Now that the final version of 802.11n has been approved and products based on that standard are shipping, many expect rapid adoption of high-speed wireless networks in the enterprise. Access points (APs) that support 802.11n are up to six times faster and can reach up to twice as far as legacy 802.11abg APs. Moreover, networks based on 802.11n can support larger user populations much more reliably, making Wi-Fi a competitive alternative...
to 10/100 Ethernet for enterprise network access.
Most businesses use Wi-Fi to some extent already, but a considerable number have been awaiting next generation 802.11n APs and clients before deploying company-wide coverage, implementing multimedia applications, or undertaking Ethernet replacement projects. In this tip, let's review several key questions that network security pros should think about as part of any 802.11n upgrade.
1. How will deploying an 802.11n upgrade affect legacy Wi-Fi clients and their security policies?
A top concern for any upgrade is minimizing the effect that changes have on the rest of the network, its services and its users. To avoid service degradation for old and new users, deploy new 802.11n access points (APs) on different channels, preferably in the larger, relatively unused 5 GHz band. If there's a need to support old clients with 802.11n APs in the crowded 2.4 GHz band used by legacy 802.11g APs, configure new APs to operate in "mixed mode" on 20 MHz channels only.
Older 802.11ag clients may get faster service over greater distances, but they will not have data rates above 54 Mbps. Only 802.11n clients can obtain high throughput rates; this is because 802.11n uses multiple receivers and transmitters called multiple-input multiple-output (MIMO), which isn't backwards compatible with older clients.
However, in secure WLANs, only WPA2 clients -- those that employ AES encryption -- are permitted to use high-throughput rates. Thus, SSIDs that require WEP or WPA are not suitable for mixed-mode WLANs that contain both 11ag and 11n clients. Instead, retire WEP-only SSIDs, modify existing SSIDs to accept both WPA and WPA2, or create WPA2-only SSIDs.
2. Does 802.11n's increased range result in new threat exposures?
When Wi-Fi signals bounce off walls and doors, the result is multi-path, or multiple reflections of the same transmission that travel along different spatial paths to reach a receiver at slightly different times. Multi-path is bad for 802.11ag because reflections interfere with each other, but 802.11n turns multi-path into an advantage.
An 802.11n AP uses MIMO to send data differently or redundantly over 2-4 simultaneous streams, increasing throughput and quality. In a typical office, 802.11n APs provide a 4.5 dB gain versus 802.11ag APs. This makes it possible to create Wi-Fi coverage areas that are up to twice as large, delivering faster, more reliable coverage to the same area as before.
3. Is it possible to monitor 40 GHz channels, or decode 802.11n traffic?
802.11n APs can double throughput by merging two 20 MHz-wide channels into one 40 MHz-wide channel. Legacy 802.11ag scanners, analyzers and wireless intrusion prevention systems (WIPS) may "hear" something on those wider channels but not interpret those transmissions. Furthermore, deploying 802.11n introduces new radio preambles (sequences that announce intent to transmit) and media access control frames (messages used to share the air fairly and acknowledge receipt) that cannot be understood by legacy devices.
For example, an 802.11n AP operating in "mixed mode" sends both 11ag and 11n preambles to stop old devices from transmitting simultaneously. However, some 802.11n APs can also operate in "greenfield mode," using airtime more efficiently by skipping those old format preambles. As a result, legacy devices cannot detect greenfield mode APs. And, while legacy devices may detect mixed mode APs, they will not be able to interpret some messages -- particularly those sent on 40-MHz-wide channels.
Consequently, 802.11n APs may elude rogue detectors altogether or send malicious traffic that a WIPS cannot match to attack signatures. To mitigate these new threats, enterprises should include 802.11n-capable WLAN scanners, analyzers and WIPS sensors in their upgrade plans.
4. Do new 802.11n APs and clients need to be hardened and patched?
New products often have a few bugs, especially complex technology like 802.11n. Manufacturers have shipped draft 802.11n products for a while and patched early bugs (e.g., Atheros 11n tag overflow, Marvel 11n EAP overflow), but new vulnerabilities are likely, especially in embedded and consumer devices like printers, cameras, smartphones and media servers. These non-laptop clients are often used without IT knowledge, creating vulnerable endpoints. So continue existing pre-802.11n best practices: Detect all active Wi-Fi devices (including clients and ad hocs), harden their configs, and track product-specific vulnerabilities.
The rate at which new Wi-Fi exploits are discovered has slowed, but not stopped.
For example, forged 802.11n block acknowledgements (ADDBAs) can be used to initiate denial-of-service (DoS) attacks against high-throughput clients. The ADDBA option reduces latency when streaming media, but forged ADDBAs can cause recipients to erroneously drop traffic. This can be mitigated using WIPS detection or disabling ADDBA.
A new WPA message integrity check (MIC) attack was discovered last fall and improved this summer. This attack exploits Wi-Fi Multimedia (WMM) interoperability and quality-of-service standard to guess unknown bits in replayed ARP frames without triggering WPA countermeasures. Once the MIC key has been recovered, attackers can inject modified TKIP-encrypted frames without detection. Enterprise 802.11n APs support WMM and are thus vulnerable; this attack can be thwarted by upgrading to WPA2 (AES encryption) or disabling WMM.
6. Do new applications require new security policies and traffic isolation?
Upgrades to 802.11n are often used to support more diverse applications, including voice, video, real-time collaboration and backhaul from hard-to-wire locations. These new applications are often more sensitive to privacy and/or performance issues. Fortunately, those new applications can be secured using the same old measures, including WPA2, VPNs, SSL, VLANs or NAC. However, to compartmentalize sensitive traffic, consider divvying RF spectrum into new SSIDs -- possibly with different security, quality of service (QoS) and firewall policies -- mapped onto separate VLANs. For example, VoIP is usually sent over its own top priority SSID and VLAN, with access restricted by MAC address and protocol type.
7. How do mission-critical applications change organizational risk tolerance?
Finally, 802.11n is mature enough for "prime time" enterprise use, ranging from mission-critical application connectivity to Ethernet replacement. The same old policies and surveillance methods applied to best-effort Internet and email may no longer be sufficient -- not because 11n breaks them, but because your enterprise's risk tolerance may have declined. For example, businesses that relied on background rogue AP detection may decide the time has come for a full-time dedicated WIPS. Organizations reluctant to retire WEP-only clients may decide to make those investments now. When fielding new wireless applications, consider the business risks you may be introducing and how well existing WLAN security policies and practices address them.
Every network upgrade presents both business opportunity and security risk; 802.11n offers ample opportunity for both. Over the next two years, most businesses will likely move to 802.11n to create bigger, faster, more reliable wireless networks, capable of running more diverse and demanding applications. While 802.11n does not rewrite the book when it comes to security best practices, this major upgrade will introduce many new devices, channels, protocols and applications. As such, every 802.11n deployment should include security planning, vulnerability assessment and an investment in new security tools.
About the author:
Lisa Phifer owns Core Competence Inc., a consulting firm specializing in network security and management technology. Lisa has been involved in the design, implementation and evaluation of data communications, internetworking, security and network management products for over 20 years. At Core Competence, she has advised large and small companies regarding security needs, product assessment and the use of emerging technologies and best practices. Before joining Core Competence, Lisa was a member of technical staff at Bell Communications Research where she won a president's award for her work on ATM network management.