Don’t overlook the importance of sound policy in your efforts to achieve effective security, says Bob Whelan
Establishing a sound policy is the first step to implementing effective wireless network security. Good security starts with understanding your potential areas of vulnerability. As with most emerging technologies, IT departments will need to be flexible enough to embrace practical solutions today that fit their current environments, while planning for standards that ultimately will come in the future. In the interim, there exist highly effective and proven technology answers, that when combined with well thought out policy, make for a secure and successful wireless deployment. Organizations should consider the following six tips.
1. Start with physical access
Protected access to network resources is one of the most fundamental aspects of network security. Any security plan should first consider physical access security questions such as how are the individual hardware resources - including server rooms, desktop computers, off-site back-up and storage facilities - protected from physical access by unauthorized individuals. What processes are in place to make sure mobile resources, such as laptops and handheld devices, are not falling into the wrong hands? Have any unauthorized devices been physically connected to internal network wires?
2. Authenticate remote access
Remote access security addresses the need to enable remote connections for authorized users and devices while preventing connections from unauthorized users and devices.
If security requirements are very high, consider advanced techniques of user authentication, beyond user names and passwords, such as certificates or smartcards. Consider combining device authentication with user authentication to prevent unauthorized (i.e. personal) equipment or unsupported devices.
3. Manage your network
Wireless networks are frequently installed without any thought to secure configuration or management. Unmanaged equipment and unmonitored networks can lead to vulnerabilities from signal spillover into adjourning offices or parking lots, unsecured availability of resources, and inadequate access control and confidentiality measures.
You should educate employees on aspects of the policy that impact their use of the network, implement a management solution for deploying and enforcing wireless security policy and include rules for use of mobile devices on public WLANs (hotspots). Some possibilities include requiring that file/print sharing be disabled before logging on, requiring the use of personal firewalls and/or VPNs, and disabling peer-to-peer wireless connections.
4. Guard against rogue access
Unauthorized or rogue access points are most commonly added to the network by a well-intentioned employee installing a small wireless LAN for personal or departmental convenience without the knowledge of the IT department. Because an access point can open a door to all of the resources available throughout the network, the risk associated with unknown access points exemplifies the need for established, enforceable security policy, strong physical security measures (such as locked doors and access key cards), and the implementation of an efficient method of access point detection.
To guard against rogue access points you should educate employees about the seriousness of the risk and implement a policy against self-installations of access points without IT sign-off. You should also conduct frequent scans of wireless traffic to locate and disarm unauthorized (and probably unsecured) access points.
5. Preventing passive attacks
Passive attacks involve either the collection of data in transit or the penetration of the network as a result of a 'back door' being left open. The most common and feared is eavesdropping, which has been popularized by the highly publicized vulnerabilities of the wireless encryption protocol (WEP).
The WEP initialization vector and the static nature of the WEP key can be exploited to crack an organization's WEP key once sufficient data has been collected, leaving a network open to infiltration and disruption. The best protection is to leverage the newer security standards whenever possible and practical, such as Wi-Fi Protected Access (WPA), Cisco's LEAP, TKIP or other 802.1x compliant authentication models that include session-based automated key distribution.
For companies who continue to use WEP, there are measures which will help mitigate passive attacks. These include reviewing and adjusting radio transmit power settings on both access points and mobile devices to prevent spillover, disabling service set identifiers (SSID) broadcasts in access points, employing a method of transmission encryption, rotating encryption keys frequently and limiting access point associations. If the security plan involves the use of master keys, use a secure method for distributing these (such as requiring that they are only distributed using wired network connections).
6. Thwarting active attacks
To prevent active attacks such as spoofing, denial-of-service, bit flipping and replay attacks, you can implement statistical monitoring and configurable alerts related to data volume, packet collisions and retries. Ensure that no microwave ovens or cordless phones are within sufficient range to create interference on WLANs. Other actions include encrypting wireless traffic (ideally using session-based keys if installed), using an EAP type mutual authentication model if possible, employing filtering mechanisms to limit protocols for wireless traffic only to those that provide layer 3 validation, such as TCP/IP, using 802.1x based authentication whenever possible, and lowering data rates on access points where significant excess capacity exists.
Bob Whelan is chief technology officer, Wavelink Corp. (www.wavelink.com)
Spooning through 802.11 alphabet soup
The Institute of Electrical and Electronics Engineers' (IEEE) 802.11 networking standard consists of spin-offs, each providing different spectrums on which to operate. The alphabet soup starts with standards a, b and g, which all have basic encryption and authentication, but share the same flaw of being easily hacked. The IEEE's 802.11i standard is intended to address the security issues that a, b and g failed to.
According to CTO Chia-Chee Kuan of AirMagnet, Inc., a developer of security assessment and network management tools for WLANs, 802.11a offers 54Mbps throughput per channel used. This higher speed and the use of the 5GHz radio spectrum - the same spectrum for cell phones - allows for much cleaner information exchange. But, with cleaner airwaves comes a shorter range. Additionally, 802.11a WLAN equipment is incompatible with existing and more prevalent 802.11b tools.
These WLANs operate at a lower speed and on a noisier spectrum, with throughput of 54Mbps per channel and a 2.4GHz spectrum. This particular slice of airwaves accommodates baby monitors, microwaves, wireless web cameras and more, says Kuan. Even so, 802.11b equipment is readily available and is often the least expensive of the standards.
The most recent to join the fray, it should be ratified by the IEEE around June, says Kuan. Although it still enlists the same 2.4GHz spectrum, the throughput per channel runs the same as 802.11a at 54Mbps. Another plus is its far-reaching range. Basically, he says, 802.11g is the movie star of the bunch because of its high speed and improved throughput. It also gets a lot of press because it is backwards compatible with 802.11b.
Enter 802.11i, another of IEEE's standards to be ratified this summer. Says NTRU's Dan Bailey, product manager for Wireless Networks, 802.11i offers two options that hardware vendors can use to help secure WLANs.
The first is TKIP, which also has a second name - WPA - used by the Wi-Fi Alliance to certify that hardware is meeting the standard. Basically, says Bailey, TKIP/WPA offer a set of tips on how to make WEP more secure. The second part of 802.11i is 128-bit AES encryption, and this kind of protection is where IT managers want to go, he notes.