based
on the RC4 stream cipher and encrypts the plaintext packet by packet using
a key and an initialisation vector (IV). The key is a string of 40 or
104 bits which must be provided in advance to the clients in the WLAN as
well as to the access point; one shared key is used for the entire WLAN.
The initialisation vector is selected by the sender and should be different
for each data packet transmitted. The IV is prefixed in unencrypted form to
the encrypted data packet and transmitted over the WLAN.
WEP encryption,
integrity protection, and
authentication
WEP only encrypts the transmitted user data and the integrity checksum.
Management and control frames are not encrypted on the wireless
interface, though.
During the development of the IEEE 802.11i standard, the Wi-Fi Alliance
published the Wi-Fi Protected Access (WPA) method based on Draft 3.0 of
IEEE 802.11i. WPA already contains several improvements to the security
mechanisms and describes the use of the Temporal Key Integrity Protocol
(TKIP), essentially built on WEP, in combination with the MICHAEL integrity
checksum method to protect the data packets. Through the use of MICHAEL,
WPA solves the problem of the weak integrity check in WEP. TKIP and
MICHAEL are to be understood as interim solutions; the use of TKIP is only
an option and is not mandatory according to the WPA specification.
In the IEEE 802.11i standard, which corresponds to WPA2 of the Wi-Fi
Alliance except that it provides more freedom in the selection of the EAP
method, a different encryption method is prescribed: the Counter Mode with
CBC-MAC Protocol (CCMP, i.e. CTR mode combined with a Cipher Block
Chaining Message Authentication Code). This method uses the Advanced
Encryption Standard (AES) to encrypt the authentication and user data, in
contrast to RC4 in WEP and WPA. The plaintext is not encrypted directly
with AES; instead, AES encrypts a counter block under the symmetric key,
and the actual ciphertext is obtained by XOR-ing a block of the plaintext
with the AES-encrypted counter. In addition, the Cipher Block Chaining
(CBC) method is used to ensure the integrity of the data. The use of
IEEE 802.1X is required for key administration and distribution.
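The CCMP structure just described (data XORed with encrypted counter blocks for confidentiality, a CBC-MAC for integrity) can be written out in a few functions. The following is an added example and not part of the IT-Grundschutz text. Python's standard library has no AES, so a keyed pseudo-random function built from HMAC-SHA256 and truncated to 16 bytes stands in for AES-128; the nonce layout, counter layout and 8-byte MIC are simplifications and do not reproduce the exact CCMP frame format. The last function shows why the counter (and, for WEP, the IV) must never repeat: under a reused nonce the XOR of two ciphertexts equals the XOR of the two plaintexts.

```python
"""Counter mode with CBC-MAC, the structure CCMP uses in IEEE 802.11i.

Added example; not part of the IT-Grundschutz text. A HMAC-SHA256 based
pseudo-random function stands in for AES-128 (assumption: the standard
library has no AES); the CTR/CBC-MAC structure is the point.
"""
import hashlib
import hmac

BLOCK = 16       # block size of AES (and of the stand-in)
MIC_LEN = 8      # CCMP carries an 8-byte message integrity code


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128: HMAC-SHA256 truncated to one 16-byte block."""
    assert len(key) == 16 and len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def counter_block(nonce: bytes, i: int) -> bytes:
    """Counter block i: 12-byte nonce followed by a 4-byte big-endian counter."""
    assert len(nonce) == 12
    return nonce + i.to_bytes(4, "big")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR mode. The same function encrypts and decrypts: the plaintext is
    never fed to the block cipher, only XORed with encrypted counters 1, 2, ..."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        keystream = block_encrypt(key, counter_block(nonce, 1 + i // BLOCK))
        out += xor(data[i:i + BLOCK], keystream)
    return bytes(out)


def cbc_mac(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CBC-MAC: every block is XORed into the previous output before
    encryption. The first block binds nonce and length, as in CCM."""
    state = block_encrypt(key, nonce + len(data).to_bytes(4, "big"))
    padded = data + b"\x00" * (-len(data) % BLOCK)
    for i in range(0, len(padded), BLOCK):
        state = block_encrypt(key, xor(state, padded[i:i + BLOCK]))
    return state[:MIC_LEN]


def ccm_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Ciphertext followed by the MIC, which is itself masked with counter 0."""
    mic = cbc_mac(key, nonce, plaintext)
    masked_mic = xor(mic, block_encrypt(key, counter_block(nonce, 0)))
    return ctr_xor(key, nonce, plaintext) + masked_mic


def ccm_decrypt(key: bytes, nonce: bytes, frame: bytes):
    """Returns the plaintext, or None if the MIC does not verify (the frame
    must then be discarded)."""
    body, masked_mic = frame[:-MIC_LEN], frame[-MIC_LEN:]
    plaintext = ctr_xor(key, nonce, body)
    mic = xor(masked_mic, block_encrypt(key, counter_block(nonce, 0)))
    if not hmac.compare_digest(mic, cbc_mac(key, nonce, plaintext)):
        return None
    return plaintext


def nonce_reuse_leaks_xor(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bool:
    """Why the counter must never repeat (the same requirement the text states
    for WEP's IV): with the same nonce the keystreams are identical, so the XOR
    of the two ciphertexts equals the XOR of the two plaintexts."""
    c1 = ctr_xor(key, nonce, p1)
    c2 = ctr_xor(key, nonce, p2)
    return xor(c1, c2) == xor(p1, p2)
```

Decryption deliberately returns None rather than a partially verified plaintext: a receiver that acts on data before the MIC has been checked gives up exactly the integrity protection that CCMP adds over WEP.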
An AES key length of 128 bits is used in IEEE 802.11i. This method is
acceptable over the long term, but requires new hardware - in contrast to the
TKIP version.
The Extensible Authentication Protocol (EAP) according to the IEEE 802.1X
standard can be used for added protection of the authentication procedure.
EAP is described in detail in RFC 3748. In this case, the user logs in to an
authentication instance, for example a RADIUS server, and this instance then
checks for access authorisation before the session key is exchanged. EAP
supports a series of authentication methods so that certificates and two-factor
authentication can be used.
Additional controls:
- Have the users, and especially the administrators, been trained in the
operation and security mechanisms of the WLAN?
- Were the users informed of the security mechanisms available in the tools
used, and have they been trained in their use?
S 3.59 Training on the secure use of WLAN
Initiation responsibility: Head of IT, IT security management
Implementation responsibility: Head of IT, IT security management,
Administrator
Operating WLAN components requires a wide range of knowledge of the basic
methods of operation and of specific technical variants, but also of a
number of security aspects. For this reason, it is absolutely essential to
inform those responsible for IT as well as the IT Security Management of
the basics of WLAN.
Training administrators
The administrators who operate WLAN components should possess practical
knowledge as well as theoretical knowledge. WLAN training courses for
administrators should handle the following subjects, among others:
- Overview of security aspects for WLANs
- Typical threats
- SSID, operating modes, establishing connections, address filtering,
preventing spoofing, MAC address filtering
- Selection of appropriate security mechanisms, authentication, and securing
communications
- WEP, WPA, WPA2, IEEE 802.11i, IEEE 802.1X
- Key management in TKIP, CCMP, etc.
- Authentication mechanisms in the WLAN, for example EAP,
RADIUS
- Detecting WLANs
- Security safeguards for WLAN operation
- Security-related WLAN configuration parameters
- System management
- Network analysis programs and wireless intrusion detection systems
- VPNs for WLANs, IPSec, DHCP
- Interaction of WLANs with security gateways
- Securing WLAN components against unauthorised access
Training users
The users of WLAN components, especially of WLAN clients, must be
trained as well. During training, the users should become familiar with the
method of operation and secure operation of the WLAN components. The
meanings of the security settings and why they are important must be
explained in detail to the users. In addition, they need to be informed of the
threats posed when these security settings are overridden or deactivated for the
sake of convenience or to reduce the number of annoying warning messages.
By sensitising the users to specific threats, it is possible to achieve proper
operation of the WLAN components and security settings.
Training factory safety personnel and gatekeepers
Due to the existence of wardriving attacks, the factory safety personnel and
the gatekeepers should also be sensitised to the risks. The factory safety
personnel should make sure that no strangers are lingering around the
company premises for a long time with a notebook and possibly even a
WLAN antenna. Security management must be informed whenever suspicious
persons are noticed.
The contents of the training program must always be adapted according to the
corresponding operational scenarios. Training programs using web-based,
interactive programs in the Intranet could also be used for this purpose. In
addition to receiving training on WLAN security mechanisms, the employees
should also be given a copy of the WLAN security policy of the organisation.
Additional controls:
- Are the administrators prepared to handle the WLAN components, and in
particular, have they received training in aspects related to security?
- Are all users familiar with the contents of the WLAN security policy?
- Are the users familiar with the WLAN security mechanisms, and are these
mechanisms also being used?
- Have the gatekeepers and factory safety personnel been sensitised to
security issues?
S 4.293 Secure operation of hotspots
Initiation responsibility: Public agency/company management, Head of
IT
Implementation responsibility: Head of IT, IT Security Officer, Administrator
The purpose of a hotspot is generally to permit (unknown) users easy access to
the Internet. To be able to operate a hotspot securely over the long term,
successful authentication of all users is necessary on the hotspot. Commonly
used and (for the most part) secure methods include, for example:
- Web authentication
In this case, the user enters his access data (IP address, username,
password, etc.) over a web interface. The data should naturally be
transmitted in encrypted form using SSL/TLS. After successfully logging
in, access is enabled for the client.
- PPTP (Point-to-Point Tunneling Protocol)
PPTP is a typical tunnelling protocol for VPNs, i.e. a protocol used to
encrypt the data for transmission, send the data through the tunnel, and
administer the connection. RC4 with 40 or 128 bits is available as the
cryptographic method for encryption in PPTP, and PAP or CHAP can be
selected for authentication. Due to security problems in the first version,
only PPTPv2 should be used, together with an encryption method permitting a
sufficiently long key.
- IPSec
IPSec offers strong cryptographic methods and mutual authentication of
the communication partners. Authentication should be performed, of
course, using certificates. However, on one hand, certificates cannot be
used in all IPSec implementations, and on the other, the certificates need to
be suitably generated and distributed first (typical PKI problem).
- WLAN-specific security mechanisms such as WEP, IEEE 802.1X,
WPA, WPA2, TKIP, and IEEE 802.11i
All WLAN-specific security mechanisms are intended to secure the
transmission route and must be suitably combined. Given the rapid
development in this area (see above), the uneven distribution of these
methods among clients, and their security deficiencies, they are not
suitable for use in hotspots.
The following security safeguards should also be implemented when operating
a hotspot:
- Access points intended to be operated as hotspots must not be connected
directly to a LAN and must be connected over a security gateway instead.
- Communication between the WLAN clients, referred to as inter-client
communication, should be prevented completely.
- The wireless interface should be monitored by wireless analysis systems to
detect unknown access points and hotspots.
- The authentication data should always be transmitted in encrypted form
over the transmission route, i.e. between the WLAN client and access
point. For the further transmission of the data from a hotspot access point
to the authentication system (for example a RADIUS server), suitable
encryption methods such as SSL or IPSec are to be used, especially when
using public networks.
- If certificates are used for authentication, then the certificates should be
signed by a suitable certification instance. In addition, the fingerprint of the
server certificate should be published so that users can check their
authenticity.
- Every operator of a hotspot should offer at least one suitable method for
encryption of the data sent over the transmission route so that the users can
protect their data from unauthorised reading. Not all users, though, are very
interested in protecting their data and systems. Furthermore, the technical
requirements for the use of the encryption method offered may not be met.
For this reason, their use should remain optional. The users absolutely must
be informed, though, of the capabilities and the advantages of encrypting
their transmitted data.
- Many users want to access their own organisation's network remotely over
a hotspot. To accomplish this, the users must be able to implement their
organisation's security policies. For this reason, the technical design of
the hotspot should permit the use of typical security safeguards such as
IPsec.
In addition, hotspot operators should check their logs regularly to see if any
irregular activities were recorded, for example if the number of users is greater
than the number of guests logged in.
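The log check described here (more clients active on the hotspot than guests logged in) can be automated by replaying the access point's association log against the captive portal's login log. The following is an added example and not part of the IT-Grundschutz text; the log lines are constructed for the example and assume a hypothetical hotspot whose access point logs (dis)associations and whose portal logs logins and logouts, both keyed by client MAC address. The two regular expressions are placeholders to be adapted to the formats the real devices produce.

```python
"""Reconciling hotspot logs: are more clients active than logged in?

Added example; not part of the IT-Grundschutz text. Log format, sample
lines and MAC addresses are constructed for this example.
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "time source mac action")

AP_LINE = re.compile(
    r"^(?P<time>\S+) ap\[\d+\]: STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"(?P<action>associated|disassociated)$")
PORTAL_LINE = re.compile(
    r"^(?P<time>\S+) portal: (?P<action>login|logout) ok "
    r"mac=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) user=\S+$")

# Constructed sample: four clients, of which only one is currently logged in.
SAMPLE_LOG = """\
2024-05-01T09:00:01 ap[1]: STA 00:11:22:33:44:01 associated
2024-05-01T09:00:05 portal: login ok mac=00:11:22:33:44:01 user=guest17
2024-05-01T09:01:10 ap[1]: STA 00:11:22:33:44:02 associated
2024-05-01T09:01:30 ap[1]: STA 00:11:22:33:44:03 associated
2024-05-01T09:02:00 portal: login ok mac=00:11:22:33:44:03 user=guest18
2024-05-01T09:10:00 ap[1]: STA 00:11:22:33:44:03 disassociated
2024-05-01T09:10:01 portal: logout ok mac=00:11:22:33:44:03 user=guest18
2024-05-01T09:15:00 ap[1]: STA 00:11:22:33:44:04 associated
"""


def parse(lines) -> list:
    """Turn raw log lines into Event tuples; unrecognised lines are skipped."""
    events = []
    for line in lines:
        m = AP_LINE.match(line)
        if m:
            events.append(Event(m["time"], "ap", m["mac"], m["action"]))
            continue
        m = PORTAL_LINE.match(line)
        if m:
            events.append(Event(m["time"], "portal", m["mac"], m["action"]))
    return events


def reconcile(events) -> dict:
    """Replay the events in time order and compare the set of clients the
    access point currently serves with the set the portal has logged in."""
    associated, authenticated = set(), set()
    for e in sorted(events, key=lambda ev: ev.time):
        target = associated if e.source == "ap" else authenticated
        if e.action in ("associated", "login"):
            target.add(e.mac)
        else:
            target.discard(e.mac)
    return {
        "associated": associated,
        "authenticated": authenticated,
        "unauthenticated_active": associated - authenticated,
        "stale_sessions": authenticated - associated,
    }


def findings(lines) -> list:
    """Human-readable irregularities for the operator's regular log review."""
    r = reconcile(parse(lines))
    out = []
    if len(r["associated"]) > len(r["authenticated"]):
        out.append(f"{len(r['associated'])} clients associated, "
                   f"but only {len(r['authenticated'])} logged in at the portal")
    for mac in sorted(r["unauthenticated_active"]):
        out.append(f"{mac}: associated without a portal login "
                   "(normal for a short time; persistent entries need a look)")
    for mac in sorted(r["stale_sessions"]):
        out.append(f"{mac}: portal session open but client no longer associated")
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_LOG.splitlines()):
        print(f)
```

A client that has associated but not yet logged in is normal for the few seconds the captive portal takes; what the review is looking for are entries that stay in that state, or a count of active clients that is persistently above the number of portal sessions.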
Providers of public hotspots must also follow the corresponding legal and
regulatory specifications. In Germany, this includes following the
specifications from the Federal Network Agency for the provision of Internet
access.
The security policies to be observed by the hotspot users are described in
S 2.389 Secure use of hotspots.
Additional controls:
- Are the conditions for the use of the hotspot clear to every user?
- Have adequate safeguards been taken to secure the transmission route?
S 4.294 Secure configuration of access points
Initiation responsibility: Head of IT, IT security management
Implementation responsibility: Administrator
Under no circumstances may access points be used with the configuration set
to the factory default or with the same settings specified in the manuals of the
products for the SSIDs (Service Set Identifier), access passwords, or
cryptographic keys.
The following settings should be enabled and/or changed to customised,
secure values:
- To the greatest extent possible, administrative access to the access points
over the wireless interface should generally be deactivated.
- All administration passwords should be as complex as possible and should
be changed regularly.
- Insecure administration accesses (e.g. over Telnet, HTTP) should be
disabled whenever possible. Administrative access must always be
established over an encrypted connection (e.g. via SSL or SSH).
Deactivation of insecure
administration accesses
- The default settings of SSIDs, cryptographic keys, and passwords must be
changed immediately after initial operation.
- The SSID should not provide any information on the owner of a WLAN or
its purpose. Likewise, the SSID should not be set to "Any" because
otherwise any WLAN component will be able to communicate in the
WLAN.
- The broadcast of the SSID should be deactivated so that the existence of
the WLAN cannot be detected unnecessarily. Furthermore, association
using SSID broadcasts should be deactivated so that the clients are required
to specify the desired SSID explicitly when associating.
- Suitable encryption mechanisms must be activated. At the same time, it
must be ensured that all components in the WLAN support the
mechanisms. It must be impossible to establish connections with WLAN
components that do not have any encryption mechanisms or only
inadequate encryption mechanisms.
- Cryptographic keys should be selected as randomly as possible and should
be changed regularly. A complex pre-shared key (PSK) should be used
when using WPA-PSK or WPA2-PSK. If cryptographic keys like the PSK
are generated using a password, then the password selected for this purpose
should be very complex and have at least 20 characters.
- To restrict the communication partners permitted to access an access point,
Access Control Lists (ACLs) should be used at the MAC address level.
This is particularly helpful for small to very small WLAN installations. In
general, though, this instrument alone cannot provide enough security,
especially in a WLAN (since the WLAN is easy to listen in on) since MAC
addresses are easy to change. ACLs in the WLAN can therefore only be
viewed as weak, additional safeguards whose use only makes sense in
special situations.
Access Control Lists
Since the additional security gained is limited, it must be examined for
large networks if the additional security is worth the administrative work
required.
- The DHCP (Dynamic Host Configuration Protocol) server in the access
point should be switched off (if there is one and if this is technically
possible), i.e. static IP addresses should be assigned and the size of the IP
address space available should be kept as small as possible. Otherwise the
DHCP server will automatically assign a valid IP address to the intruder.
- When using several access points, the frequency channels used by
neighbouring access points should be selected so that they do not overlap.
- Changes to the system configuration must be tested and documented.
- It must be checked regularly if all security-related updates and patches
have been installed. This must also be checked for the corresponding
device drivers for the WLAN hardware on the WLAN clients as well. A
new software version or a patch should only be installed in the WLAN
after appropriate testing. In actual operations, software updates have
resulted in making WLAN communication extremely limited or even
completely impossible.
Notification and information procedures should be specified in the change
management that describe who needs to be informed of such changes and
how they are to be informed. Likewise, the documentation of the WLAN
infrastructure must be changed accordingly.
- If WLAN components will not be used for a longer period of time, they
should be switched off. Access points should be deactivated automatically
outside working hours (for example at night and on weekends).
Support for and monitoring of these tasks can be achieved using a WLAN
management software package or by integration into a central network
management system.
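The configuration points listed above lend themselves to an automated check of an access point's settings before it goes into operation. The following is an added example and not part of the IT-Grundschutz text: the configuration dictionaries are constructed (a hypothetical export; real products name and structure their settings differently), the list of default administration passwords is a placeholder, and the encryption setting treated as acceptable is WPA2 with CCMP, since S 3.58 describes WEP and TKIP as interim or breakable. The PSK derivation is the one IEEE 802.11i specifies for WPA/WPA2-PSK (PBKDF2 with HMAC-SHA1, the SSID as salt, 4096 iterations, 256-bit result); it shows why the passphrase, and not the derived key, is the weak point when the passphrase is short.

```python
"""Auditing an access point configuration against the points in S 4.294.

Added example; not part of the IT-Grundschutz text. Configuration layout,
sample values and the default-password list are constructed.
"""
import hashlib

# Placeholder list of factory-default credentials; replace with the vendor's.
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password"}
# Encryption settings accepted by the audit; WEP and WPA/TKIP are not (see S 3.58).
ACCEPTABLE_SECURITY = {"wpa2-ccmp"}


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK key derivation (IEEE 802.11i): PBKDF2-HMAC-SHA1,
    SSID as salt, 4096 iterations, 32-byte (256-bit) output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def passphrase_findings(passphrase: str) -> list:
    """The passphrase must be 8-63 ASCII characters for WPA/WPA2-PSK and,
    according to S 4.294, at least 20 characters long."""
    out = []
    if not 8 <= len(passphrase) <= 63:
        out.append("passphrase outside the 8-63 character range WPA/WPA2-PSK allows")
    elif len(passphrase) < 20:
        out.append(f"passphrase has {len(passphrase)} characters, S 4.294 asks for at least 20")
    return out


def audit(cfg: dict) -> list:
    """Return the deviations from S 4.294 found in the configuration."""
    out = []
    if cfg["ssid"].strip().lower() in ("", "any"):
        out.append("SSID is 'Any' or empty: every WLAN component could communicate")
    if cfg["ssid_broadcast"]:
        out.append("SSID broadcast is enabled")
    if cfg["security"] not in ACCEPTABLE_SECURITY:
        out.append(f"encryption setting {cfg['security']!r} is inadequate")
    out += passphrase_findings(cfg["passphrase"])
    if cfg["admin_over_wlan"]:
        out.append("administrative access over the wireless interface is enabled")
    for service in ("telnet", "http"):
        if cfg["admin_services"].get(service):
            out.append(f"insecure administration access over {service} is enabled")
    pw = cfg["admin_password"]
    if pw in DEFAULT_ADMIN_PASSWORDS or len(pw) < 12:
        out.append("administration password is a default or too short")
    if cfg["dhcp_server"]:
        out.append("DHCP server on the access point is enabled")
    return out


# Constructed: an access point still close to its factory settings ...
WEAK_CONFIG = {
    "ssid": "Any", "ssid_broadcast": True, "security": "wep",
    "passphrase": "secret12", "admin_over_wlan": True,
    "admin_services": {"telnet": True, "http": True, "https": True, "ssh": True},
    "admin_password": "admin", "dhcp_server": True,
}
# ... and the same device after applying S 4.294.
HARDENED_CONFIG = {
    "ssid": "ap-7f3a9c", "ssid_broadcast": False, "security": "wpa2-ccmp",
    "passphrase": "correct-battery-staple-4711-x", "admin_over_wlan": False,
    "admin_services": {"telnet": False, "http": False, "https": True, "ssh": True},
    "admin_password": "R7$kq2!vLp9#Wz4m", "dhcp_server": False,
}

if __name__ == "__main__":
    for line in audit(WEAK_CONFIG):
        print("-", line)
    print("hardened:", audit(HARDENED_CONFIG) or "no findings")
    print("PSK:", derive_psk(HARDENED_CONFIG["passphrase"], HARDENED_CONFIG["ssid"]).hex())
```

The audit cannot judge whether an SSID reveals the owner or purpose of the WLAN; that point, and the regular key change, remain manual checklist items.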
Additional controls:
- What routes are used to access the system for administrative purposes?
- How are changes to configurations tested and documented?
- Has it been ensured that patches and updates to close any security gaps
which become known will be installed quickly?
- Has it been ensured that WLAN components will actually be switched off
when they will not be used for a while?
S 4.295 Secure configuration of WLAN clients
Initiation responsibility: Head of IT, IT security management
Implementation responsibility: Administrator, Users
In order to enable secure operation of a WLAN, all clients connected to the
network must be configured securely. Suitable IT security recommendations
for clients are described in the modules in Layer 3 IT systems. In addition, the
following WLAN-specific security safeguards should be taken:
- The default settings for SSIDs, cryptographic keys, and passwords must be
changed directly after initial operation. Passwords should be selected so
that they are difficult to guess.
- The ad-hoc mode should be disabled so that clients can only communicate
over an access point and not directly with each other.
- Data requiring protection on mobile end devices should be encrypted.
There are numerous hardware and software-based products for this purpose
which allow you to encrypt individual files, certain areas, or the entire hard
disk so that only those persons possessing proper access authorization are
able to decrypt the data.
- The WLAN interfaces of clients should be deactivated as a rule as long as
they are not actually in use. In particular, they should always be
deactivated when the clients are logged in to a cable-bound LAN. Access
from a client to the internal LAN over the usual internal connections
should only be possible when there is no other activity on the WLAN.
Otherwise, this provides an attacker with a chance to access any existing
(and authenticated) connections in the internal network over the WLAN
interface.
- When establishing VPN connections, various security precautions should
be taken on the client. For example, it should be impossible to use another
communication interface parallel to a VPN connection so that the security
of the VPN connection, which the user assumes to be secure, is not
undermined over an insecure channel. In addition, it is recommended not
only to require a certain minimum set of security safeguards to be
implemented on the clients, but to test them as well before granting access
over the VPN. To do this, it is recommended to use tools that check if the
security policies are being followed on the clients before the server permits
any further communication.
- It must be checked regularly if all security-related updates and patches
have been installed. It may be difficult to install a large software update on
the WLAN clients over the WLAN since the bandwidth available in the
WLAN is much lower than that available in a cable-based LAN. The
installation of updates will not only take much longer, but may also slow
down the WLAN so much that the users notice it because a WLAN is a
shared medium. If possible, a client should therefore be connected to a
cable-based LAN when installing large software updates. In addition, the
transmission of software updates over the wireless interface can be
assigned a lower priority provided that the longer installation times
resulting from this are practical.
IT-Grundschutz Catalogues: New 68
In this manner, the other WLAN applications will not be significantly
hindered any more by the software update.
It should be checked regularly to ensure that security-related settings have not
been changed.
There must be clear rules specifying whether, and if so under what
conditions, WLAN clients are permitted to log in to external networks (see
S 4.251 Working with external IT systems), especially when the clients have
access to the production environment or store confidential information.
WLAN clients should never be operated in insecure environments such as, for
example, public hotspots or WLANs only secured using WEP. WLAN clients
which process data with a high protection requirement may only be used in
WLANs which are operated under the complete control of the organisation
and may only be operated when securely configured. Their use in other
WLANs is to be prohibited.
All users of WLAN components should be informed of the potential risks and
problems involved in their use as well as of their advantages, but also of the
limits of the security safeguards implemented. All users must be familiar with
the security policy for WLAN usage (see S 2.382 Drawing up a security
policy for the use of WLAN). No one who has not agreed in writing beforehand
to the conditions for use contained in the WLAN security policy should be
permitted access to an internal WLAN.
Additional controls:
- Have the users been informed of which security aspects they need to
consider when using the WLAN?
- Has it been ensured that patches and updates to close any recently
discovered security gaps will be installed quickly?
- Will the WLAN interfaces on the clients be switched off when they are not
in use?
S 4.296 Use of a suitable management solution for
WLAN
Initiation responsibility: Head of IT, IT security management
Implementation responsibility: Administrator
To guarantee optimal configurations from a security perspective on all WLAN
components, these components need to be administered carefully. Since
administration can be costly and complex in large WLANs, it makes sense in
this case to use WLAN system management tools. These tools should also be
capable of integration into any existing IT and network management tools, if
possible.
In general, it is recommended to implement a management solution that
enables online documentation in addition to the ability to monitor the WLAN.
Depending on the features, the solution should also offer the following
capabilities:
- Documentation of the firmware versions of the access points
- Documentation of the firmware versions and drivers of the WLAN
adapters of the WLAN clients
- Documentation of the security configurations
- Documentation of location-specific configurations
- Ability to administer the history of configuration changes
In order to provide the administrators with an overview of all stationary and
mobile systems and applications and to generate this overview as easily as
possible, the system management solution should be able to take stock of the
mobile end devices and their applications automatically. Each end device
should be integrated into the configuration and control process by the
management software as soon as it logs in to the network.
These functions are used according to the specifications in the instruction
manual.
The management system should also provide alarm and error handling. The
administrators should be able to perform the following tasks for this purpose:
- Assessment and evaluation of alarms, e.g. to detect an unusually high
number of failed attempts to obtain authentication on an access point
- Assessment of statistics for troubleshooting
- Triggering of safeguards when a security incident is suspected
- Adaptation of the threshold values triggering the alarms when the WLAN
usage changes
A suitable network management protocol should be selected as well, for
example SNMPv3 (see also S 2.144 Selection of a suitable network
management protocol).
The log data recorded should be evaluated regularly, at least once per
month. The scope of the logging is to be agreed with the personnel
representative and the Data Protection Officer.
The WLAN management software and the general network management
solution should provide filtering capabilities to make the evaluation of the
log data easier.
Additional controls:
- When was the last time the log data recorded was evaluated?
- Has an inventory of all WLAN components been taken?
S 4.297 Secure operation of WLAN components
Initiation responsibility: Head of IT, IT security management
Implementation responsibility: Administrator
WLANs are attractive targets for attackers and therefore must be configured
very carefully in order to ensure secure operation. All WLAN components
must be configured so that they are protected against attacks to the best extent
possible. If a WLAN component is not correspondingly configured, then it
may not be activated and connected to the productive environment.
WLAN components needing to be secured include the access points, the
distribution system, the WLAN clients, the operating systems on which the
WLAN components are operated, and the protocols used, among others. The
following points in particular must be kept in mind:
- Employees must be assigned to be responsible for the administration of
each of the various WLAN components.
- After the installation and initial operation of WLAN components, all
necessary security mechanisms must be activated.
- The WLAN components may only be administered over a secure
connection, i.e. administration should be performed directly on the console
after executing a strong authentication procedure (for access from the
LAN) or over an encrypted connection (for access from the Internet).
- The rule "everything which is not expressly permitted is prohibited" must
apply in general. For example, users not entered in an access list must not
be permitted to access the WLAN. Access rights for directories and files
should be assigned as restrictively as possible.
- It must be ensured that the software used is always up-to-date and that any
security-related patches are installed immediately.
- Configuration changes should be logged by the system so that
manipulations can be detected and traced promptly. The log data must be
protected so that it cannot be manipulated.
- All security-related events must be logged. These include, for
example, attempts to gain unauthorised access as well as data on the
network load and any network overloads. The log data recorded must be
evaluated regularly. The scope of the logging must be agreed with the
personnel representative and the Data Protection Officer.
- The WLAN components must be integrated into the data backup policy.
When restoring backed up data resources, it must be ensured that the files
relevant for the secure operation of the WLAN such as access lists,
password files, and filter rule files are up to date.
If possible, a standard configuration should be developed for the WLAN
components used which reflects the specifications in the WLAN security
policy. This makes it easier to provide support for numerous devices and
change the configurations. At the same time, deviations from the intended
configuration can be identified faster.
It makes sense to use a WLAN management solution which ensures efficient
configuration of the access points. Access points and the active components of
the distribution system should still remain integrated into the network
management system, and monitoring must also still be possible. After all, it
should still be possible to check the availability of the authentication server
through the management system. It may be necessary to expand a network
management system already in use by adding a WLAN management module.
Connections of external access points or manipulations to the switches of the
distribution system should be detected by the WLAN management system.
The affected network port of the distribution switch should be blocked
immediately in such cases.
Likewise, the configurations of the access points and of the distribution
system should be checked regularly. To check the configuration, the system
configuration currently in use must be compared to a documented and
validated configuration. If any unconfirmed changes are found, then the
systems must be examined and possibly even switched off and checked for
evidence of an attack.
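The configuration comparison described above, as an added example that is not part of the IT-Grundschutz text: the configuration read back from the access points is compared with the documented, validated baseline, security-relevant deviations are separated from operational ones, and devices for which no validated configuration exists are listed for isolation and examination. Device names, configuration keys and values are constructed.

```python
"""Detect unconfirmed configuration changes on WLAN access points.

Added example for S 4.297 (comparing the configuration currently in use with
the documented, validated configuration); not part of the IT-Grundschutz
text. Device names, configuration keys and values are constructed.
"""
from dataclasses import dataclass

# Settings whose deviation weakens the security configuration and therefore
# needs immediate follow-up; all other keys are treated as operational
# (constructed list, to be derived from the WLAN security policy).
SECURITY_RELEVANT = {"firmware", "encryption", "authentication",
                     "management_access", "default_password_changed"}

# Documented and validated standard configuration (constructed sample data).
BASELINE = {
    "ap-01": {"firmware": "7.2.1", "encryption": "CCMP", "authentication": "802.1X",
              "management_access": "ssh", "default_password_changed": True, "channel": 1},
    "ap-02": {"firmware": "7.2.1", "encryption": "CCMP", "authentication": "802.1X",
              "management_access": "ssh", "default_password_changed": True, "channel": 6},
    "ap-03": {"firmware": "7.2.1", "encryption": "CCMP", "authentication": "802.1X",
              "management_access": "ssh", "default_password_changed": True, "channel": 11},
}

# Configuration as read back by the management system (constructed sample
# data): ap-02 was tampered with, ap-03 only changed channel, ap-99 is an
# undocumented device that appeared on the distribution system.
RUNNING = {
    "ap-01": dict(BASELINE["ap-01"]),
    "ap-02": {**BASELINE["ap-02"], "encryption": "TKIP", "management_access": "telnet"},
    "ap-03": {**BASELINE["ap-03"], "channel": 13},
    "ap-99": {"firmware": "1.0", "encryption": "none", "authentication": "open",
              "management_access": "http", "default_password_changed": False, "channel": 6},
}


@dataclass(frozen=True)
class Deviation:
    device: str
    key: str
    expected: object
    actual: object
    security_relevant: bool


def compare_device(name, baseline, running):
    """List every setting whose running value differs from the validated one,
    including settings that are missing on one side."""
    deviations = []
    for key in sorted(set(baseline) | set(running)):
        expected = baseline.get(key, "<not set>")
        actual = running.get(key, "<not set>")
        if expected != actual:
            deviations.append(Deviation(name, key, expected, actual,
                                        key in SECURITY_RELEVANT))
    return deviations


def check_infrastructure(baseline, running):
    """Return (deviations, undocumented devices, devices that did not report)."""
    deviations = []
    for name in sorted(set(baseline) & set(running)):
        deviations.extend(compare_device(name, baseline[name], running[name]))
    undocumented = sorted(set(running) - set(baseline))
    unreachable = sorted(set(baseline) - set(running))
    return deviations, undocumented, unreachable


def devices_to_isolate(baseline, running):
    """Devices to take off the network and examine for evidence of an attack:
    every device with a security-relevant unconfirmed change and every
    undocumented device."""
    deviations, undocumented, _ = check_infrastructure(baseline, running)
    flagged = {d.device for d in deviations if d.security_relevant}
    return sorted(flagged | set(undocumented))


if __name__ == "__main__":
    devs, undocumented, unreachable = check_infrastructure(BASELINE, RUNNING)
    for d in devs:
        tag = "SECURITY" if d.security_relevant else "operational"
        print(f"{d.device}: {d.key} expected {d.expected!r}, found {d.actual!r} [{tag}]")
    print("undocumented:", undocumented, "did not report:", unreachable)
    print("isolate and examine:", devices_to_isolate(BASELINE, RUNNING))
```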
For the secure operation of WLAN components, both the basic configuration
specified on the basis of the WLAN security policy as well as all changes
made must be documented carefully so that they can be restored at any time.
In addition to the documentation of the security configuration, documentation
of the firmware versions of the access points and documentation of location-
specific configurations must also be available.
Additional controls:
- Has it been ensured that the necessary security mechanisms are activated
on all WLAN components?
- How will it be ensured that the operating systems and programs used on the
WLAN components are always kept at a secure patch level?
- How will the administrators or auditors access the security gateway and the
components?
- Has all relevant information on the WLAN components been taken into
account in the data backup procedure?
S 4.298 Regular audits of WLAN components
Initiation responsibility: Head of IT, IT security management
Implementation responsibility: Administrator
All components of the WLAN infrastructure must be checked regularly to
ensure that all specified security safeguards have been implemented and these
components are configured correctly. These components include, in addition
to the access points, the components of the distribution system, the elements in
the security infrastructure (including the authentication server) and the
elements of the WLAN management system. Depending on the available
functionality, the WLAN management system should not only administer the
current configurations of the access points, but also the configurations of the
components of the distribution system, and should also provide administration
of the history of previous configurations (see S 4.296 Use of a suitable
management solution for WLAN). Likewise, central security systems such as
the authentication server or the link element on the transfer point between the
distribution system and the LAN should be subjected to regular security
checks.
Installations in areas accessible to the public in particular should be spot-
checked for attempts to open the housings by force or any other attempts at
manipulation (especially on access points). An indicator of a compromised
WLAN is, for example, the discovery of a hub connected between an access
point and the distribution switch. Such components, which are used for
diagnostic purposes, should only be accessible to authorized personnel and
must be removed immediately after the required measurements have been
taken.
Furthermore, the WLAN clients must be checked regularly. If there are a large
number of clients, then spot checks should be made at a minimum. The
configuration of the WLAN adapters and of the IEEE 802.1X supplicant (or of
the VPN client, if one is used in the WLAN) should be checked first. Depending
on the system, the patch level of the operating system, the currency of the
drivers for the WLAN adapters of the clients, the basic rules used in the
personal firewalls, the currency of the virus protection software used, as
well as the security settings of the applications used over the WLAN should
also be checked.
If any irregularities or vulnerabilities are found, then they must be
documented. In this case, it must also be documented how they will be
handled.
Regular audits of the WLAN security policy should also be performed in
addition to the regular audits of the individual WLAN components. In
particular, the safeguards implemented to secure the WLAN should be
checked to see if they correspond to the current state of the art in technology
and if the base protection level specified is still valid.
In addition, you should ask yourself occasionally if all users have been
informed of the necessary WLAN security safeguards and if they have
implemented these safeguards.

Additional controls:
- Are security audits performed regularly?
- How will any irregularities detected be documented and handled?
Safeguard Catalogue Communications Comments
S 5.138 Usage of RADIUS servers
Initiation responsibility: Head of IT, IT security management
Implementation responsibility: Administrator
In large networks, authentication servers, for example RADIUS servers,
should be used. RADIUS (Remote Authentication Dial-In User Service) is a
client-server protocol for the authentication, authorisation, and
accounting (AAA) of users that allows connections to be secured centrally. The
protocol is described in a series of RFCs, the most important of which is
RFC 2865.
An authentication server should guarantee that only authorised users are able
to access the internal network, and that this access can also be restricted to
certain end devices. During the process, identification must be provided first,
for example using an identifier, and then authentication is performed, for
example using a password. This data should be transmitted in encrypted form.
The EAP protocol (Extensible Authentication Protocol) is often used for this
purpose, in combination with the port-based network access control defined in
the IEEE 802.1X standard. This means that access to the network is only
permitted once the client has been unambiguously identified and authenticated
by the RADIUS server.
The authentication servers operated must be appropriately secured (see
S 4.250 Selection of a central, network based authentication service).
Sufficiently long and complex cryptographic keys are to be used for the
secrets shared between the RADIUS server and RADIUS clients. In this case,
a separate shared secret can be used for each RADIUS client-server
connection when the administrative capabilities permit this.
The components used for RADIUS should meet the requirements of the RFCs
for RADIUS to ensure the greatest possible interoperability between the
various components. It should be possible to store the authentication and
accounting logs in a separate database system.
RADIUS communication should be restricted to ports 1812 and 1813.
Ports 1645 and 1646 should not be used if possible. Other ports are to be
closed if it is technically possible to close them. The RADIUS communication
from the server is to be restricted to the RADIUS clients known by and
authenticated on the server.
If a high level of protection is required for the confidentiality of the
authentication information, then it is recommended to use IPSec to secure the
RADIUS communication. You should not deactivate the methods for securing
communications available in RADIUS, though. Likewise, you should also
think about using a redundant RADIUS server in this case.
The rules specifying when a RADIUS server will respond to an authentication
request should be set as restrictively as possible. In this case, the rules should
specify the permissible dialup times, the MAC address of the RADIUS client
requesting a connection and its port type, the IP address of the RADIUS
client, and the EAP method to be used for authentication.
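As an added example (not part of the catalogue), the following code shows how a RADIUS server can restrict communication to the RADIUS clients known to and authenticated by it: the request must arrive on port 1812, the source address must be in the client list, and the Message-Authenticator attribute, an HMAC-MD5 over the packet keyed with that client's shared secret, must verify. The packet layout is RFC 2865, which the page names; the Message-Authenticator attribute is defined in RFC 3579 (not mentioned on the page) and is mandatory for EAP over RADIUS. Client addresses, secrets and the policy minimum for secret length are constructed.

```python
"""Accept RADIUS Access-Requests only from known, authenticated clients.

Added example for S 5.138; not part of the IT-Grundschutz text. Packet layout
follows RFC 2865 (named on the page); the Message-Authenticator attribute
(type 80) that proves the client knows the shared secret is from RFC 3579 and
is mandatory for EAP over RADIUS. Addresses, secrets and the minimum secret
length are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80
RADIUS_AUTH_PORT = 1812        # accounting uses 1813; 1645/1646 are legacy
MIN_SECRET_LEN = 22            # local policy value (constructed)

# Known RADIUS clients by source address with their individual shared secret
# (constructed sample data; one secret per client as S 5.138 recommends).
KNOWN_CLIENTS = {
    "10.1.0.11": b"Xq7!dWz2Lp9$Rt4vBn8mHk3c",
    "10.1.0.12": b"Gf6@Ys1Qe5^Uo0zJc2Vb9nWr",
}


def encode_attr(attr_type, value):
    """One attribute: Type (1 octet) | Length (1 octet, incl. header) | Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data):
    """Yield (type, value, offset of value) for each attribute."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute")
        attr_type, length = struct.unpack("!BB", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        yield attr_type, data[pos + 2:pos + length], pos + 2
        pos += length


def build_access_request(identifier, username, nas_ip, secret):
    """Client side: header | random Request Authenticator | attributes, where
    the Message-Authenticator is HMAC-MD5(secret, whole packet with the
    attribute value set to 16 zero octets)."""
    request_auth = os.urandom(16)
    attrs = encode_attr(ATTR_USER_NAME, username.encode())
    attrs += encode_attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    mac = hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()
    return header + request_auth + attrs[:-16] + mac   # placeholder is last


def verify_access_request(packet, src_ip, dst_port, clients=KNOWN_CLIENTS):
    """Server side: (accepted, reason). Rejects unexpected ports, unknown
    source addresses and missing or wrong Message-Authenticators."""
    if dst_port != RADIUS_AUTH_PORT:
        return False, f"unexpected port {dst_port}"
    secret = clients.get(src_ip)
    if secret is None:
        return False, f"unknown RADIUS client {src_ip}"
    if len(packet) < 20:
        return False, "packet too short"
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False, "not a well-formed Access-Request"
    attrs = packet[20:]
    try:
        offsets = [off for t, v, off in parse_attrs(attrs)
                   if t == ATTR_MESSAGE_AUTHENTICATOR and len(v) == 16]
    except ValueError as exc:
        return False, str(exc)
    if len(offsets) != 1:
        return False, "Message-Authenticator missing"
    off = offsets[0]
    received = attrs[off:off + 16]
    zeroed = attrs[:off] + bytes(16) + attrs[off + 16:]
    expected = hmac.new(secret, packet[:20] + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(received, expected):
        return False, "Message-Authenticator mismatch (wrong shared secret?)"
    return True, "client authenticated"


def weak_secrets(clients=KNOWN_CLIENTS):
    """Clients whose shared secret is shorter than the policy minimum."""
    return sorted(ip for ip, s in clients.items() if len(s) < MIN_SECRET_LEN)


if __name__ == "__main__":
    pkt = build_access_request(7, "alice", "10.1.0.11", KNOWN_CLIENTS["10.1.0.11"])
    print(verify_access_request(pkt, "10.1.0.11", 1812))
    print(verify_access_request(pkt, "10.9.9.9", 1812))
    print("weak secrets:", weak_secrets())
```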

Additional controls:
- How will the authentication information be protected during transmission?
- How will attacks on the RADIUS server be prevented?
S 5.139 Secure WLAN-LAN connection
Initiation responsibility: Head of IT, IT security management
Implementation responsibility: Administrator
A common goal when using WLAN components is to enable simple and
mobile connection to other networks. These networks may be other WLANs,
but could also be LANs existing inside the organisation. There are two main
security aspects in this case:
- Protection of the WLAN components used against misuse when connecting
to an external network
- Protection of the internal LANs against misuse from the outside.
When connecting a WLAN to a LAN, the transfer point between the WLAN
and LAN must be secured based on the highest protection requirement of the
two networks. The LAN generally has the higher protection requirement.
There are two main approaches to take when connecting a WLAN to a LAN:
- You can attempt to reach a security level in the WLAN matching the
security level within the existing, wire-bound LAN. To accomplish this,
though, the security mechanisms integrated into standard WLAN
components generally need to be extended, for example using stronger
cryptographic algorithms, and more work will be required to attain the
additional security.
- On the other hand, a more practical approach can be selected in which it is
assumed that the data transmitted on the transmission route as well as the
WLAN components themselves do not possess the same high level of
security as the LAN. For this reason, accesses from the WLAN should be
handled like Internet accesses in this case and therefore should only be
permitted through a security gateway. This is the recommended procedure.
The higher the level of security available on the wireless interface and the
active components of the distribution system, the less complicated the
safeguards on the connection point to the LAN need to be. In any case,
though, it must be possible to completely block WLAN communication to the
internal LAN on the connection point as soon as an attack on the WLAN is
detected.
The switching element between the distribution system of the WLAN and the
LAN must be a Layer 3 router at a minimum to obtain effective separation of
the broadcast domains. The use of more advanced mechanisms, such as using
a dynamic packet filter instead of a router, must be decided upon based on the
operational environment and according to the protection requirement.
If higher protection is required, then the security of the authentication
procedure should be improved, for example through the use of EAP-TLS, so
that mutual, strong authentication can be implemented between the WLAN
clients and an authentication server in the LAN.
Additional controls:
- Is the LAN protected from the WLAN by an additional security gateway?
- Is access from the WLAN to the LAN necessary and desired? Has this
decision been documented?
S 5.140 Setting up a distribution system
Initiation responsibility: Head of IT, IT security management
Implementation responsibility: Administrator
A distribution system is a network that connects the access points to each
other and to the rest of the infrastructure, for example to a cable-bound
network. In general, there are two different types of distribution systems:
- Cable-bound distribution systems
All access points are connected by cables to each other and to the rest of
the infrastructure.
- Wireless distribution systems
A direct cable connection between the access points is not necessary any
more in this case. The access points only need to be supplied with power.
In both cases, communication between the access points should be encrypted
to guarantee the confidentiality of the data transmitted. An IPSec VPN tunnel
can be used, for example, in a cable-bound distribution system, while CCMP
can be used additionally for a wireless distribution system based on
IEEE 802.11i. For wireless distribution systems, availability is just as
essential as the protection of confidentiality and integrity, and safeguards
should be taken against possible denial-of-service attacks. Through the use of
wireless intrusion detection systems and regular security checks,
vulnerabilities can be found promptly, and the corresponding countermeasures
can be taken.
When building a distribution system, a basic decision must be made as to
whether or not to build or connect a separate infrastructure for security
reasons, i.e. whether or not the internal LANs should be physically segmented
from the infrastructure. Alternatively, it can be examined if logical
segmentation using VLANs suffices.
Physical distribution system
If a separate physical infrastructure is set up for the distribution system, then
the size of the coverage area plays an essential role. As a rule, several access
points are concatenated using Layer 2 or Layer 3 switches, in which case
scaling is commonly based on 12, 24, or 48 ports per switch. For example, if
100 access points need to be connected to form a distribution system, then
three to ten switches are necessary. Direct connection of the access points to
switches in the central server room is generally not possible, which is why the
switches must be distributed over the entire area to be equipped with WLAN.
In this case, it must be ensured that the switches are adequately protected
against external access and that there are enough redundant switches to
maintain the required availability of the distribution system. However, large
investments and additional security safeguards are necessary to build a
separate physical infrastructure.
Logical distribution system
When logical segmentation is used, virtual LANs (VLANs) are formed to
control the flow of data through the access switches of the cable-based LAN.
If the WLAN clients are to be segmented within the distribution system, then
each of the WLAN clients must be assigned to a VLAN in the access point as
well.
The configuration of a logical distribution system in an existing LAN
infrastructure is not entirely without problems in operational terms, and
therefore in terms of availability, and requires extremely well-trained
administrators. If the availability requirement is normal for the entire LAN
and WLAN infrastructure, then configuration of VLANs is a plausible
approach. However, when higher availability is required, then it is not
recommended to use VLANs to set up a distribution system.
Additional controls:
- Will a cable-bound or wireless distribution system be built? Was the
decision documented and saved?
- Will the segmentation be physical or logical? Was this decision
documented and saved as well?
S 5.141 Regular security checks of WLANs
Initiation responsibility: Head of IT, IT security management
Implementation responsibility: Administrator
A WLAN security check should be performed regularly, but at least once per
month.
WLANs should be checked regularly with WLAN analysers and network
sniffers to see if there are any security gaps such as weak passwords,
inadequate encryption, or an enabled SSID broadcast. However, the check
should also look for WLANs installed without authorisation.
Network analysis programs
Specific tools for monitoring and analysing the quality of service and level of
security are helpful not only in WLANs, but also in other networks. For secure
operation of a WLAN, it is especially important to check the extent to which
the prescribed security policies are being followed and the overall availability
of the WLAN. When taking measurements to determine the availability, other
measurements such as performance measurements and error analyses should
be performed as well. Tools which provide a list of all active WLAN
subscribers and of any subscribers recognized recently are also helpful.
Network analysis or sniffer programs read data streams and examine the data
packets transmitted for different, variable criteria. For example, such a
program can search for certain patterns in the data packets or evaluate routing
information.
Network analysis tools should be used regularly to
- look for unauthorized WLANs on the property of the organisation,
- check regularly if all necessary security mechanisms have been activated,
and
- detect dead zones and evaluate the signal quality of wireless networks.
Monitoring the WLAN infrastructure
The simplest way to monitor the WLAN infrastructure is to perform a spot
check of a location using a WLAN client equipped with special software. The
area covered is then checked by walking around the area. Access points
installed and operated without authorisation can be detected in this manner.
Better control can be obtained using a WLAN management system. Such a
system can be used to regularly perform the following tasks:
- Detection of external devices, especially of external access points
- Performance of wireless site surveys, i.e. surveys to obtain information on
the coverage, data rates, bandwidth, QoS, etc., of a WLAN
- Recording login times
- Monitoring the configuration of WLAN network elements
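An added example, not part of the IT-Grundschutz text, of how the scan results from such a walk-around or from the management system can be evaluated against the inventory of authorised access points: unknown access points announcing an organisation SSID, unauthorised WLANs on the premises, authorised access points whose security mechanism deviates from the policy, and documented access points that were not seen at all are reported with a severity. BSSIDs, SSIDs, the signal threshold and the scan results are constructed.

```python
"""Compare a WLAN scan with the inventory of authorised access points.

Added example for S 5.141 (looking for unauthorised WLANs and checking that
the required security mechanisms are active); not part of the IT-Grundschutz
text. BSSIDs, SSIDs, the signal threshold and the scan results are constructed.
"""
from dataclasses import dataclass

# SSIDs operated by the organisation (constructed).
ORGANISATION_SSIDS = {"corp-wlan", "corp-guest"}

# Authorised access points from the WLAN documentation:
# BSSID -> (SSID, security mechanism required by the WLAN security policy).
INVENTORY = {
    "00:11:22:33:44:01": ("corp-wlan", "WPA2-CCMP"),
    "00:11:22:33:44:02": ("corp-wlan", "WPA2-CCMP"),
    "00:11:22:33:44:10": ("corp-guest", "WPA2-CCMP"),
}

# Signal level above which an unknown network is assumed to be on the
# premises rather than in a neighbouring building (constructed threshold).
ON_PREMISES_DBM = -70


@dataclass(frozen=True)
class Observation:
    bssid: str
    ssid: str          # "" for a hidden network
    security: str      # e.g. "WPA2-CCMP", "WPA-TKIP", "WEP", "open"
    signal_dbm: int


@dataclass(frozen=True)
class Finding:
    severity: str      # "high", "medium", "low", "info"
    bssid: str
    ssid: str
    message: str


def evaluate_scan(observations, inventory=INVENTORY, org_ssids=ORGANISATION_SSIDS):
    """Return findings for unauthorised, spoofed or misconfigured access points
    and for documented access points that were not seen at all."""
    findings = []
    seen = set()
    for obs in observations:
        bssid = obs.bssid.lower()
        seen.add(bssid)
        entry = inventory.get(bssid)
        if entry is None:
            if obs.ssid in org_ssids:
                findings.append(Finding("high", obs.bssid, obs.ssid,
                    "unknown access point announces an organisation SSID (possible evil twin)"))
            elif obs.signal_dbm >= ON_PREMISES_DBM:
                findings.append(Finding("medium", obs.bssid, obs.ssid or "<hidden>",
                    "unauthorised WLAN with strong signal on the premises"))
            else:
                findings.append(Finding("low", obs.bssid, obs.ssid or "<hidden>",
                    "foreign WLAN, probably outside the premises"))
            continue
        expected_ssid, expected_security = entry
        if obs.ssid != expected_ssid:
            findings.append(Finding("high", obs.bssid, obs.ssid,
                f"authorised access point announces unexpected SSID (expected {expected_ssid})"))
        if obs.security != expected_security:
            findings.append(Finding("high", obs.bssid, obs.ssid,
                f"security mechanism {obs.security} deviates from policy ({expected_security})"))
    for bssid, (ssid, _) in inventory.items():
        if bssid not in seen:
            findings.append(Finding("info", bssid, ssid,
                "authorised access point not seen (switched off, failure or dead zone)"))
    return findings


# Constructed scan result of one walk-around.
SAMPLE_SCAN = [
    Observation("00:11:22:33:44:01", "corp-wlan", "WPA2-CCMP", -48),
    Observation("00:11:22:33:44:02", "corp-wlan", "WPA-TKIP", -55),   # weakened
    Observation("de:ad:be:ef:00:01", "corp-wlan", "WPA2-CCMP", -60),  # evil twin
    Observation("66:77:88:99:aa:bb", "PrinterDirect", "open", -52),   # rogue
    Observation("12:34:56:78:9a:bc", "Cafe-Free", "open", -84),       # neighbour
]


def summary(findings):
    """Count findings per severity, e.g. for the audit report."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in evaluate_scan(SAMPLE_SCAN):
        print(f"[{f.severity:6}] {f.bssid} {f.ssid!r}: {f.message}")
    print(summary(evaluate_scan(SAMPLE_SCAN)))
```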
Use of a wireless intrusion detection system
When planning an access point-based wireless intrusion detection system
(IDS), it must first be specified whether a separate measurement infrastructure
will be built or whether the access points and WLAN clients of the live network
will be switched into a measurement mode at certain intervals. Wherever
measurements cannot be taken in the coverage area to be monitored, attacks on
the WLAN at the wireless level cannot be detected. Furthermore, it must be
taken into account that an access point or WLAN client cannot transmit data
while in the measurement mode, so a reduction in the performance, and possibly
in the availability, of WLAN data transmissions may have to be accepted.
Likewise, a small window of vulnerability always remains open when the access
points of the live network are used in scan mode, because the wireless
interface cannot be monitored while scanning.
Whenever an intrusion detection system or even an intrusion prevention
system (IPS) is used, the normal communication patterns in the WLAN must
be determined or defined based on measurements (see also S 5.71 Intrusion
detection and intrusion response systems).
Alarm and error handling
The WLAN administration should provide alarm and error handling
procedures. The following tasks are to be performed by the administrators in
this regard:
- Assessment and evaluation of alarms, for example when a high number of
unsuccessful attempts to provide authentication on an access point is
detected
- Assessment of statistics for troubleshooting
- Triggering of safeguards when a security incident is suspected
- Ability to change the threshold values triggering the alarms when the
WLAN usage changes
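The alarm named in the first item above, with the adjustable threshold from the last item, as an added Python example that is not part of the IT-Grundschutz text: a per-access-point sliding-window count of failed authentications over constructed access point log lines. The log format, field names, window and threshold values are assumptions made for the example.

```python
"""Threshold alarm for failed WLAN authentications (added example, not part of
the IT-Grundschutz text). Constructed, syslog-like access point log lines are
scanned and an alarm is raised for an access point that records more failed
authentications within a time window than the threshold allows."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> ap=<name> client=<MAC> auth=<ok|fail>"
LINE = re.compile(r"^(\S+) ap=(\S+) client=(\S+) auth=(ok|fail)$")

def failed_auth_alarms(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ap_name: first timestamp at which `threshold` was exceeded}.

    A sliding window is kept per access point: each failure is appended and
    failures older than `window` are dropped before the count is compared.
    `threshold` and `window` are parameters so that they can be adjusted
    when WLAN usage changes."""
    recent = defaultdict(deque)
    alarms = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                      # unparsable line: ignored, not counted
        ts_text, ap, _client, result = m.groups()
        if result != "fail":
            continue
        ts = datetime.fromisoformat(ts_text)
        q = recent[ap]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and ap not in alarms:
            alarms[ap] = ts
    return alarms

# Constructed sample: six failures on ap-03 within one minute, two isolated
# failures on ap-02 half an hour apart (outside the window, so no alarm).
SAMPLE_LOG = [
    "2024-01-15T08:00:00 ap=ap-01 client=00:11:22:33:44:55 auth=ok",
    "2024-01-15T08:00:05 ap=ap-02 client=00:11:22:33:44:66 auth=fail",
] + [f"2024-01-15T08:01:{s:02d} ap=ap-03 client=aa:bb:cc:dd:ee:ff auth=fail"
     for s in range(0, 60, 10)] + [
    "2024-01-15T08:30:00 ap=ap-02 client=00:11:22:33:44:66 auth=fail",
]

if __name__ == "__main__":
    for ap, when in failed_auth_alarms(SAMPLE_LOG).items():
        print(f"ALARM {ap}: failed-authentication threshold exceeded at {when}")
```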
Penetration test
In the course of a security check, a WLAN can also be examined for
vulnerabilities with the help of penetration tests. In this case, all security
safeguards taken must be tested precisely to determine whether they are able to
defend against the attacks they are supposed to counteract. A penetration test
should be conducted every six months, and in no case less often than once per year.
Documentation
When conducting the security check, the administrators should document all
steps taken so that they can be repeated at a later date (for example when it
is suspected that a system has been compromised). The results of the security
check must be documented, and deviations from the intended state must be
examined.
Additional controls:
- Have the administrators been instructed in the alarm and error handling
procedures to follow in case of an attack on the WLAN?
- Is the fact that a WLAN security check was performed documented
together with the results?
S 6.75 Redundant communication links
Initiation responsibility: Head of IT, IT Security Management Team
Implementation responsibility: Administrator
Depending on the availability requirements, the failure of a communication
link or the inability to establish the link can severely impair operations. This
applies both to telephone connections as well as to LAN and WAN
connections. The sources of error can vary so greatly in this case that it is
often very difficult to determine the exact cause of the problem.
Since typical working environments are becoming more and more heavily
networked these days, failures of communications links can mean that
important data and information cannot be exchanged. Under certain
circumstances, this can lead to interruptions in workflows until the connection
has been restored or alternative solutions have been found.
It therefore makes sense to hold alternative solutions available in reserve for
the various communication links (depending on their protection requirement).
Examples:
- The availability of the telephone connection of a control centre should be
guaranteed not only over the land-based network, but also over a mobile
phone.
- A second Internet provider should be used in addition to the normal
Internet provider to guarantee that the e-mail server is able to connect to
the outside world.
- In addition to the e-mail connection or a fax server, there should also be a
fax machine available in case the network connection or server goes down.
It is not always necessary in this case to have another connection with the
same bandwidth and the same quality requirements in reserve. In many cases,
it will be sufficient to enable limited IT operations to be maintained in an
emergency (see also module B 1.3 Contingency Planning).
Additional controls:
- Are there any alternative solutions available for important communication
links?
- Are the alternative solutions regularly adapted to reflect new developments
in technology?
S 6.102 Procedures in the event of WLAN security
incidents
Initiation responsibility: Head of IT, IT security management
Implementation responsibility: Administrator, Users
If the WLAN does not respond in the intended manner (e.g. the WLAN is
unavailable for a long period of time, access to network resources is
impossible, or the network performance is reduced for a long period of time),
then the cause may be a security incident. This can be brought about by an
attacker, faulty configurations, or system errors.
In this case, users should note the following points:
- Users should save the results of their work, terminate the WLAN
connection, and deactivate the WLAN interface on their client.
- If error messages appear or the client does not respond normally, then the
users should document the response as precisely as possible. Likewise, the
user should also document what he or she was doing before and during the
security incident. This allows the administrators to quickly limit the
number of possible reasons for the incident and promptly initiate
countermeasures.
- The administrators must be informed by the users using a suitable
escalation level (e.g. user help desk). It must be ensured in this case that
the ability of the administrators to do their work is not significantly
impaired by the notification process.
The administrators should initiate appropriate countermeasures when a
security incident occurs. Examples of possible actions include:
- Switching off access points
- Blocking communication on the connection point between the distribution
system and the LAN / Internet
- Shutting down the servers (web servers, control servers in the production
environment, or similar servers)
- Deactivating the WLAN interface of the WLAN client
- Checking the configurations of the access points
- Saving all files that could provide clues as to the type and cause of the
problems encountered (for example, if there really was an attack and how
the attacker was able to penetrate the system). In particular, this means
saving all relevant log files.
- Restoring the original configuration data if necessary (see S 6.52 Regular
backup of configuration data of active network components)
- Notifying the users with a request to check for anything unusual at their
workspaces.
If an access point has been stolen, then specific security safeguards must be
taken, for example:

- Changing all cryptographic keys used, meaning the PSKs when using
WPA-PSK or WPA2-PSK, for example
- Changing the configuration on the RADIUS servers to exclude the stolen
access point (IP, name, RADIUS client, shared secret, IPSec)
The possible consequences of events critical to security must be examined.
Finally, all safeguards necessary to make it impossible to use stolen devices to
gain access to the network of the organisation must be implemented. If a
WLAN client is stolen, then the client certificates must also be blocked if a
certificate-based authentication method is used.
Additional controls:
- Is it guaranteed that an administrator will be notified effectively?
- Are the users and administrators aware of all necessary procedures to
follow in case of a WLAN security incident?
- Have the possible consequences of events critical to security been
analysed?
