Best Practices for Wireless Network Security
- 05 February, 2004 12:17
Wireless technology is dramatically changing the world of computing, creating new business opportunities but also increasing security risks.
Wireless LANs, which use radio frequencies to broadcast in the unlicensed 2.4GHz frequency band, can be as simple as two computers equipped with wireless network interface cards or as complex as hundreds of computers outfitted with cards communicating through access points. They're relatively inexpensive and easy to install. But they also introduce a number of critical security risks and challenges, and it's important to implement strong security measures to mitigate these risks. What follows are potential risks and associated best practices to help you secure your network and understand WLAN characteristics:
Risk No. 1:
Insufficient policies, training and awareness
Though establishing policies to govern wireless networks would appear to be a basic requirement, institutions often fail to take this step or to inform employees of the risks associated with not using a wireless network in accordance with the policies. Once policies are implemented, it's critical to communicate them to increase users' awareness and understanding.
How to mitigate:
Develop institution-wide policies with detailed procedures regarding wireless devices and usage. Maintain these policies and procedures to keep current with technology and trends. While each institution will have specific requirements, at a minimum require the registration of all WLANs as part of overall security strategy. And because a policy isn't effective if users aren't in compliance, monitor the network to ensure that users are following the policy as intended.
Conduct regular security awareness and training sessions for both systems administrators and users. It's important to keep systems administrators informed of technical advances and protocols, but it's equally important for users to understand the reasons for the protocols. An educated user will more likely be a compliant one, without as much protest. These education sessions should stress the importance of vigilance.
Risk No. 2:
Wireless access points repeatedly send out signals to announce themselves so that users can find them to initiate connectivity. This signal transmission occurs when 802.11 beacon frames containing the access points' Service Set Identifier are sent unencrypted. (SSIDs are names or descriptions used to differentiate networks from one another.) This could make it easy for unauthorised users to learn the network name and attempt an attack or intrusion.
How to mitigate:
- Enable available security features. Embedded security features are disabled by default.
- Change the default settings. Default SSIDs are set by the manufacturer. For example, Cisco's default SSID is "tsunami", and Linksys' is "linksys". Not changing these makes it easier for an unauthorised user to gain access. Define a complex SSID naming convention. Don't change the SSID to reflect identifiable information, since this too could make it easy for an unauthorised user to gain access. Instead, use long, nonmeaningful strings of characters, including letters, numbers and symbols.
- Disable Dynamic Host Configuration Protocol and use static IP addresses instead. Using DHCP automatically provides an IP address to anyone, authorised or not, attempting to gain access to your wireless network, again making it just that much easier for unauthorised penetration.
- Move or encrypt the SSID and the Wired Equivalent Privacy (WEP) key that are typically stored in the Windows registry file. Moving these privileged files makes it more difficult for a hacker to acquire privileged information. This step could either prevent an unauthorised intrusion or delay the intrusion until detection occurs.
- Use a closed network. With a closed network, users type the SSID into the client application instead of selecting the SSID from a list. This feature makes it slightly more difficult for the user to gain access, but education on this risk-mitigation strategy can reduce potential resistance.
To gain maximum advantage of a closed network, change the SSID regularly so that terminated employees can't gain access to the network. Develop and implement an SSID management process to change the SSID regularly and to inform authorised employees of the new SSID.
- Track employees who have WLANs at home or at a remote site. Require that wireless networks are placed behind the main routed interface so the institution can shut them off if necessary. If WLANs are being used at home, require specific security configurations, including encryption and virtual private network (VPN) tunnelling.
Risk No. 3:
Rogue access points
Rogue access points are those installed by users without coordinating with IT. Because access points are inexpensive and easy to install, rogue installations are becoming more common.
Rogue access points are often poorly configured and might permit traffic that can be hard for intrusion-detection software to pinpoint.
How to mitigate:
- Conduct extensive site surveys regularly to determine the location of all access points. Ensure that access points aren't near interfering appliances such as microwave ovens, electrical conduits, elevators or furniture.
- Plan for access-point coverage to radiate out toward windows, but not beyond.
- Provide directional antennas for wireless devices to better contain and control the radio frequency array and thus prevent unauthorised access.
- Purchase access points that have "flashable" firmware only, to allow users to install security patches and upgrades in future releases.
- Disable Simple Network Management Protocol community passwords on all access points. SNMP is used as an access-point management mechanism, and while it offers operational efficiencies, it increases the risk of security breaches.
