Security managers must feel like they're living in the Wild West. Weak encryption standards and uncontrolled Wi-Fi devices turn enterprises into lawless frontiers. But that's finally changing, as new security protocols arm managers with the weapons to restore law and order.
"Good hardware, excellent vendor support and proper policy--as long as you stick with it--will help minimize security risks," says Arek Alszko, IT manager for The Mad Science Group, a Canadian-based children's educational science entertainment franchise.
Alszko waited until he felt WLAN security protocols and products were ready for prime time; the dynamic key encryption and mutual authentication provided by Wi-Fi Protected Access (WPA) convinced him that wireless security was finally strong enough to meet his company's requirements.
Stronger security comes none too soon, as business imperatives for wireless deployment slam head-on into security issues, such as flawed encryption, unauthorized access and signal interruption.
"Wireless security products are finally catching up to the issues that prevented their use in security-sensitive businesses," says Rick Beaupre, director of technology at Massachusetts-based Mortgage Financial, "but there is more to wireless security than a piece of software or an appliance." To secure their WLANs, managers are using a layered approach, including strong encryption for authentication, tighter access control and IDS/IPS tools. Tough policy enforcement and configuration management round out a comprehensive WLAN security strategy.
Use Strong Authentication
WLAN authentication has been plagued by security issues: dictionary attacks to crack plaintext passwords, vulnerable WEP encryption and man-in-the-middle attacks. Rogue access points (APs) undermine efforts to control access.
The Bad Guys Take Aim
A hacker can force an unsuspecting user station to connect to an undesired or spoofed 802.11 network.
Identity Theft or MAC Spoofing
Hackers can grab SSIDs and MAC addresses to steal bandwidth, and corrupt or download files.
A hacker breaks VPN connections between authorized stations and access points by inserting a malicious station between a victim's station and an access point.
Freeware tools can launch DoS attacks against specific users, access points or all network devices. A hacker can abuse the Extensible Authentication Protocol to launch an attack against the authentication server.
Network Injection Attacks
A hacker exploits improperly configured wireless LANs or rogue access points. When the access point is attached to an unfiltered part of the network, it broadcasts multicast traffic, which can take down the network.
"It was clunky at best," says Willis.
Now, Willis is taking advantage of evolving technologies, using 802.1X authentication, dynamic keys and AES encryption. Authentication and access are controlled via a Fortress Technologies gateway appliance.
"Users can set up and go about their business wherever they are and, ultimately, be more productive at work," Willis says. "They do not have to carry around their VPN tokens."
At Mortgage Financial, regulatory requirements made access control the number one priority, while still making wireless easy for employees.
"We wanted our loan officers to be untethered to their desktop and be able to move about," says Beaupre, who has launched a WLAN covering the company's Tewksbury, Mass., headquarters and 14 branch offices, each supporting two to 25 users.
"We realized the wireless security solutions that we were trying, such as RADIUS, weren't as robust as we needed," says Beaupre. Without a single logon, users could authenticate to the RADIUS server for wired access but had to log on separately to the WLAN.
The solution was a single authentication point for wireless and wired access. Coupling wireless access points with the VPN, firewall and IDS via SonicWALL devices gave Beaupre confidence in his access control.
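The "802.1X, dynamic keys and AES" bar this section describes is something an access point advertises in every beacon, in the RSN information element (the WPA2/802.11i element). The following is an added example, not code from the article or from any vendor named in it: a parser for that element that classifies a network as open, static WEP, original WPA (TKIP), WPA2 pre-shared key or WPA2 with 802.1X, and a policy check that accepts only 802.1X with AES-CCMP. The element layout and suite selectors are the real IEEE 802.11 ones; the beacon bytes and the SSID "corp" are constructed for the example.

```python
"""Classify an 802.11 network's security from its beacon information elements.

Added example (not from the article): mirrors the "802.1X + dynamic keys + AES"
policy the text describes. Element layout follows IEEE 802.11; sample bytes are
constructed.
"""
import struct

RSN_ELEMENT_ID = 0x30          # WPA2 / 802.11i "RSN" element
VENDOR_ELEMENT_ID = 0xDD       # original WPA lives in a vendor element
WPA1_PREFIX = b"\x00\x50\xf2\x01"   # Microsoft OUI + type 1 = WPA1
IEEE_OUI = b"\x00\x0f\xac"

# Cipher suite selectors (OUI 00-0F-AC + type)
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104"}
# Authentication and key management (AKM) selectors
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 5: "802.1X-SHA256", 8: "SAE"}


def elements(ies: bytes):
    """Yield (element_id, body) over a tagged-parameter list; stop on truncation."""
    pos = 0
    while pos + 2 <= len(ies):
        eid, length = ies[pos], ies[pos + 1]
        body = ies[pos + 2 : pos + 2 + length]
        if len(body) < length:
            return              # truncated frame: refuse to guess
        yield eid, body
        pos += 2 + length


def _suite(selector: bytes, table: dict) -> str:
    """Map a 4-byte suite selector to a name; unknown OUIs are reported, not assumed."""
    if len(selector) != 4 or selector[:3] != IEEE_OUI:
        return "vendor:" + selector.hex()
    return table.get(selector[3], f"unknown:{selector[3]}")


def parse_rsn(body: bytes) -> dict:
    """Decode version, group cipher, pairwise cipher list and AKM list from an RSN body."""
    (version,) = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    group = _suite(body[2:6], CIPHERS)
    pos = 6
    (n_pair,) = struct.unpack_from("<H", body, pos)
    pos += 2
    pairwise = [_suite(body[pos + 4 * i : pos + 4 * i + 4], CIPHERS) for i in range(n_pair)]
    pos += 4 * n_pair
    (n_akm,) = struct.unpack_from("<H", body, pos)
    pos += 2
    akm = [_suite(body[pos + 4 * i : pos + 4 * i + 4], AKMS) for i in range(n_akm)]
    return {"group": group, "pairwise": pairwise, "akm": akm}


def classify(ies: bytes, privacy_bit: bool) -> str:
    """Return a label for the strongest security the beacon advertises.

    privacy_bit is the Privacy bit from the beacon's capability field: set with
    no RSN/WPA element means static WEP.
    """
    rsn, wpa1 = None, False
    for eid, body in elements(ies):
        if eid == RSN_ELEMENT_ID and rsn is None:
            rsn = body
        elif eid == VENDOR_ELEMENT_ID and body[:4] == WPA1_PREFIX:
            wpa1 = True
    if rsn is None:
        if wpa1:
            return "WPA1"
        return "WEP" if privacy_bit else "OPEN"
    info = parse_rsn(rsn)
    enterprise = any("802.1X" in a for a in info["akm"])
    ciphers = set(info["pairwise"]) | {info["group"]}
    aes_only = ciphers == {"CCMP-128"}
    if enterprise:
        return "WPA2-EAP-AES" if aes_only else "WPA2-EAP-mixed"
    return "WPA2-PSK-AES" if aes_only else "WPA2-PSK-mixed"


def meets_policy(ies: bytes, privacy_bit: bool) -> bool:
    """The article's bar: 802.1X-derived dynamic keys with AES, nothing weaker mixed in."""
    return classify(ies, privacy_bit) == "WPA2-EAP-AES"


# Constructed beacon element lists (SSID "corp" followed by the security element).
SSID_IE = b"\x00\x04corp"
RSN_EAP_CCMP = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac01" "0000")
RSN_PSK_TKIP = bytes.fromhex("3014" "0100" "000fac02" "0100" "000fac02" "0100" "000fac02" "0000")
WPA1_TKIP = bytes.fromhex("dd16" "0050f201" "0100" "0050f202" "0100" "0050f202" "0100" "0050f202")

if __name__ == "__main__":
    for name, ies, priv in [("corp-eap", SSID_IE + RSN_EAP_CCMP, True),
                            ("corp-psk", SSID_IE + RSN_PSK_TKIP, True),
                            ("corp-wpa1", SSID_IE + WPA1_TKIP, True),
                            ("corp-wep", SSID_IE, True),
                            ("corp-open", SSID_IE, False)]:
        print(f"{name:10s} {classify(ies, priv):16s} policy_ok={meets_policy(ies, priv)}")
```

The privacy bit must come from the beacon's capability field; a WEP network carries no RSN or WPA element at all, so without that bit it is indistinguishable from an open one. The check rejects mixed-cipher configurations (TKIP group key alongside CCMP) because a TKIP group key makes the whole cell only as strong as TKIP.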
Nail Down Client Configurations
Managing client configurations is critical. Left on their own, employees will adjust their laptops to access public hot spots or home wireless routers. Enterprises can manage their clients through configuration control, usage policy and dedicated client software.
Since Windows XP laptops ship with an internal wireless network adapter that automatically tries to attach to available WLANs, it's important to change the adapter's network properties so that it no longer allows ad hoc connections. Furthermore, administrators need to disable Wireless Auto Configuration, install XP Service Pack 2, which supports WPA and fixes several wireless security flaws, and change dangerous default settings, such as the administrative password.
Mad Science not only restricts use of the wireless client, but also locks down its mobile machines through user privileges, preventing the installation of applications.
"Our users aren't allowed to do anything to reconfigure their wireless client," says Alszko. "That doesn't mean they aren't going to try."
Meanwhile Peregrine uses client software specific to its Fortress Access Control Server to guarantee that only clients installed by Willis and his team can connect to the WLAN.
Define and Enforce Policy
A detailed acceptable-use policy is the foundation of a sound wireless security program. For example, Mortgage Financial is selective about who gets VPN access.
"If you want to connect to the network remotely, a request is submitted for a VPN client. The VPN client is deployed only after reviewing the environment and if the user meets the criteria," says Beaupre. This ensures everyone connects through a gateway that verifies the correct encryption level is being used and the antivirus definitions are current.
Because of the rapid changes in wireless technologies, WLAN policies need to be dynamic. Organizations should revisit the policy and educate wireless users regularly.
Issues routinely covered by written policies should include the type of encryption to be used for authentication, acceptable use policy (corporate access points only vs. public networks), procedures in the event a device is lost or stolen, and the consequences for violating policies.
Defend the Airwaves
The public nature of RF spectrum, on which 802.11 networks operate, poses challenges exclusive to wireless networks. Early wireless networks gave rise to war drivers and postings online of wide-open WLANs, complete with GPS coordinates. Continuous monitoring is needed to detect attacks and any abnormal RF propagation patterns.
Sometimes the problem is internal. Employees who transfer large files, misconfigured access points and clients, and RF interference from non-802.11 devices such as wireless telephones, remote cameras, even microwave ovens, can all interfere with the smooth operation of a WLAN. Inadvertent associations--such as an employee in the office next door or a customer carrying a Wi-Fi-enabled PDA--need to be distinguished from attackers.
Companies like AirTight Networks, AirDefense, AirMagnet, Newbury Networks, Network Chemistry and Bluesocket have developed wireless IDS/IPS systems with advanced RF-monitoring and blocking capabilities.
For smaller organizations, many wireless routers have built-in firewalling capabilities. They can also use network-monitoring tools, such as NetStumbler.
Using more than one tool for monitoring wireless (and wired) networks also helps security professionals fend off potential attacks. In addition to relying on his SonicWALL devices to automatically detect problems on Mortgage Financial's wireless network, Beaupre uses Ipswitch's WhatsUp Gold Premium, along with Denika Performance Trender from Somix, to monitor nodes.
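The monitoring this section calls for, and the sidebar's rogue-AP, SSID-spoofing and DoS entries, come down to two checks over what a sensor hears on the air: is every access point advertising a corporate SSID one of ours, and is any station being flooded with deauthentication frames? The following is an added example, not code from the article or from any of the IDS vendors it names: both checks run over constructed observations. The AP inventory, BSSIDs, SSIDs, the "security" label on each beacon and the deauth frame timings are all made up for the example; the distinction between a neighbour's AP and a rogue on the wired LAN is modelled by a flag that, in a real deployment, would come from matching the AP's MAC against switch tables.

```python
"""Two wireless-IDS checks over constructed RF observations.

Added example (not from the article, not any vendor's product). Inventory,
beacons and frame timings below are constructed.
"""
from collections import defaultdict

# Constructed inventory of the company's own access points (BSSID -> SSID).
AUTHORIZED = {
    "00:11:22:aa:00:01": "corp",
    "00:11:22:aa:00:02": "corp",
}
CORP_SSIDS = set(AUTHORIZED.values())
REQUIRED_SECURITY = "WPA2-EAP"   # assumed label produced by a separate beacon classifier

# Constructed beacon observations: (bssid, ssid, security, seen_on_wired_lan).
# seen_on_wired_lan stands in for a lookup of the AP's MAC in switch CAM tables.
BEACONS = [
    ("00:11:22:aa:00:01", "corp", "WPA2-EAP", False),
    ("00:11:22:aa:00:02", "corp", "WEP", False),              # our AP, wrong config
    ("66:77:88:00:00:01", "corp", "OPEN", False),             # unknown AP using our SSID
    ("aa:bb:cc:00:00:09", "linksys", "WEP", True),            # home router on our LAN
    ("de:ad:be:ef:00:01", "cafe-next-door", "OPEN", False),   # neighbour, not ours
]

# Constructed deauthentication frames: (timestamp_ms, source_bssid, destination).
# A burst of 40 broadcast deauths 50 ms apart from the unknown AP, plus two
# ordinary deauths minutes apart from a legitimate AP.
DEAUTH_FRAMES = [(i * 50, "66:77:88:00:00:01", "ff:ff:ff:ff:ff:ff") for i in range(40)]
DEAUTH_FRAMES += [(5_000, "00:11:22:aa:00:01", "00:aa:bb:cc:dd:01"),
                  (90_000, "00:11:22:aa:00:01", "00:aa:bb:cc:dd:02")]


def classify_ap(bssid: str, ssid: str, security: str, on_wired_lan: bool) -> str:
    """Verdict for one observed access point against the inventory and policy."""
    if bssid in AUTHORIZED:
        if AUTHORIZED[bssid] != ssid or security != REQUIRED_SECURITY:
            return "misconfigured"        # ours, but not as we configured it
        return "authorized"
    if ssid in CORP_SSIDS:
        return "spoofed-ssid"             # someone else advertising our network
    if on_wired_lan:
        return "rogue-on-lan"             # unknown AP bridged into the corporate LAN
    return "neighbor"                     # inadvertent association risk only


def audit_beacons(beacons) -> dict:
    """Map every observed BSSID to its verdict."""
    return {bssid: classify_ap(bssid, ssid, sec, wired) for bssid, ssid, sec, wired in beacons}


def detect_deauth_floods(frames, window_ms: int = 1000, threshold: int = 10) -> dict:
    """Return {(source, destination): peak count} for pairs whose deauth rate
    reaches `threshold` frames inside any sliding window of `window_ms`."""
    times_by_pair = defaultdict(list)
    for ts, src, dst in frames:
        times_by_pair[(src, dst)].append(ts)
    alerts = {}
    for pair, times in times_by_pair.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window_ms:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[pair] = peak
    return alerts


if __name__ == "__main__":
    for bssid, verdict in audit_beacons(BEACONS).items():
        print(f"{bssid}  {verdict}")
    for (src, dst), count in detect_deauth_floods(DEAUTH_FRAMES).items():
        print(f"deauth flood: {count} frames/s from {src} to {dst}")
```

Correlating the two checks is what turns noise into a finding: a deauth burst from a BSSID already flagged as spoofing the corporate SSID is the man-in-the-middle setup the sidebar describes, whereas the same burst from the neighbour's AP is their problem, not yours.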
No One Answer
There is no silver bullet when it comes to wireless security. Security pros are constantly wrestling with security versus usability within their organizations, and it's up to you to find a workable solution that fulfills both needs. Wireless security continues to mature, offering organizations the flexibility to further their business goals.