WLAN security: Best practices for wireless network security
searchsecurity.techtarget.com /WLAN-security-Best-practices-for-wireless-network-security

First-generation wireless networking placed you between a rock and a hard place. Should you cave in and
deploy a WLAN, despite well-documented protocol vulnerabilities and rampant threats? Or should you try to ban
wireless, despite its business advantages and the unnerving suspicion that rogue access points (APs) will crop
up anyway?

It's no longer a no-win, either/or choice. Recent improvements in wireless protocols and infrastructure
technologies make "WLAN security" a realistic goal, not a laughable oxymoron.

"We've been forced to take [wireless] security more seriously than a lot of campuses have," says Col. Donald
Welch, associate dean for information and education technology at the U.S. Military Academy at West Point. The
academy recently installed a WLAN security suite and plans to offer campus-wide wireless connectivity by fall.

As West Point and thousands of other organizations are now discovering, WLANs can be made secure if you're
smart about how you integrate wireless with your wired enterprise, leverage your existing security tools and
select the right security technologies--from basic 802.11 security to VPNs to solutions based on the new
generation of wireless authentication/encryption protocols. As with any technology, the trick then is to monitor
your network's health to keep it safe.

Threats and vulnerabilities

The perils awaiting unprotected WLANs are many. Wireless traffic is easily recorded. Passive eavesdroppers can
gather proprietary information, logins, passwords, intranet server addresses, and valid network and station
addresses. Intruders can steal Internet bandwidth, transmit spam, or use your network as a springboard to attack
others. They can capture and modify traffic to masquerade as you, with financial or legal consequences. Even a
low-tech attacker can disrupt your business by launching wireless packet floods against your APs, nearby
servers, next-hop wired network or Internet uplink.

Fortunately, these risks are not yet heavily exploited. Jupiter Media Research recently reported that 26 percent of
surveyed businesses had experienced at least one type of WLAN attack in the past year. However, most of these
incidents were problems waiting to happen: rogue APs, stations associating with the wrong AP and war driving.
Serious security breaches--like wired network intrusion, theft of confidential data and forgery--were far less
common, according to the survey.

In short, early adopters have been lucky. The cost of downtime and cleanup can be an order of magnitude
greater than the cost of prevention. Now is the time to start playing catch-up with WLAN security.

Steps to securing wireless networks

If you don't know what you're defending and why, your security measures are just shots in the dark. It's critical to
identify business assets that must be protected and the impact of damage, theft or loss.

For wireless network security, as with dial-up and DSL, your policy management should define access
requirements. Who needs access to what and when? If your company already has a remote access policy for
travelers and telecommuters, expand it to incorporate wireless. If you have no such policy, create one.
Remember to include scenarios that are unique to wireless, like employees at public hot spots (see "Hot Spots
Give Security Managers the Chills") or office visitors.

Consider how wireless changes the rules for office visitors. Few companies offer Ethernet access to visiting
customers or business partners. Jacks in public areas are typically disabled or latched to known addresses. But
wireless laptops and mobile devices can easily associate with nearby APs or other wireless stations. This is both
a threat and an opportunity. Security policies should define rules for "walled garden" guest access. For example,
you may prohibit peer-to-peer networking while permitting logged guest sessions through specific APs with
limited destinations, protocols, duration and bandwidth. If guest access is banned, your policy must state this so
that steps can be taken to prevent visitor intrusion.

Once assets have been identified, enumerate threats and quantify risks. Security is always a balancing act,
weighing risk against cost. After this foundation has been established, you can begin to consider WLAN
implementation alternatives.

Taking stock

Before you plot out access point deployment, conduct a site survey using a WLAN discovery tool such as
NetStumbler. What you learn might surprise you. According to a recent Gartner report, at least one in five
companies find APs deployed without IT department permission. Commodity pricing, retail distribution and setup
wizards have made it trivial for employees to install rogue APs, which can expose corporate assets to outsiders
and interfere with WLAN performance. Find and eliminate rogue APs from the start--or safely incorporate them
into your wireless network design.

Site surveys also turn up unauthorized workstations. Create an inventory of laptops and mobile devices with
wireless adapters, documenting user, MAC address and operating system. This will be used to implement WLAN
access controls. And you'll find an up-to-date list is essential when WLAN adapters are lost or stolen.

You may find nearby APs and stations that don't belong to you. Survey public areas (parking lots, hallways,
lobbies) just beyond the physical boundaries of your facility, including upstairs and downstairs. Neighboring MAC
addresses should be recorded, along with network name (SSID) and channel. This list will be used to avoid
cross-channel interference and eliminate false-positive intrusion alerts.
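
A rogue-AP triage script of the kind the survey steps above call for, added here as an example; it is not part of
the original article and is not NetStumbler's output format or code. It assumes a hypothetical inventory of
authorized APs, a recorded neighbor list and a signal-strength threshold, and the scan records are constructed.

```python
"""Rogue-AP triage over site-survey output.

Added example, not code from the original article. The scan records below
are constructed to resemble a NetStumbler-style export (BSSID, SSID,
channel, signal, privacy bit); the AUTHORIZED inventory, KNOWN_NEIGHBORS
list and the -60 dBm "inside the building" threshold are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanRecord:
    bssid: str       # AP MAC address as seen in its beacons
    ssid: str
    channel: int
    signal_dbm: int
    privacy: bool    # Privacy bit in the beacon capability field (WEP on)


def norm_mac(mac: str) -> str:
    """Canonicalise MAC spelling so 00-0C-41-.. and 00:0c:41:.. compare equal."""
    return mac.strip().replace("-", ":").lower()


# APs IT deployed deliberately: what the inventory says each one should advertise.
AUTHORIZED = {
    norm_mac("00:0c:41:aa:bb:01"): {"ssid": "corp-wlan", "channel": 1},
    norm_mac("00:0c:41:aa:bb:06"): {"ssid": "corp-wlan", "channel": 6},
    norm_mac("00:0c:41:aa:bb:0b"): {"ssid": "corp-wlan", "channel": 11},
}

# External APs recorded on the walk through hallways and the parking lot.
# Not ours, but known, so later sweeps should not alert on them.
KNOWN_NEIGHBORS = {norm_mac("00:40:96:11:22:33")}

STRONG_SIGNAL_DBM = -60   # hypothetical: louder than this is unlikely to be next door


def triage(scan, authorized=AUTHORIZED, neighbors=KNOWN_NEIGHBORS):
    """Sort scan records into buckets an administrator can act on.

    rogue        unknown BSSID advertising one of our SSIDs, or an unknown
                 BSSID heard loudly enough to be inside our walls
    misconfig    our AP, but SSID/channel differ from inventory or privacy is off
    neighbor     external AP already on the recorded neighbor list
    new_external faint unknown AP: record it so it stops being a false positive
    ok           matches inventory
    """
    our_ssids = {entry["ssid"] for entry in authorized.values()}
    buckets = {"rogue": [], "misconfig": [], "neighbor": [], "new_external": [], "ok": []}
    for rec in scan:
        mac = norm_mac(rec.bssid)
        if mac in authorized:
            expected = authorized[mac]
            drift = (rec.ssid != expected["ssid"]
                     or rec.channel != expected["channel"]
                     or not rec.privacy)
            buckets["misconfig" if drift else "ok"].append(rec)
        elif mac in neighbors:
            buckets["neighbor"].append(rec)
        elif rec.ssid in our_ssids or rec.signal_dbm > STRONG_SIGNAL_DBM:
            buckets["rogue"].append(rec)
        else:
            buckets["new_external"].append(rec)
    return buckets


# Constructed survey result: three of ours, one recorded neighbor, two rogues,
# one faint unknown AP.
SAMPLE_SCAN = [
    ScanRecord("00:0c:41:aa:bb:01", "corp-wlan", 1, -45, True),
    ScanRecord("00:0c:41:aa:bb:06", "corp-wlan", 6, -50, True),
    ScanRecord("00-0C-41-AA-BB-0B", "corp-wlan", 11, -55, False),  # someone turned WEP off
    ScanRecord("00:40:96:11:22:33", "coffeeshop", 6, -78, False),  # known neighbor
    ScanRecord("00:90:4b:de:ad:01", "linksys", 6, -42, False),     # strong, unknown: rogue
    ScanRecord("00:90:4b:de:ad:02", "corp-wlan", 3, -70, True),    # unknown AP using our SSID
    ScanRecord("00:02:2d:12:34:56", "wireless", 1, -85, True),     # faint, unknown
]


def report(scan=SAMPLE_SCAN) -> str:
    """One line per AP, grouped by bucket, for the survey write-up."""
    lines = []
    for bucket, recs in triage(scan).items():
        for rec in recs:
            lines.append(f"{bucket:13s} {norm_mac(rec.bssid)}  ssid={rec.ssid!r} "
                         f"ch={rec.channel} {rec.signal_dbm} dBm privacy={int(rec.privacy)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

The "misconfig" bucket is the one that catches the sanctioned AP whose WEP got switched off, which a rogue list keyed
only on unknown MACs would miss; the "new_external" bucket is what you feed back into the neighbor list after each
sweep so that the next one raises fewer false alarms.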

Consider getting APs with high-grade antennas that produce strong yet tight signals. These provide focused
connectivity for your users. At the same time, their narrow focus means the signals are less likely to spill out into
the street, where a war driver can capture and exploit them.

WLAN meets LAN

Consider how new WLAN segments will be integrated with and reuse components of your wired infrastructure.
Your network topology, device placement and current security measures all have direct impact on wireless LAN
security.

Restrict AP placement in your network topology. Wireless applications require protected access to the intranet
and/or Internet, affecting routers, firewall rules and VPN policies. Wireless APs are untrusted entities and should
always sit outside the firewall or within a DMZ--never inside the firewall.

Think in terms of a three-interface firewall--intranet on the inside, APs (and other public servers) on the DMZ, and
Internet on the outside interface. Circumstances dictate whether your APs should sit on the DMZ or outside.

A DMZ can protect the WLAN from Internet threats while protecting the wired intranet from WLAN threats.
However, for example, if your firewall doesn't let VPN tunnels originate in the DMZ, you may need to place your
AP on the outside interface instead.

AP security capabilities vary greatly. Entry-level APs are essentially "dumb" hubs, bridging wireless and wired
segments. Enterprise-grade APs, such as Cisco Systems' Aironet 1200 series and Proxim's ORiNOCO AP-2000
are like managed switches, offering security features like 802.1X port access control (more on this a bit later). A
few "smart" APs, such as Colubris' CN1000 and Madge's Smart Wireless Access Point serve as VPN gateways.

Accordingly, your choice of AP will impact your WLAN topology (see "Alternative WLAN Network Topologies,"
below):

Firewalls can provide both access control and VPN termination. If existing firewalls have spare capacity,
they may be leveraged to secure your new WLAN. However, WLANs require more bandwidth per user than V.90 dial-up
or even residential broadband. Smart APs can offload VPN processing, placing fewer demands on the firewall.
Another option is to concentrate access at a new type of device: a gateway tailored for wireless LANs.
Wireless stations usually have DHCP addresses, so packet inspection needs to occur at both MAC
address and user levels. WLAN gateways, such as those from Bluesocket, Vernier and ReefEdge, enforce
scalable policies based on groups of users/stations rather than source IP. They may also provide SSL
portals for visitor login or VPN tunnel persistence when stations roam from one AP to another. Specialized
WLAN gateways complement, but don't replace, general-purpose Internet firewalls.

After entering the wired network, wireless traffic should be segregated so that different policies can be applied.
Intranet servers, edge routers and bandwidth managers can be updated to filter on subnet(s) assigned to your
WLAN. Even when addresses are hidden behind Network Address Translation (NAT), Virtual LAN (VLAN) tags
can be used to keep wireless traffic from being broadcast throughout your intranet.

Leverage existing security. In addition to firewalls and VPNs, the WLAN will be required to fit within your existing
security infrastructure. Consider these points in making it all work together:

Access control lists on intranet servers and routers can block connections from the WLAN--or may need to
be extended to allow the WLAN connections.
DHCP servers can be reused to supply WLAN addresses. Since WLANs aren't inherently trustworthy,
reservations can bind IPs to known MAC addresses. This isn't foolproof or highly scalable, so be selective.
For example, reserve AP and server addresses.
Creating a new user list for your WLAN--even a small one--introduces yet another database to maintain.
Seek solutions that leverage existing user/device credentials and authentication databases. Make sure
your WLAN authentication scheme doesn't put existing authentication credentials at risk.
Wireless adapters create new avenues of attack. Reuse desktop security measures like personal firewalls,
AV scanners and file encryption to harden stations. Mobile devices may require different software but
shouldn't be overlooked.

Integrate wireless networks and devices with existing management infrastructure. Determine if APs, stations and
WLAN software should be inventoried, configured and monitored by solutions already in place and if new
wireless management tools feed your existing supervisory systems.

Enterprise-grade APs and wireless gateways can often be remotely provisioned by SNMP network managers.
Some AP vendors such as Cisco, Proxim and Symbol supply wireless network managers or network
management system plug-ins. Third-party wireless policy management systems are starting to emerge (more on
these later).

Wireless APs and gateways may generate SNMP traps or send Syslog messages, feeding log servers and
analysis tools that already monitor wired networks. But WLANs have their own reporting needs, too. Enterprises
may need to audit user activity; hot spot providers must record sessions to feed billing systems and generate
revenue.

RADIUS access requests sent by 802.1X, VPNs and SSL portals can help. Devices sold to the ISP market are
more likely to generate RADIUS accounting records.

802.11 security: Just the basics

You have an increasing choice of options for authentication and encryption, from several emerging technologies
to VPNs. Depending on the size of your enterprise and the level of risk WLAN opens up, you may want to start
with the security 802.11 offers out of the box.

Basic 802.11 security deters accidental association or casual eavesdropping. In most WLAN products, however,
these security features are disabled by default. Disabled means the WLAN operates in "open system" mode: any
station that knows the network's Service Set Identifier (SSID), or learns it by capturing the beacon frames APs
broadcast, can join.
The 802.11 standard's security is composed of authentication and encryption. When shared-key authentication is
enabled, stations can associate with the AP only if they hold a 40- or 104-bit key known to both parties (products
label these 64- and 128-bit WEP, counting the 24-bit initialization vector). When Wired Equivalent Privacy (WEP) is
enabled, the same key is fed into the RC4 cipher to encrypt data frames. Only stations that possess the shared key
can join the WLAN, but that same key decrypts frames transmitted by every other station. If your policy requires
authentication of individual stations, or confidentiality beyond the air link, you must adopt other measures.

Configuring a hard-to-guess SSID makes neighbors less likely to mistake your WLAN for their own. Stations
running Windows XP automatically join any discovered network by default. Enabling shared-key authentication
prevents this. Be aware, though, that shared-key authentication adds little real protection: the challenge is
sent in the clear and the response is that same challenge WEP-encrypted, so an eavesdropper who captures one
exchange learns a keystream that can be replayed to answer later challenges. Using WEP is like locking your
office desk. Motivated intruders can jimmy a low-grade lock. Given enough data, a persistent attacker can use
freeware tools to crack WEP. Nevertheless, these can be your first line of defense. Small business and home
networks should always use them; enterprises may opt for higher-level measures. The 802.1X standard addresses
the need for more robust authentication, and the 802.11i standard's Temporal Key Integrity Protocol (TKIP)
provides for more robust encryption.

802.1X

Many APs can be configured with a list of MAC addresses to allow or block. But MAC addresses can be forged.
To address this, IEEE 802.1X provides a standard, multivendor framework for combining port-level access
control with authentication carried by the Extensible Authentication Protocol (EAP): the AP blocks all traffic
from a station except EAP until an authentication server (typically RADIUS) approves it.

EAP is an envelope that supports many different kinds of authentication. Deploying 802.1X requires adopting one
or more EAP methods:

Cisco's Lightweight EAP (LEAP) uses mutual password authentication (an MS-CHAP-style challenge/response)
between the station and the authentication server, relayed by the AP. Because LEAP's challenge/response isn't
encrypted, anyone who captures it can run an offline dictionary attack against the password.
EAP-TLS requires mutual certificate authentication between stations and servers. The TLS handshake itself
performs the authentication and derives the session keys, so there is no password to eavesdrop. The price paid
for tighter security is a certificate on every station.
EAP-TTLS and Protected EAP (PEAP) authenticate servers by certificate and stations by passwords,
made safe by tunneling the password exchange over TLS. Logins known to your RADIUS server, Active Directory
or domain controller can be reused by 802.1X to simplify WLAN deployment.

Microsoft shipped 802.1X/EAP-TLS in Windows XP, added it to Windows 2000, and makes client software
available to supported Windows NT/ME/98 customers. Enterprises that only need Win32 and already use client
certificates should seriously consider 802.1X/EAP-TLS. An Open1x 802.1X/EAP-TLS supplicant runs on Linux
and Free/OpenBSD.

RADIUS vendors Funk Software and Meetinghouse supply EAP-TTLS supplicants. Microsoft recently added
PEAP to Win32 802.1X supplicants. Neither method has been ratified as a standard yet, which raises concerns
about interoperability and stability.

Moreover, EAP-TTLS and PEAP aren't foolproof. They can be tricked into sending identity or credentials without
the protection of the TLS tunnel, and a station that doesn't verify the server's certificate will happily build its
tunnel to a rogue AP. A man-in-the-middle can intercept and use these values to access your WLAN. Configure
supplicants to validate the server certificate against a specific CA (and server name, where the supplicant allows
it), and never let the password method run outside the tunnel.

Wi-Fi protected access

Wi-Fi is the brand given to 802.11 products certified by the Wi-Fi Alliance, a consortium organized to promote
802.11 products and interoperability among them. Wi-Fi Protected Access (WPA) is a security enhancement for
current-generation WLAN hardware. WPA incorporates just the stable parts of the 802.11i advanced security
standard, which is still a work in progress. WPA products can interoperate with the older WEP products.

WPA defines TKIP, which derives keys by mixing a base key with the transmitter's MAC address. A 48-bit sequence
counter, which also serves as the initialization vector, is mixed with that key to generate per-packet keys. This
stops WEP-crackers from comparing frames encrypted with the same key. WPA also includes a Message Integrity
Check (MIC, known as Michael) to prevent data forgery.

Enterprises should use WPA with 802.1X for key delivery and refresh. Organizations using WEP should apply
certified WPA firmware as soon as upgrades become available. The final 802.11i standard will add AES for more
robust security using next-generation hardware, but that will be a forklift rather than firmware upgrade.
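
The following added example (not code from the original article) makes concrete the weakness that the WEP
discussion above alludes to and that TKIP's per-packet keys close: two WEP frames sent under the same 24-bit IV
share an RC4 keystream, so a passive eavesdropper who can guess one frame's body reads the other without ever
learning the key. RC4 is implemented inline; the 40-bit key, the IV and both frame bodies are constructed, and
the CRC-32 ICV that real WEP appends is omitted because it does not change the point.

```python
"""Keystream reuse in WEP, the weakness TKIP's per-packet keys close.

Added example, not code from the original article. RC4 is implemented
inline because it is WEP's cipher; the 40-bit key, the IV and the two
frame bodies are constructed. Real WEP also appends a CRC-32 ICV before
encrypting; it is omitted here because it does not change the point.
"""
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR data with the generated keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, body: bytes) -> bytes:
    """WEP frame payload: the 24-bit IV in the clear, then RC4(IV || key, body).

    Every station uses the same shared key, so the IV is the only thing that
    varies the keystream from frame to frame, and there are only 2**24 IVs.
    """
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + rc4(iv + shared_key, body)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_with_known_plaintext(frame_a: bytes, plain_a: bytes,
                                 frame_b: bytes) -> Optional[bytes]:
    """Passive eavesdropper's move when two captured frames share an IV.

    C_a XOR C_b == P_a XOR P_b because the keystream cancels, so knowing
    P_a (a predictable ARP or DHCP body, say) reveals P_b without the key.
    Returns None when the IVs differ: then the keystreams are different.
    """
    iv_a, c_a = frame_a[:3], frame_a[3:]
    iv_b, c_b = frame_b[:3], frame_b[3:]
    if iv_a != iv_b:
        return None
    keystream = xor(c_a, plain_a)      # keystream for this IV, as long as P_a
    return xor(c_b, keystream)         # recovers up to len(P_a) bytes of P_b


SHARED_KEY = bytes.fromhex("0102030405")           # constructed 40-bit WEP key
P_A = b"ARP who-has 10.0.0.1 tell 10.0.0.2"        # plaintext the attacker can guess
P_B = b"POST /login user=alice&pw=hunter2"         # plaintext the attacker wants


def demo(reuse_iv: bool = True) -> Optional[bytes]:
    """Encrypt both frames; with a reused IV the second is recovered in full."""
    iv_a = b"\x00\x00\x01"
    iv_b = iv_a if reuse_iv else b"\x00\x00\x02"
    frame_a = wep_encrypt(SHARED_KEY, iv_a, P_A)
    frame_b = wep_encrypt(SHARED_KEY, iv_b, P_B)
    return recover_with_known_plaintext(frame_a, P_A, frame_b)


if __name__ == "__main__":
    print("same IV     ->", demo())
    print("distinct IV ->", demo(reuse_iv=False))
```

On a busy 54 Mbps AP a counter-style IV wraps in roughly an hour, and adapters that restart the counter from zero
after a reset collide far sooner, so this is routine rather than theoretical. TKIP's remedy is exactly what the
paragraph above describes: the per-packet key is a mix of the base key, the transmitter address and a 48-bit
sequence counter, and 802.1X rekeying replaces the base key long before that counter space is exhausted.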

Security for VPNs

If your company already has a remote access VPN, consider using it for WLAN security. Reuse makes the most
sense when security policy is consistent for WAN and LAN access--the same credentials can be used for
authentication; the same encryption algorithms can be used for confidentiality.

However, WLANs present their own set of VPN issues:

There is more data to encrypt on a high-speed WLAN. Additional gateways may be needed to support
wireless encryption, particularly when using 802.11a/g at link speeds up to 54 Mbps.
Tunnels are bound to IP addresses. WLAN stations roam between APs, changing IP address. Broken
tunnels can be reestablished, but service disruption is often noticeable. In smaller WLANs, several APs
can share the same DHCP scope. VLANs can help, up to a point. In larger WLANs, wireless gateways can
provide tunnel persistence when stations roam.
Client deployment can be costly and difficult to mandate. Reusing deployed clients is one thing, adding
new clients and policies quite another.

VPN tunnels, WEP/TKIP and 802.1X address different problems. Consider a business partner using a guest
WLAN. A tunnel controls access to the visitor's own network; 802.1X controls access to the guest WLAN. A
tunnel prevents eavesdropping from end to end; WEP/TKIP prevents eavesdropping on the air link only.

Travelers using guest WLANs and hot spots should use VPNs to protect themselves, no matter what local
measures are employed by the visited network.

Portals and 'mobile VPNs'


Portals frequently control access to public hot spots and guest networks (wired or wireless). Outbound HTTP
requests are redirected to a login page, where the user authenticates via SSL before access is granted to the
network.

SSL portals are great for heterogeneous WLANs in which client software (VPN, 802.1X, TKIP) can't be dictated.
Login can be accomplished with any browser, without preconfigured credentials or keys. But portals don't encrypt
data; they only provide secure authentication.

Enterprise networks may combine portal login with WEP/TKIP. Like 802.1X, portals let stations authenticate
securely with legacy credentials and existing user databases. Unlike 802.1X, portals make users launch a
browser to conduct authentication and don't deliver keys. 802.1X is more transparent, but requires configured
supplicant software. Your choice will depend on what you already have, what you must add, and how you will
maintain it.

Another option, "mobile VPNs," is gaining popularity because they are clientless, using standard browsers.
These protect more than the login--they proxy data over a SSL/TLS tunnel. Mobile VPN products from vendors
such as NetMotion and Columbitech are tuned for wireless, including optimization for low-speed cellular,
WAN/LAN roaming and session persistence during brief network interruptions.

On the other hand, mobile VPN servers can be vulnerable to denial-of-service attacks, and software installed
on general-purpose computing platforms raises hardening and scalability issues. Nonetheless, if you don't have a
remote access VPN, consider mobile VPNs as a wireless security alternative.

Use your security policy to choose the most appropriate solution. When policy requires secure WLAN access to
an entire network, some kind of tunneling is indicated. When policy requires secure WLAN access to the user's
own desktop, screen sharing (e.g., GoToMyPC, pcAnywhere, VNC over SSH) is a better fit. When policy requires
secure WLAN access to just one or two applications, secure application protocols (secure e-mail, secure file
transfer, SSL-protected Web GUIs) may be sufficient.

Keeping your WLAN safe

Like any other network segment, WLANs require configuration and monitoring. You can reuse existing
infrastructure, and you certainly want WLAN management to fit within your overall network management scheme.
However, you'll still need some specialized tools to maintain wireless security (see "Sniffing the Air for Trouble").

WLAN discovery and vulnerability assessment: War drivers try to find unprotected APs, but IT staff can use some
of their tools for WLAN discovery, penetration testing and vulnerability assessment.

Discovery tools should be used during site surveys and periodically thereafter to detect rogue APs and
unauthorized peer-to-peer connections.

Penetration test and vulnerability assessment tools such as AirMagnet's Handheld Analyzer and Internet Security
Systems' Wireless Scanner should also be used on a regular basis. WLAN traffic can be captured and analyzed
for suspicious behavior. For example, excessive disassociation or deauthentication (disconnect) frames, repeated EAP
handshaking or WEP errors suggest attack. Stations or APs in open-system mode or without WEP can be flagged as policy
violations. Pen testers can probe APs and gateways to see whether Telnet, SNMP or other ports are open to
WLAN attack. Tools can also create baseline reports against which to compare future results, so that changes
can be investigated and new problems remedied.

WLAN intrusion detection: In large enterprises, some type of distributed monitoring with central collection and
analysis may be necessary.

Network IDS (NIDS) provides centralized 24/7 real-time analysis in wired networks. NIDS can be leveraged to
catch wired network intrusions originating from the WLAN.

However, attacks on the WLAN itself require a different solution. For example, AirDefense sensors with 802.11
interfaces capture WLAN traffic and perform data reduction. Its IDS engine uses protocol inspection, signatures,
anomaly detection and policy enforcement to generate intrusion alerts. The StillSecure Border Guard from Latis
Networks provides both intrusion detection and content filtering at the WLAN gateway.
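
The heuristics named in the assessment and intrusion detection passages above, run over a sample capture, as an
added example; this is not code from the original article or from any of the products it names. The log format
is a hypothetical text export (timestamp, frame type, subtype, key=value fields), the sample lines are constructed,
and every threshold is an assumption to be tuned per site.

```python
"""Heuristics of the sort a WLAN IDS applies to captured 802.11 traffic.

Added example, not code from the original article or from any product it
names. The log format is a hypothetical text export (timestamp, frame type,
subtype, key=value fields); sample lines are constructed, thresholds are
assumptions to tune per site.
"""
import re
from collections import defaultdict, deque

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<ftype>\w+)\s+(?P<subtype>[\w-]+)\s*(?P<kv>.*)$"
)


def parse_line(line: str):
    """Return a dict for one log line, or None for lines that don't parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "type": m["ftype"], "subtype": m["subtype"]}
    for tok in m["kv"].split():
        key, _, val = tok.partition("=")
        rec[key] = val
    return rec


class WlanIds:
    """Stateful detector: feed() frames in time order, then read .alerts."""

    def __init__(self, deauth_thresh=10, deauth_window=5.0,
                 eap_thresh=3, eap_window=30.0, icv_thresh=5):
        self.deauth_thresh, self.deauth_window = deauth_thresh, deauth_window
        self.eap_thresh, self.eap_window = eap_thresh, eap_window
        self.icv_thresh = icv_thresh
        self.alerts = []
        self._deauth = defaultdict(deque)    # src -> timestamps inside the window
        self._eapol = defaultdict(deque)
        self._icv_bad = defaultdict(int)
        self._reported = set()               # (rule, key): one alert per offender

    def _in_window(self, store, key, ts, window, thresh):
        q = store[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        return len(q) >= thresh

    def _alert(self, rule, key, ts, detail):
        if (rule, key) not in self._reported:
            self._reported.add((rule, key))
            self.alerts.append({"ts": ts, "rule": rule, "key": key, "detail": detail})

    def feed(self, rec):
        ts, sub, src = rec["ts"], rec["subtype"], rec.get("src", "?")
        if sub in ("deauth", "disassoc"):
            # A burst of disconnects claiming to come from one address: denial of
            # service, or forcing stations to re-authenticate so the exchange is captured.
            if self._in_window(self._deauth, src, ts, self.deauth_window, self.deauth_thresh):
                self._alert("deauth-flood", src, ts,
                            f"{self.deauth_thresh}+ deauth/disassoc frames within {self.deauth_window}s")
        elif sub == "eapol-start":
            # Repeated EAP handshakes from one station: broken supplicant, or
            # someone hammering the 802.1X authenticator.
            if self._in_window(self._eapol, src, ts, self.eap_window, self.eap_thresh):
                self._alert("eap-retry", src, ts,
                            f"{self.eap_thresh}+ EAPOL-Start frames within {self.eap_window}s")
        elif sub == "beacon" and rec.get("privacy") == "0":
            # Policy check: beaconing without the Privacy bit means open system, no WEP.
            self._alert("open-system-ap", src, ts, "beacon without Privacy bit set")
        elif rec["type"] == "data" and rec.get("icv") == "bad":
            # WEP integrity failures from one source: wrong key, or forged frames.
            self._icv_bad[src] += 1
            if self._icv_bad[src] >= self.icv_thresh:
                self._alert("wep-errors", src, ts, f"{self.icv_thresh}+ frames failing WEP ICV")


def analyze(log_text: str, **thresholds):
    """Run the detector over a whole capture and return its alerts in order."""
    ids = WlanIds(**thresholds)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ids.feed(rec)
    return ids.alerts


OUR_AP = "00:0c:41:aa:bb:01"
SAMPLE_LOG = "\n".join(
    ["10.000 mgmt beacon src=00:0c:41:aa:bb:01 dst=ff:ff:ff:ff:ff:ff privacy=1",
     "10.100 mgmt beacon src=00:90:4b:de:ad:01 dst=ff:ff:ff:ff:ff:ff privacy=0",
     "11.000 data eapol-start src=00:02:2d:55:66:77 dst=00:0c:41:aa:bb:01",
     "12.000 data eapol-start src=00:02:2d:55:66:77 dst=00:0c:41:aa:bb:01",
     "13.000 data eapol-start src=00:02:2d:55:66:77 dst=00:0c:41:aa:bb:01"]
    # twelve broadcast deauths in 1.1 s forged with our AP's address
    + [f"{20 + i / 10:.3f} mgmt deauth src={OUR_AP} dst=ff:ff:ff:ff:ff:ff" for i in range(12)]
    # six data frames from one station whose WEP ICV does not verify
    + [f"{30 + i:.3f} data data src=00:02:2d:99:99:99 dst={OUR_AP} icv=bad" for i in range(6)]
    # normal traffic that must stay quiet
    + [f"40.000 data data src=00:02:2d:12:34:56 dst={OUR_AP} icv=ok",
       f"41.000 mgmt disassoc src=00:02:2d:12:34:56 dst={OUR_AP}"]
)

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a['ts']:8.3f} {a['rule']:15s} {a['key']}  {a['detail']}")
```

The deauth rule keys on the claimed source address on purpose: a genuine AP rarely deauthenticates its whole cell
ten times in five seconds, so a burst carrying your AP's address is a spoofing signal, which is also why the neighbor
MAC list from the site survey matters for keeping such alerts off known external APs.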

Policy management: Enforcing wireless network security policies, responding to frequent changes, and updating
distant devices is a challenge. As 802.11 matures, enterprise WLANs will grow larger, creating a new market for
wireless management systems. As previously noted, some AP and gateway vendors provide products to manage
their own offerings. To appreciate what third-party management systems will offer, let's examine a few early
entrants:

AirWave's Management Platform automatically configures detected APs with network policies. Group
policy changes and firmware updates can be pushed from a central point, APs can be audited for
compliance, and WLAN traffic is continuously analyzed to identify and escalate performance problems in
accordance with policy.
Cirond's WLAN Manager provides proprietary WEP key distribution, location-based access control,
a provisioning system for guest access and real-time location maps for active APs and stations.
Wavelink's Mobile Manager creates and distributes WEP keys and very large enterprise-scale AP access
control lists to stations and APs. Security parameters and access rules are configured on a central policy
management system and pushed to devices, supported by mobile device agents and client software.

So, don't ban the WLAN

Despite all the dire warnings about wireless security, there are a lot of unprotected WLANs out in the world, ripe
for picking. Sampling metropolitan areas on white hat war drives reveals unprotected WLANs in police stations,
doctor's offices, law offices, retail stores, municipal buildings and hundreds of businesses.

But your WLAN can be secure. The trick is to apply the security measures discussed here judiciously, following
careful analysis of business needs and risks. Deploying any type of network securely is always a balancing act,
establishing a happy medium between security for security's sake and pragmatic protection of mission-critical
assets. WLANs are no different.

About the author:


Lisa Phifer is VP at Core Competence, a consulting firm specializing in network security and management
technology.
