Locking down the airwaves

Defending your wireless LAN may seem an impossible task, says Dave Piscitello, but you can do it more easily than you may think

Wireless LANs are a blessing and a curse. They offer tremendous relief to large organizations whose employees need greater flexibility and mobility. But a wireless access point is also a radio station broadcasting your company's private information.

The good news is that you can greatly reduce the security risks of wireless LAN segments, using the tools you already have and techniques you've applied before.

The seemingly new problem of securing wireless LANs has an old solution: defense in depth. When you consider how to reduce the risks of incorporating WLANs into your trusted networks, begin by examining the many measures your organization already implements to protect wired LANs. Once you have done this, then consider how to apply these to wireless LANs.

Because wireless LANs introduce a new avenue to your intranet, you should conduct a thorough risk analysis before you permit wireless access to your trusted networks. Risk analysis identifies your organization's assets and value, and the kinds of attacks that threaten these important assets.

Ultimately, you'll find that protecting your network, wireless or wired, requires multiple layers of security. Particularly with WLANs, you will often find it appropriate to employ several countermeasures to each threat you identify. A multi-layered approach throws multiple barriers against intruders that, hopefully, keeps them at bay and gives you the time and information you need to hunt them down and later prosecute them.

Piling on the layers one by one

When implementing layered security on your network, consider working from the bottom layer up. I start with the physical (layer 1), move on to data link (layer 2) issues such as MAC addressing, and so on, working up in some cases to the applications themselves. This is as good a model as any for making sure you don't overlook some aspect of your network's security, and for laying a solid foundation for each successive layer's security. Here are examples of steps for securing WLANs at each layer.

WLANs use radio transmission, and hackers using strong antennae can pick up any signal that goes beyond your walls. Perform site surveys to determine the most appropriate placement of intra- and inter-building antennae and WLAN access points (APs). Where you point your antenna and how you adjust the power of radio transmissions can reduce your risk exposure. After you deploy APs, and before you connect your WLAN to your intranet, evaluate the extent of your radio transmission and coverage.

Perform a focused WLAN security audit using discovery and traffic analysis products (whether shareware or commercial) that help you discover WLAN activity within your area. This step uncovers any unauthorized and neighboring APs within the area.

For layer 2 and up, you can tighten your infrastructure and strengthen the security of many of your devices simply by paying strict attention to how you configure them.

Connect access points to wired Ethernet switches rather than hubs, to minimize the broadcast traffic that might emanate from the wired LAN systems out to the WLAN clients. The default behavior of many switches is to flood broadcasts out of every port, so remember to configure your switch to restrict such traffic to the bare necessities.

When you purchase wireless APs or WLAN switches, select models that can inventory wireless LAN MAC addresses. Several APs can block MAC addresses by consulting a local access control list or by consulting a RADIUS server that you configure with your MAC address inventory. Such efforts help you deny access to lost or stolen network interface cards, and block access from unknown MAC addresses. With certain WLAN equipment, you can apply this technique to IP addresses, too; just as your APs should not accept traffic from any MAC, they should not accept traffic from any IP not on your network.

Identify your WLANs with unique service set identifiers (SSIDs, the network name of your WLAN). Never use factory-default or blank SSIDs, and do not allow clients to simply listen for any SSID (or they may be misled into connecting to an attacker's system). Configure long, hard-to-guess SSIDs. This step minimizes the number of roaming or adjacent WLAN clients that could accidentally associate with your access point.

Wired equivalent privacy (WEP) capabilities built into the IEEE 802.11 wireless protocol are too weak to use as an exclusive security measure, but WEP contributes to a layered security strategy. Use it, but make sure you bear its limitations in mind.

Employ WEP shared-key authentication, but avoid using weak and permanently configured keys. Employ products that automate key derivation, provide WEP key distribution or support dynamic key generation. These measures are supported by products that implement Wi-Fi protected access, a set of fixes defined by the Wi-Fi Alliance.

Audit and analyze all you can

Complement layered security by logging and auditing activity where you apply security. Record SSIDs, radio channels, and MAC addresses used in the area where you'll deploy your WLAN. Routinely scan broadcast channels for rogue APs and new MAC addresses.

Use wireless LAN analysis tools such as AirSnort, Ethereal, or AiroPeek to sniff wireless traffic. If you spot lots of invalid SSIDs, unfamiliar MAC addresses, rejected DHCP requests, and so on, these may well indicate intruder activity.
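One way to turn the MAC inventory described above and this audit step into a repeatable check, as an added example that is not from the column: each scan is compared against the site-survey baseline, and any AP, SSID-to-BSSID pairing, channel or client MAC that was not recorded becomes a finding. The baseline, the NIC inventory and the scan-line format are constructed for illustration, not the output of any named tool.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind detail")

# Constructed baseline from the initial site survey: authorized APs keyed by
# BSSID (the AP's radio MAC), each with the SSID and channel it should use.
BASELINE_APS = {
    "00:0c:41:aa:01:01": ("corp-x7q2-north", 1),
    "00:0c:41:aa:01:02": ("corp-x7q2-south", 11),
}
# Constructed inventory of the wireless NICs issued to staff.
KNOWN_CLIENTS = {"00:40:96:de:ad:01", "00:40:96:de:ad:02"}

# Constructed one-line-per-AP scan format; a real survey tool's output would
# need its own parser here.
SCAN_RE = re.compile(r"ssid=(?P<ssid>\S*) bssid=(?P<bssid>[0-9A-Fa-f:]{17}) ch=(?P<ch>\d+)")

def audit_scan(scan_lines, baseline=BASELINE_APS):
    """Compare one scan against the baseline and return a list of Findings."""
    findings = []
    known_ssids = {ssid for ssid, _ in baseline.values()}
    for line in scan_lines:
        m = SCAN_RE.match(line)
        if not m:
            continue  # unparseable line; SSIDs are case-sensitive, MACs are not
        ssid, bssid, ch = m["ssid"], m["bssid"].lower(), int(m["ch"])
        if bssid in baseline:
            if ch != baseline[bssid][1]:
                findings.append(Finding("channel_change", f"{bssid} now on ch {ch}"))
        elif ssid in known_ssids:
            # Our network name advertised by an AP we never deployed.
            findings.append(Finding("spoofed_ssid", f"{bssid} advertises {ssid}"))
        else:
            findings.append(Finding("rogue_ap", f"{bssid} ssid={ssid!r} ch {ch}"))
    return findings

def audit_clients(seen_macs, inventory=KNOWN_CLIENTS):
    """Return MACs that associated with our APs but are not in the NIC inventory."""
    return sorted({m.lower() for m in seen_macs} - inventory)

SAMPLE_SCAN = [  # constructed scan output
    "ssid=corp-x7q2-north bssid=00:0C:41:AA:01:01 ch=1",
    "ssid=corp-x7q2-south bssid=00:0c:41:aa:01:02 ch=6",  # channel drifted
    "ssid=corp-x7q2-north bssid=02:13:37:00:00:01 ch=1",  # our SSID, not our AP
    "ssid=linksys bssid=00:12:17:bb:cc:dd ch=6",          # default SSID, unknown AP
    "ssid= bssid=00:12:17:bb:cc:ee ch=11",                # blank SSID, unknown AP
]
SAMPLE_CLIENTS = ["00:40:96:DE:AD:01", "00:1b:63:12:34:56"]  # constructed

if __name__ == "__main__":
    for f in audit_scan(SAMPLE_SCAN):
        print(f.kind, f.detail)
    print("unknown clients:", audit_clients(SAMPLE_CLIENTS))
```

Running the check on a schedule and diffing successive findings lists gives the "new MAC addresses" signal the audit step calls for without anyone reading raw scan output.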

The concept of a wireless network expands the definition of what your network's perimeter is, even more so than teleworking and remote access. An improperly configured WLAN can allow an intruder to access the heart of your network, from outside your building. That's why many organizations completely separate WLAN clients from trusted networks and treat WLAN users just like remote users. I often recommend that organizations use an interdepartmental firewall to segregate the wireless segment from the trusted network.

Interdepartmental firewalls separate groups of users (and the servers they alone should access) from everyone else. Placing a firewall between your WLAN and your intranet offers several security opportunities.

Using your firewalls wisely

First, there is user authentication. You should require WLAN users to present login credentials before accessing your intranet.

Then there is perimeter access control: firewall access controls can protect your intranet from IP address spoofing, denial-of-service and other attacks launched from WLANs. Encrypted connections provide stronger authentication, message privacy and integrity, so make WLAN clients use a VPN tunnel that terminates at a VPN security gateway or VPN-capable firewall.

Last, internal firewalls provide an audit point between WLAN users and intranet servers for necessary logging and monitoring.

Proper, thoughtful placement of firewalls between wired and wireless segments will ensure that every WLAN client is authorized, and the traffic is filtered, encrypted, and scanned for viruses. Note that if your WLAN clients are roving laptops, they should each have a personal firewall too, or they could end up using a VPN tunnel to send viruses to headquarters.

While this list of WLAN defenses is far from exhaustive, I hope it illustrates that you can do much to protect your wireless LAN by using the same defenses you've used in your wired LAN. WLANs offer tons of convenience, discovered the moment you set up a segment without stringing any cables. Implement layers of defense in depth, and you can enjoy that convenience without any nagging worries.

Dave Piscitello is a member of WatchGuard Technologies' LiveSecurity Advisory Council ( 
