First-generation wireless networking placed you between a rock and a hard place. Should you cave in and deploy a WLAN, despite well-documented protocol vulnerabilities and rampant threats? Or should you try to ban wireless, despite its business advantages and the unnerving suspicion that rogue access points (APs) will crop up anyway?
It's no longer a no-win, either/or choice. Recent improvements in wireless protocols and infrastructure technologies make "WLAN security" a realistic goal, not a laughable oxymoron.
"We've been forced to take [wireless] security more seriously than a lot of campuses have," says Col. Donald Welch, associate dean for information and education technology at the U.S. Military Academy at West Point. The academy recently installed a WLAN security suite and plans to offer campus-wide wireless connectivity by fall.
As West Point and thousands of other organizations are now discovering, WLANs can be made secure if you're smart about how you integrate wireless with your wired enterprise, leverage your existing security tools and select the right security technologies--from basic 802.11 security to VPNs to solutions based on the new generation of wireless authentication/encryption protocols. As with any technology, the trick then is to monitor your network's health to keep it safe.
The perils awaiting unprotected WLANs are many. Wireless traffic is easily recorded. Passive eavesdroppers can gather proprietary information, logins, passwords, intranet server addresses, and valid network and station addresses. Intruders can steal Internet bandwidth, transmit spam, or use your network as a springboard to attack others. They can capture and modify traffic to masquerade as you, with financial or legal consequences. Even a low-tech attacker can disrupt your business by launching wireless packet floods against your APs, nearby servers, next-hop wired network or Internet uplink.
Fortunately, these risks are not yet heavily exploited. Jupiter Media Research recently reported that 26 percent of surveyed businesses had experienced at least one type of WLAN attack in the past year. However, most of these incidents were problems waiting to happen: rogue APs, stations associating with the wrong AP and war driving. Serious security breaches--like wired network intrusion, theft of confidential data and forgery--were far less common, according to the survey.
In short, early adopters have been lucky. The cost of downtime and cleanup can be an order of magnitude greater than the cost of prevention. Now is the time to start playing catch-up with WLAN security.
Step One: Policy
If you don't know what you're defending and why, your security measures are just shots in the dark. It's critical to identify business assets that must be protected and the impact of damage, theft or loss.
For wireless, as with dial-up and DSL, your policy should define access requirements. Who needs access to what and when? If your company already has a remote access policy for travelers and telecommuters, expand it to incorporate wireless. If you have no such policy, create one. Remember to include scenarios that are unique to wireless, like employees at public hot spots (see "Hot Spots Give Security Managers the Chills") or office visitors.
Consider how wireless changes the rules for office visitors. Few companies offer Ethernet access to visiting customers or business partners. Jacks in public areas are typically disabled or latched to known addresses. But wireless laptops and PDAs can easily associate with nearby APs or other wireless stations. This is both a threat and an opportunity. Security policies should define rules for "walled garden" guest access. For example, you may prohibit peer-to-peer networking while permitting logged guest sessions through specific APs with limited destinations, protocols, duration and bandwidth. If guest access is banned, your policy must state this so that steps can be taken to prevent visitor intrusion.
Once assets have been identified, enumerate threats and quantify risks. Security is always a balancing act, weighing risk against cost. After this foundation has been established, you can begin to consider WLAN implementation alternatives.
Before you plot out access point deployment, conduct a site survey using a WLAN discovery tool such as NetStumbler. What you learn might surprise you. According to a recent Gartner report, at least one in five companies find APs deployed without IT department permission. Commodity pricing, retail distribution and setup wizards have made it trivial for employees to install rogue APs, which can expose corporate assets to outsiders and interfere with WLAN performance. Find and eliminate rogue APs from the start--or safely incorporate them into your wireless network design.
Site surveys also turn up unauthorized workstations. Create an inventory of laptops and PDAs with wireless adapters, documenting user, MAC address and operating system. This will be used to implement WLAN access controls. And you'll find an up-to-date list is essential when WLAN adapters are lost or stolen.
You may find nearby APs and stations that don't belong to you. Survey public areas (parking lots, hallways, lobbies) just beyond the physical boundaries of your facility, including upstairs and downstairs. Neighboring MAC addresses should be recorded, along with network name (SSID) and channel. This list will be used to avoid cross-channel interference and eliminate false-positive intrusion alerts.
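One way to turn a survey export into a list of radios that need a physical hunt, as an added example (not code from the article or from NetStumbler): each AP heard is checked against the deployment inventory and the recorded neighbor list, so that our own APs that have drifted from policy, unknown radios advertising our SSID, and strong unknown signals each get a different verdict. The CSV rows, the inventory, the neighbor list and the -65 dBm "inside the building" threshold are all constructed assumptions.

```python
"""Triage a site-survey export against the AP inventory and neighbor list.

Added example, not from the article or any discovery tool. The CSV columns
mimic what a tool such as NetStumbler exports, but the rows, the inventory,
the neighbor list and the -65 dBm "inside the building" threshold are
constructed assumptions for illustration.
"""
import csv
import io

# Constructed survey export. bssid is the AP's MAC address.
SCAN_CSV = """ssid,bssid,channel,signal_dbm,encryption
corp-wlan,00:40:96:a1:b2:c3,1,-48,wep
corp-wlan,00:40:96:a1:b2:c4,6,-55,none
corp-wlan,00:0c:41:11:22:33,11,-42,none
linksys,00:06:25:de:ad:01,6,-50,none
acme-guest,00:02:2d:77:88:99,11,-61,none
neighbor-net,00:90:4b:55:66:77,1,-78,wep
default,00:30:bd:01:02:03,11,-82,none
"""

# Deployment plan: what each of our APs is supposed to advertise.
AUTHORIZED = {
    "00:40:96:a1:b2:c3": {"ssid": "corp-wlan", "channel": 1, "encryption": "wep"},
    "00:40:96:a1:b2:c4": {"ssid": "corp-wlan", "channel": 6, "encryption": "wep"},
    "00:02:2d:77:88:99": {"ssid": "acme-guest", "channel": 11, "encryption": "none"},
}
# Neighbors recorded on the first survey, so they do not trip alerts later.
KNOWN_NEIGHBORS = {"00:90:4b:55:66:77"}
# Louder than this and the radio is probably on our premises, not next door.
INSIDE_THRESHOLD_DBM = -65


def classify(scan_csv=SCAN_CSV, authorized=AUTHORIZED, neighbors=KNOWN_NEIGHBORS):
    """Return {bssid: verdict} for every AP heard during the survey."""
    our_ssids = {ap["ssid"] for ap in authorized.values()}
    verdicts = {}
    for row in csv.DictReader(io.StringIO(scan_csv)):
        bssid = row["bssid"].lower()
        seen = {"ssid": row["ssid"], "channel": int(row["channel"]),
                "encryption": row["encryption"]}
        signal = int(row["signal_dbm"])
        if bssid in authorized:
            # Ours: compare every planned attribute against what is on the air.
            drift = [k for k, v in authorized[bssid].items() if seen[k] != v]
            verdicts[bssid] = "ok" if not drift else "misconfigured:" + ",".join(drift)
        elif bssid in neighbors:
            verdicts[bssid] = "known-neighbor"
        elif seen["ssid"] in our_ssids:
            # Unknown radio advertising our network name: evil twin or rogue.
            verdicts[bssid] = "rogue:spoofs-our-ssid"
        elif signal > INSIDE_THRESHOLD_DBM:
            verdicts[bssid] = "rogue:unknown-inside"
        else:
            verdicts[bssid] = "unknown-outside:record-as-neighbor"
    return verdicts


def rogues(verdicts):
    """BSSIDs that need a physical hunt, sorted by BSSID."""
    return sorted(b for b, v in verdicts.items() if v.startswith("rogue:"))


if __name__ == "__main__":
    result = classify()
    for bssid, verdict in result.items():
        print(f"{bssid}  {verdict}")
    print("to locate:", rogues(result))
```

Run it again after each survey and diff the verdicts: a BSSID that moves from "unknown-outside" to "unknown-inside" has either moved or been re-pointed at you.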
Consider getting APs with high-grade antennas that produce strong yet tight signals. These provide focused connectivity for your users. At the same time, their narrow focus means the signals are less likely to spill out into the street, where a war driver can capture and exploit them.
WLAN Meets LAN
Consider how new WLAN segments will be integrated with and reuse components of your wired infrastructure. Your network topology, device placement and current security measures all have direct impact on wireless LAN security.
Restrict AP placement in your network topology. Wireless applications require protected access to the intranet and/or Internet, affecting routers, firewall rules and VPN policies. Wireless APs are untrusted entities and should always sit outside the firewall or within a DMZ--never inside the firewall.
Think in terms of a three-interface firewall--intranet on the inside, APs (and other public servers) on the DMZ, and Internet on the outside interface. Circumstances dictate whether your APs should sit on the DMZ or outside.
A DMZ can protect the WLAN from Internet threats while protecting the wired intranet from WLAN threats. If, for example, your firewall doesn't let VPN tunnels originate in the DMZ, you may need to place your AP on the outside interface instead.
AP security capabilities vary greatly. Entry-level APs are essentially "dumb" hubs, bridging wireless and wired segments. Enterprise-grade APs, such as Cisco Systems' Aironet 1200 series and Proxim's ORiNOCO AP-2000 are like managed switches, offering security features like 802.1X port access control (more on this a bit later). A few "smart" APs, such as Colubris' CN1000 and Madge's Smart Wireless Access Point serve as VPN gateways.
Accordingly, your choice of AP will impact your WLAN topology (see "Alternative WLAN Network Topologies," below):
- Firewalls can provide both access control and VPN termination. If existing firewalls have spare capacity, they may be leveraged to secure your new WLAN.
- However, WLANs require more bandwidth per user than v.90 or even residential broadband. Smart APs can offload VPN processing, placing fewer demands on the firewall.
- Another option is to concentrate access at a new type of device: a gateway tailored for wireless LANs. Wireless stations usually have DHCP-assigned addresses, so packet inspection needs to occur at both the MAC address and user levels. WLAN gateways, such as those from Bluesocket, Vernier and ReefEdge, enforce scalable policies based on groups of users/stations rather than source IP. They may also provide SSL portals for visitor login or VPN tunnel persistence when stations roam from one AP to another. Specialized WLAN gateways complement, but don't replace, general-purpose Internet firewalls.
After entering the wired network, wireless traffic should be segregated so that different policies can be applied. Intranet servers, edge routers and bandwidth managers can be updated to filter on subnet(s) assigned to your WLAN. Even when addresses are hidden behind Network Address Translation (NAT), Virtual LAN (VLAN) tags can be used to avoid broadcasting wireless traffic throughout your Intranet.
Leverage existing security. In addition to firewalls and VPNs, the WLAN will be required to fit within your existing security infrastructure. Consider these points in making it all work together:
- Access control lists on intranet servers and routers can block connections from the WLAN--or may need to be extended to allow the WLAN connections.
- DHCP servers can be reused to supply WLAN addresses. Since WLANs aren't inherently trustworthy, reservations can bind IPs to known MAC addresses. This isn't foolproof or highly scalable, so be selective. For example, reserve AP and server addresses.
- Creating a new user list for your WLAN--even a small one--introduces yet another database to maintain. Seek solutions that leverage existing user/device credentials and authentication databases. Make sure your WLAN authentication scheme doesn't put existing authentication credentials at risk.
- Wireless adapters create new avenues of attack. Reuse desktop security measures like personal firewalls, AV scanners and file encryption to harden stations. PDAs may require different software but shouldn't be overlooked.
Integrate wireless networks and devices with existing management infrastructure. Determine if APs, stations and WLAN software should be inventoried, configured and monitored by solutions already in place and if new wireless management tools feed your existing supervisory systems.
Enterprise-grade APs and wireless gateways can often be remotely provisioned by SNMP network managers. Some AP vendors such as Cisco, Proxim and Symbol supply wireless network managers or network management system plug-ins. Third-party wireless policy management systems are starting to emerge (more on these later).
Wireless APs and gateways may generate SNMP traps or send Syslog messages, feeding log servers and analysis tools that already monitor wired networks. But WLANs have their own reporting needs, too. Enterprises may need to audit user activity; hot spot providers must record sessions to feed billing systems and generate revenue.
RADIUS access requests sent by 802.1X, VPNs and SSL portals can help. Devices sold to the ISP market are more likely to generate RADIUS accounting records.
802.11 Security: Just the Basics
You have an increasing choice of options for authentication and encryption, from several emerging technologies to VPNs. Depending on the size of your enterprise and the level of risk WLAN opens up, you may want to start with the security 802.11 offers out of the box.
Basic 802.11 security deters accidental association or casual eavesdropping. In most WLAN products, however, these security features are disabled by default. Disabled means the WLAN operates in "open system" mode: any station that knows the network's Service Set Identifier (SSID), or learns it by capturing the beacon frames APs broadcast, can join.
The 802.11 standard's security is composed of authentication and encryption. When shared-key authentication is enabled, stations can associate with the AP only if they have a 40- or 104-bit key (marketed as 64- or 128-bit, counting the 24-bit initialization vector) known to both parties. When Wired Equivalent Privacy (WEP) is enabled, the same key is fed into the RC4 cipher to encrypt data frames. Only stations that possess the shared key can join the WLAN, but the same key decrypts frames transmitted by every other station. If your policy requires authentication of individual stations, or confidentiality beyond the air link, you must adopt other measures.
Configuring a hard-to-guess SSID makes neighbors less likely to mistake your WLAN for their own. Stations running Windows XP automatically join any discovered network by default. Enabling shared-key authentication prevents this. Using WEP is like locking your office desk. Motivated intruders can jimmy a low-grade lock. Given enough data, a persistent attacker can use freeware tools to crack WEP. Nevertheless, these can be your first line of defense. Small business and home networks should always use them; enterprises may opt for higher-level measures. The 802.1X standard addresses the need for more robust authentication, and the 802.11i standard's Temporal Key Integrity Protocol (TKIP) provides for more robust encryption.
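To make the two preceding paragraphs concrete, and to show what the per-packet keys and message integrity check in the Wi-Fi Protected Access section are there to fix, here is an added example (not code from the article) of WEP as the 1999 standard defines it: RC4 keyed with the 24-bit IV prepended to the shared key, and a CRC-32 integrity check value (ICV). It demonstrates that any holder of the shared key reads every station's frames, that two frames sent under the same IV share a keystream so an outsider with no key learns the XOR of their plaintexts (and the whole second frame if the first is predictable), and that the linear CRC lets a captured frame be altered and its ICV repaired without the key. The 40-bit key, the IV, the station traffic and the message contents are constructed.

```python
"""WEP as specified in 802.11-1999: RC4 keyed with IV || shared key, CRC-32 ICV.

Added example, not code from the article. It shows three consequences of the
design described above: every holder of the shared key can read every frame,
a repeated 24-bit IV reuses the RC4 keystream, and the linear CRC-32 ICV lets a
frame be altered without the key. The 40-bit key, IV, station traffic and
message contents are constructed for illustration.
"""
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling, then XOR data with the generated stream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: little-endian CRC-32 of the plaintext."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Frame body: IV (3 bytes, sent in clear) + key-ID byte + RC4(IV||key, data||ICV)."""
    assert len(iv) == 3 and 0 <= key_id < 4
    return iv + bytes([key_id << 6]) + rc4(iv + shared_key, plaintext + icv(plaintext))


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    """Any station holding the shared key can do this to any frame."""
    clear = rc4(frame[:3] + shared_key, frame[4:])
    plaintext, received_icv = clear[:-4], clear[-4:]
    if received_icv != icv(plaintext):
        raise ValueError("ICV mismatch")
    return plaintext


def xor_of_plaintexts(frame_a: bytes, frame_b: bytes) -> bytes:
    """No key needed: same IV means same keystream, so C_a ^ C_b == P_a ^ P_b.
    Covers the payload of the shorter frame (4-byte header and 4-byte ICV excluded)."""
    assert frame_a[:3] == frame_b[:3], "different IVs, no keystream reuse"
    n = min(len(frame_a), len(frame_b)) - 8
    return bytes(a ^ b for a, b in zip(frame_a[4:4 + n], frame_b[4:4 + n]))


def decrypt_via_known_plaintext(known_frame: bytes, known_text: bytes, target: bytes) -> bytes:
    """No key needed: recover keystream bytes from one frame whose content is
    predictable, then strip them from another frame sent under the same IV."""
    assert known_frame[:3] == target[:3]
    keystream = bytes(c ^ p for c, p in zip(known_frame[4:], known_text))
    return bytes(c ^ k for c, k in zip(target[4:], keystream))


def forge_without_key(frame: bytes, delta: bytes) -> bytes:
    """Flip chosen plaintext bits in a captured frame and repair the ICV blind.
    CRC-32 is affine: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros). RC4 is XOR,
    so the same corrections applied to the ciphertext survive decryption."""
    header, body = frame[:4], frame[4:]
    data, enc_icv = body[:-4], body[-4:]
    assert len(delta) == len(data)
    fix = zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))
    new_data = bytes(c ^ d for c, d in zip(data, delta))
    new_icv = bytes(c ^ f for c, f in zip(enc_icv, struct.pack("<I", fix & 0xFFFFFFFF)))
    return header + new_data + new_icv


# Constructed inputs: a 40-bit shared key and two stations that reuse an IV.
KEY = bytes.fromhex("0badc0ffee")
IV = b"\x01\x02\x03"
TEXT_A = b"GET /payroll HTTP/1.0\r\n"
TEXT_B = b"password=hunter2&user=bob"


def demo():
    frame_a = wep_encrypt(KEY, IV, TEXT_A)
    frame_b = wep_encrypt(KEY, IV, TEXT_B)   # only 2^24 IVs exist, so repeats are inevitable
    leak = xor_of_plaintexts(frame_a, frame_b)
    recovered = decrypt_via_known_plaintext(frame_a, TEXT_A, frame_b)
    # Turn "payroll" (offset 5, 7 bytes) into "private" and leave the rest alone.
    delta = bytes(5) + bytes(a ^ b for a, b in zip(b"payroll", b"private")) + bytes(len(TEXT_A) - 12)
    forged = wep_decrypt(KEY, forge_without_key(frame_a, delta))
    return leak, recovered, forged


if __name__ == "__main__":
    leak, recovered, forged = demo()
    print("P_a ^ P_b:", leak.hex())
    print("recovered:", recovered)
    print("forged   :", forged)
```

The forged frame passes the receiver's ICV check, which is the forgery TKIP's keyed MIC is designed to stop; the keystream reuse is what TKIP's per-packet key mixing is designed to stop.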
Many APs can be configured with a list of MAC addresses to allow or block. But MAC addresses can be forged. To address this, IEEE 802.1X provides a standard, multivendor framework for combining port-level access control with some type of authentication.
802.1X applies the Extensible Authentication Protocol (EAP) to LANs--wired and wireless--defining messages to be exchanged between LAN stations (supplicants), APs (authenticators) and backend authentication servers. Think of 802.1X as an on/off switch that blocks everything but EAP until the authentication server accepts the supplicant's access request. Encryption keys are supplied dynamically to authorized stations on a per-session basis.
EAP is an envelope that supports many different kinds of authentication. Deploying 802.1X requires adopting one or more EAP methods:
- Cisco's Lightweight EAP (LEAP) uses mutual password authentication between the station and AP. Because LEAP's challenge/response isn't encrypted, it's vulnerable to offline dictionary attacks.
- EAP-TLS requires mutual certificate authentication between stations and servers. EAP is protected from eavesdropping by a TLS tunnel. The price paid for tighter security is a certificate on every station.
- EAP-TTLS and Protected EAP (PEAP) authenticate servers by certificate and stations by passwords, made safe by tunneling over TLS. Logins known to your RADIUS server, Active Directory or domain controller can be reused by 802.1X to simplify WLAN deployment.
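The "on/off switch" behaviour described above, and the reason a forged MAC address is not enough to get through it, as an added example (not code from the article or from any vendor): a supplicant, an authenticator and an authentication server exchange an identity, a challenge and a response; the AP's controlled port stays closed to everything but EAPOL until the server says EAP-Success, after which data is accepted from that MAC only when it is protected by the session key the exchange produced. The EAP method here is a hypothetical HMAC challenge/response standing in for a real one, and the user database, MAC addresses and key derivation are constructed.

```python
"""Model of 802.1X on an AP: supplicant, authenticator, authentication server.

Added example, not from the article or any vendor. The roles and the port
behaviour (only EAPOL passes until the server accepts, then a per-session key
is delivered) follow the standard; the EAP method is a hypothetical HMAC
challenge/response standing in for a real one, and the user database, MAC
addresses and key derivation are constructed for illustration.
"""
import hashlib
import hmac
import os

USER_DB = {"alice": b"correct horse", "bob": b"battery staple"}   # constructed


def derive_session_key(secret: bytes, nonce: bytes) -> bytes:
    """Both ends derive the same key; a real server returns it in Access-Accept."""
    return hashlib.sha256(b"session-key" + secret + nonce).digest()[:16]


class AuthServer:
    """RADIUS-like backend: verifies the EAP response, yields the session key."""
    def __init__(self, users):
        self.users, self.pending = users, {}

    def challenge(self, identity: str) -> bytes:
        nonce = os.urandom(16)
        self.pending[identity] = nonce
        return nonce

    def verify(self, identity: str, response: bytes):
        nonce, secret = self.pending.pop(identity, None), self.users.get(identity)
        if nonce is None or secret is None:
            return None
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return derive_session_key(secret, nonce) if hmac.compare_digest(expected, response) else None


class Supplicant:
    """Station-side 802.1X client."""
    def __init__(self, identity: str, secret: bytes, mac: str):
        self.identity, self.secret, self.mac, self.session_key = identity, secret, mac, None

    def respond(self, nonce: bytes) -> bytes:
        self.session_key = derive_session_key(self.secret, nonce)
        return hmac.new(self.secret, nonce, hashlib.sha256).digest()

    def data_frame(self, payload: bytes):
        # The tag stands in for encryption under the per-session key.
        tag = None if self.session_key is None else hmac.new(self.session_key, payload, hashlib.sha256).digest()
        return self.mac, "DATA", payload, tag


class Authenticator:
    """AP port. The uncontrolled port relays EAPOL; the controlled port opens per MAC
    only after EAP-Success, and only for frames protected by that session's key."""
    def __init__(self, server: AuthServer):
        self.server, self.authorized, self.dropped = server, {}, []

    def authenticate(self, supplicant: Supplicant) -> str:
        identity = supplicant.identity                 # EAP-Request/Response Identity
        nonce = self.server.challenge(identity)        # relayed to the station as EAP-Request
        response = supplicant.respond(nonce)           # EAP-Response, relayed to the server
        key = self.server.verify(identity, response)
        if key is None:
            return "EAP-Failure"
        self.authorized[supplicant.mac] = key          # port authorized, key delivered
        return "EAP-Success"

    def forward(self, mac: str, frame_type: str, payload: bytes = b"", tag=None) -> str:
        if frame_type == "EAPOL":
            return "forwarded"                         # always allowed: it is how you log in
        key = self.authorized.get(mac)
        if key is None or tag is None or not hmac.compare_digest(tag, hmac.new(key, payload, hashlib.sha256).digest()):
            self.dropped.append((mac, frame_type))
            return "dropped"
        return "forwarded"


def scenario():
    """Legitimate station versus an intruder who forges her MAC address and identity."""
    ap = Authenticator(AuthServer(USER_DB))
    alice = Supplicant("alice", USER_DB["alice"], "00:11:22:33:44:55")
    mallory = Supplicant("alice", b"not alices password", "00:11:22:33:44:55")
    results = {}
    results["alice data before auth"] = ap.forward(*alice.data_frame(b"GET /intranet"))
    results["alice EAP"] = ap.authenticate(alice)
    results["alice data after auth"] = ap.forward(*alice.data_frame(b"GET /intranet"))
    results["mallory EAP"] = ap.authenticate(mallory)
    results["mallory data (spoofed MAC)"] = ap.forward(*mallory.data_frame(b"GET /intranet"))
    return results


if __name__ == "__main__":
    for step, outcome in scenario().items():
        print(f"{step:28s} {outcome}")
```

A MAC address list on the AP would have admitted the second station outright. Note that without the per-session key check in forward(), a station that copied an authorized MAC after the real user logged in would also get through, which is why dynamic key delivery matters as much as the authentication itself.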
Microsoft shipped 802.1X/EAP-TLS in Windows XP, added it to Windows 2000, and makes client software available to supported Windows NT/ME/98 customers. Enterprises that only need Win32 and already use client certificates should seriously consider 802.1X/EAP-TLS. An Open1X 802.1X/EAP-TLS supplicant runs on Linux and Free/OpenBSD.
RADIUS vendors Funk Software and Meetinghouse supply EAP-TTLS supplicants. Microsoft recently added PEAP to Win32 802.1X supplicants. Neither method is standard, which raises concerns about interoperability and stability.
Moreover, EAP-TTLS and PEAP aren't foolproof. If the supplicant doesn't verify the server's certificate, or the user accepts whatever certificate is presented, a rogue AP with its own authentication server can stand in for yours, and the station can be tricked into sending its identity or credentials without the protection of a TLS tunnel to your server. A man-in-the-middle attack can intercept and use these values to access your WLAN. Configure supplicants to validate the server certificate against a trusted CA and to accept only your authentication server's name.
Wi-Fi Protected Access
Wi-Fi is the brand given to 802.11 products certified by the Wi-Fi Alliance, a consortium organized to promote 802.11 products and interoperability among them. Wi-Fi Protected Access (WPA) is a security enhancement for current-generation WLAN hardware. WPA incorporates just the stable parts of the 802.11i advanced security standard, which is still a work in progress. WPA products can interoperate with the older WEP products.
WPA defines TKIP, which derives keys by mixing a base key with the transmitter's MAC address. An initialization vector is mixed with that key to generate per-packet keys. This stops WEP-crackers from comparing frames encrypted with the same key. WPA also includes a Message Integrity Check (MIC) to prevent data forgery.
Enterprises should use WPA with 802.1X for key delivery and refresh. Organizations using WEP should apply certified WPA firmware as soon as upgrades become available. The final 802.11i standard will add AES-based encryption (CCMP) for more robust security using next-generation hardware, but that will be a forklift rather than firmware upgrade.
If your company already has a remote access VPN, consider using it for WLAN security. Reuse makes the most sense when security policy is consistent for WAN and LAN access--the same credentials can be used for authentication; the same encryption algorithms can be used for confidentiality.
However, WLANs present their own set of VPN issues:
- There is more data to encrypt on a high-speed WLAN. Additional gateways may be needed to support wireless encryption, particularly when using 802.11a/g at link speeds up to 54 Mbps.
- Tunnels are bound to IP addresses. WLAN stations roam between APs, changing IP address. Broken tunnels can be reestablished, but service disruption is often noticeable. In smaller WLANs, several APs can share the same DHCP scope. VLANs can help, up to a point. In larger WLANs, wireless gateways can provide tunnel persistence when stations roam.
- Client deployment can be costly and difficult to mandate. Reusing deployed clients is one thing, adding new clients and policies quite another.
VPN tunnels, WEP/TKIP and 802.1X address different problems. Consider a business partner using a guest WLAN. A tunnel controls access to the visitor's own network; 802.1X controls access to the guest WLAN. A tunnel prevents eavesdropping from end to end; WEP/TKIP prevents eavesdropping on the air link only.
The many facets of wireless
When considering wireless, it's important to realize that there are many kinds of wireless technologies, aimed at different devices and usage environments:
Wireless Personal Area Networks (WPANs) use very short-range wireless technology to replace cables connecting PCs with peripherals, phones with headsets, etc. The most popular WPAN is Bluetooth (IEEE 802.15), which reaches about 30 feet, at speeds up to 780 Kbps.
Wireless Local Area Networks (WLANs) use short-range wireless to reach at least 300 feet, at speeds up to 11 Mbps (IEEE 802.11b) and 54 Mbps (802.11a/g). WLANs connect computers (desktops, laptops, PDAs and Pocket PC-enabled phones) to each other and to adjacent networks via wireless access points or gateways.
Wireless Metropolitan Area Networks (WMANs) use very high-speed wireless for site-to-site connections, for example a five-mile point-to-point uplink from a subscriber's office to a service provider's network access center. WMAN technologies include LMDS, MMDS and IEEE 802.16 fixed broadband wireless.
Wireless Wide Area Networks (WWANs) are long-range radio networks that deliver mobile voice and data to subscriber devices like cellphones, pagers, smart phones, voice-enabled PDAs and Blackberries. Older technologies like GSM, TDMA and CDMA deliver circuit-switched data at 9.6-14.4 Kbps. Newer technologies like 1xRTT, GPRS and EDGE now deliver packet-switched data at speeds similar to v.90, but have theoretical limits of 144-473 Kbps.
Today, very few devices have more than one kind of wireless radio, but users increasingly need both. For example, a PDA may reach the Internet over 802.11 at the office but needs GPRS when traveling. Manufacturers are working on dual-mode chipsets so devices can roam from one kind of wireless to another, but such devices won't hit the market for at least a year.
Travelers using guest WLANs and hot spots should use VPNs to protect themselves, no matter what local measures are employed by the visited network.
Portals and 'Mobile VPNs'
Portals frequently control access to public hot spots and guest networks (wired or wireless). Outbound HTTP requests are redirected to a login page, where the user authenticates via SSL before access is granted to the network.
SSL portals are great for heterogeneous WLANs in which client software (VPN, 802.1X, TKIP) can't be dictated. Login can be accomplished with any browser, without preconfigured credentials or keys. But portals don't encrypt data; they only provide secure authentication.
Enterprise networks may combine portal login with WEP/TKIP. Like 802.1X, portals let stations authenticate securely with legacy credentials and existing user databases. Unlike 802.1X, portals make users launch a browser to conduct authentication and don't deliver keys. 802.1X is more transparent, but requires configured supplicant software. Your choice will depend on what you already have, what you must add, and how you will maintain it.
Another option, "mobile VPNs," is gaining popularity because these are clientless, using standard browsers. They protect more than the login--they proxy data over an SSL/TLS tunnel. Mobile VPN products from vendors such as NetMotion and Columbitech are tuned for wireless, including optimization for low-speed cellular, WAN/LAN roaming and session persistence during brief network interruptions.
On the other hand, mobile VPN servers can be vulnerable to denial-of-service attacks, and software installed on general-purpose computing platforms raises hardening and scalability issues. Nonetheless, if you don't have a remote access VPN, consider mobile VPNs as a wireless security alternative.
Use your security policy to choose the most appropriate solution. When policy requires secure WLAN access to an entire network, some kind of tunneling is indicated. When policy requires secure WLAN access to the user's own desktop, screen sharing (e.g., GoToMyPC, pcAnywhere, VNC over SSH) is a better fit. When policy requires secure WLAN access to just one or two applications, secure application protocols (secure e-mail, secure file transfer, SSL-protected Web GUIs) may be sufficient.
Hot spots give security managers the chills
For several years, road warriors have used Internet cafés to check e-mail. Wireless hot spots make this more convenient. Workers use hot spots to make productive use of time spent waiting in airports and hotel lobbies.
Hot spots are found in 1.67 million access locations across the United States. With cellular carriers buying their way into the hot spot market, things are likely to change. By 2007, Analysis Research predicts 21 million people in the U.S. will use hot spots. Cometa Networks (an AT&T, IBM Global Services and Intel partnership) wants to make wireless connectivity ubiquitous by building a national hot spot network, placing APs within a five-minute walk in cities and a five-minute drive elsewhere.
That's the good news. The bad news is that these hot spots are putting your company's assets at risk. It's never been easier to spy on fellow travelers.
Hot spots are inherently open. The easier it is to get online, the more likely visitors will pay for the service. Most hot spots are gated by SSL portals that collect subscriber identity and payment information. When it comes to privacy, customers are usually on their own.
Your company should create acceptable use policies for employees who use hot spots. Such policies may ban file sharing and dictate installing personal firewall and VPN client software, practices common for Internet remote access. New rules may be needed. For example, can workers log into the SSL portal before launching their VPN client? Hot spots are definitely one case where an ounce of prevention is worth a pound of cure.
Keeping Your WLAN Safe
Like any other network segment, WLANs require configuration and monitoring. You can reuse existing infrastructure, and you certainly want WLAN management to fit within your overall network management scheme. However, you'll still need some specialized tools to maintain wireless security (see "Sniffing the Air for Trouble").
WLAN discovery and vulnerability assessment: War drivers try to find unprotected APs, but IT staff can use some of their tools for WLAN discovery, penetration testing and vulnerability assessment.
Discovery tools should be used during site surveys and periodically thereafter to detect rogue APs and unauthorized peer-to-peer connections.
Penetration test and vulnerability assessment tools such as AirMagnet's Handheld Analyzer and Internet Security Systems' Wireless Scanner should also be used on a regular basis. WLAN traffic can be captured and analyzed for suspicious behavior. For example, excessive disassociation (disconnect) frames, repeated EAP handshaking or WEP errors suggest attack. Stations or APs in open-system mode or without WEP can be flagged as policy violations. Pen testers can probe APs and gateways to see whether Telnet, SNMP or other ports are open to WLAN attack. Tools can also create baseline reports against which to compare future results, so that changes can be investigated and new problems remedied.
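The symptoms listed above turned into detection rules, as an added example (not code from the article or from either product): a sliding window counts deauthentication/disassociation frames, EAPOL-Start retries and WEP/ICV errors per source, while beacons from corporate APs with privacy off and unencrypted data frames to corporate APs are flagged as policy violations. The log format (epoch seconds, frame subtype, source MAC, BSSID, flag), every line in it, the window and the thresholds are constructed assumptions to be tuned against your own baseline.

```python
"""Flag the attack symptoms named above in a WLAN frame log.

Added example, not from the article or any IDS product. The log format (epoch
seconds, frame subtype, source MAC, BSSID, flag) and every line in it are
constructed; the window and per-subtype thresholds are illustrative
assumptions to tune against your own baseline.
"""
import collections

# Constructed capture summary, one frame per line.
LOG = """\
1053000000 BEACON 00:40:96:a1:b2:c3 00:40:96:a1:b2:c3 privacy=1
1053000000 BEACON 00:40:96:a1:b2:c4 00:40:96:a1:b2:c4 privacy=0
1053000001 DATA 00:11:22:33:44:55 00:40:96:a1:b2:c3 wep
1053000002 DEAUTH 00:0c:41:11:22:33 00:40:96:a1:b2:c3 -
1053000003 DEAUTH 00:0c:41:11:22:33 00:40:96:a1:b2:c3 -
1053000004 DEAUTH 00:0c:41:11:22:33 00:40:96:a1:b2:c3 -
1053000005 DEAUTH 00:0c:41:11:22:33 00:40:96:a1:b2:c3 -
1053000006 DEAUTH 00:0c:41:11:22:33 00:40:96:a1:b2:c3 -
1053000007 DEAUTH 00:0c:41:11:22:33 00:40:96:a1:b2:c3 -
1053000010 EAPOL_START 00:30:bd:aa:bb:cc 00:40:96:a1:b2:c3 -
1053000012 EAPOL_START 00:30:bd:aa:bb:cc 00:40:96:a1:b2:c3 -
1053000014 EAPOL_START 00:30:bd:aa:bb:cc 00:40:96:a1:b2:c3 -
1053000016 EAPOL_START 00:30:bd:aa:bb:cc 00:40:96:a1:b2:c3 -
1053000020 WEP_ERR 00:30:bd:aa:bb:cc 00:40:96:a1:b2:c3 bad-icv
1053000021 WEP_ERR 00:30:bd:aa:bb:cc 00:40:96:a1:b2:c3 bad-icv
1053000030 DATA 00:06:25:de:ad:01 00:40:96:a1:b2:c4 plaintext
1053000300 DEAUTH 00:40:96:a1:b2:c3 00:11:22:33:44:55 -
"""

CORP_BSSIDS = {"00:40:96:a1:b2:c3", "00:40:96:a1:b2:c4"}
WINDOW_S = 60
# Frames of this subtype from one source inside the window before we alert.
THRESHOLDS = {"DEAUTH": 5, "DISASSOC": 5, "EAPOL_START": 4, "WEP_ERR": 3}
LABELS = {"DEAUTH": "deauthentication flood", "DISASSOC": "disassociation flood",
          "EAPOL_START": "repeated EAP handshaking", "WEP_ERR": "WEP/ICV errors"}


def parse(log: str):
    """One (ts, subtype, src, bssid, flag) tuple per line, in time order."""
    events = []
    for line in log.splitlines():
        if line.strip():
            ts, subtype, src, bssid, flag = line.split()
            events.append((int(ts), subtype, src.lower(), bssid.lower(), flag))
    return sorted(events)


def analyze(log: str = LOG):
    """Return (label, offending MAC) alerts, each fired at most once."""
    alerts, fired = [], set()
    recent = collections.defaultdict(collections.deque)

    def fire(label, who):
        if (label, who) not in fired:
            fired.add((label, who))
            alerts.append((label, who))

    for ts, subtype, src, bssid, flag in parse(log):
        if subtype in THRESHOLDS:
            window = recent[(subtype, src)]
            window.append(ts)
            while ts - window[0] > WINDOW_S:       # slide: forget old timestamps
                window.popleft()
            if len(window) >= THRESHOLDS[subtype]:
                fire(LABELS[subtype], src)
        elif subtype == "BEACON" and flag == "privacy=0" and src in CORP_BSSIDS:
            fire("open-system AP", src)            # policy violation: our AP with WEP off
        elif subtype == "DATA" and flag == "plaintext" and bssid in CORP_BSSIDS:
            fire("unencrypted data", src)          # policy violation: station without WEP
    return alerts


if __name__ == "__main__":
    for label, who in analyze():
        print(f"ALERT {label}: {who}")
```

In the sample log the two WEP errors stay below threshold and the single deauthentication the AP itself sends is normal, so neither raises an alert; the same rules fire on the six-frame deauthentication burst and the four EAPOL-Start retries.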
WLAN intrusion detection: In large enterprises, some type of distributed monitoring with central collection and analysis may be necessary.
Network IDS (NIDS) provides centralized 24/7 real-time analysis in wired networks. NIDS can be leveraged to catch wired network intrusions originating from the WLAN.
However, attacks on the WLAN itself require a different solution. For example, AirDefense sensors with 802.11 interfaces capture WLAN traffic and perform data reduction. Its IDS engine uses protocol inspection, signatures, anomaly detection and policy enforcement to generate intrusion alerts. The StillSecure Border Guard from Latis Networks provides both intrusion detection and content filtering at the WLAN gateway.
Policy management: Enforcing wireless security policies, responding to frequent changes, and updating distant devices is a challenge. As 802.11 matures, enterprise WLANs will grow larger, creating a new market for wireless management systems. As previously noted, some AP and gateway vendors provide products to manage their own offerings. To appreciate what third-party management systems will offer, let's examine a few early entrants:
- AirWave's Management Platform automatically configures detected APs with network policies. Group policy changes and firmware updates can be pushed from a central point, and APs can be audited for compliance. WLAN traffic is continuously analyzed to identify and escalate performance problems in accordance with policy.
- Cirond's WLAN Manager provides proprietary WEP key distribution, location-based access control, a provisioning system for guest access and real-time location maps for active APs and stations.
- Wavelink's Mobile Manager creates and distributes WEP keys and very large enterprise-scale AP access control lists to stations and APs. Security parameters and access rules are configured on a central policy management system and pushed to devices, supported by mobile device agents and client software.
So, Don't Ban the WLAN
Despite all the dire warnings about wireless security, there are a lot of unprotected WLANs out in the world, ripe for picking. Sampling metropolitan areas on white hat war drives reveals unprotected WLANs in police stations, doctor's offices, law offices, retail stores, municipal buildings and hundreds of businesses.
But your WLAN can be secure. The trick is to apply the security measures discussed here judiciously, following careful analysis of business needs and risks. Deploying any type of network securely is always a balancing act, establishing a happy medium between security for security's sake and pragmatic protection of mission-critical assets. WLANs are no different.
About the author:
Lisa Phifer is VP at Core Competence, a consulting firm specializing in network security and management technology.