- Set Authentication method to OPEN rather than to shared encryption key. This seems contrary because using encryption for authentication is typically preferred. However, when using the shared encryption key feature, the challenge text is sent in clear text. This could help an unauthorised party calculate the shared secret key using the encrypted version of the same text. So ironically, using the default OPEN authentication actually reduces the possibility of an unauthorised party discovering your WEP encryption key.
- Use Remote Authentication Dial-In User Service, which can be built into an access point or provided via a separate server. RADIUS is an additional authentication step. Interface this authentication server to a user database to ensure that the requesting user is authorised.
- Force 30-minute reauthentication for all users.
Risk No. 4:Traffic analysis and eavesdropping
Without actually gaining access to the network, unauthorised parties can passively capture the confidential data traversing the network via airwaves and can easily read it because it's sent in clear text. So an attacker could alter a legitimate message by deleting, adding to, changing or reordering the message. Or the attacker could monitor transmissions and retransmit messages as a legitimate user.
By default, WLANs send unencrypted or poorly encrypted messages using WEP over the airwaves that can be easily intercepted and/or altered. Currently, wireless networks are beset by weak 802.11x Access Control Mechanisms, resulting in weak message authentication.
How to mitigate:
1. Encrypt all traffic over the WLAN. There are a variety of methods to select from:
- Use application encryption such as Pretty Good Privacy, Secure Shell (SSH) or Secure Sockets Layer.
- Enable WEP, an encryption method that's intended to give wireless users security equivalent to being on a wired network but that has been proved to be insecure (its RC4 stream cipher, which is used to encrypt the data, has been cracked). Both 40- and 128-bit keys have been cracked - the 128-bit encryption only prolongs the cracking process. Despite its weaknesses, the WEP security that's built into wireless LANs can delay an unauthorised user's intrusion or possibly prevent a novice hacker's attacks entirely. (Note: The WEP factory default is OFF.)
- Require the use of a VPN running at least FIPS-141 triple Data Encryption Standard and encrypting all traffic, not only the ID and password. Segment all wireless network traffic behind a firewall and configure each client with a VPN client to tunnel the data to a VPN concentrator on the wired network. Configure so users communicate only with the VPN concentration point. Evaluate the following features when purchasing VPN technologies: interoperability with existing infrastructure, support for a wireless and dial-up networking, packet-filtering or stateful-inspection firewall, automatic security updates and a centralised management console.
2. Implement two-factor authentication scheme using access tokens for users accessing critical infrastructure.
3. Utilise 802.11x for key management and authentication standards.
4. Use Extensible Authentication Protocols.
5. Activate the Broadcast Key Rotation functionality. Set a specific amount of time (usually 10 minutes or less) on the access point; each time the counter runs out, the access point broadcasts a new WEP key, encrypting it with the old, thus reducing the amount of time available to crack the key.
6. Restrict LAN access rights by role.
Risk No. 5:Insufficient network performance
Wireless LANs have limited transmission capacity. Networks based on 802.11b have a bit rate of 11Mbit/sec while networks based on 802.11a have a bit rate of 54Mbit/sec. Media Access Control overhead alone consumes roughly half of the normal bit rate.
Capacity is shared between all the users associated with an access point, and since load balancing doesn't exist on access points, network performance can be improved dramatically if the appropriate number of access points are available to users.
Frequently, unauthorised users' intentions are to steal bandwidth rather than view and alter the data passing along the wireless network. Therefore, these unauthorised users can significantly reduce network performance for authorised users. Finally, DoS attack can disable or disrupt your operations. A DoS doesn't have to be intentional. For example, users can transfer large files that can cause a network outage.
Another unintentional DoS can occur when legitimate traffic uses the same radio channel. Conversely, a DoS can also be an intentional overflow, such as a ping flood to intentionally cause network disruptions.
How to mitigate:
1. Continually monitor network performance and investigate any anomalies immediately.
2. Segment the access point's coverage areas to reduce the number of people using each access point.
3. Apply a traffic-shaping solution to allow administrators to proactively manage traffic rather than react to irregularities.
Risk No. 6:
Because wireless networks are insecure, they're prone to attacks. Such attacks can include spreading viruses, loss of confidentiality and data integrity, data extraction without detection, privacy violations and identity theft.
How to mitigate:
1. Deploy a network-based intrusion-detection system on the wireless network; review logs weekly.
2. Use and maintain antivirus software. Push out antivirus software upgrades to clients from servers.
3. Create frequent backups of data and perform periodic restorations.
Risk No. 7:MAC spoofing/session hijacking
Wireless 802.11 networks don't authenticate frames, which may result in frames being altered, authorised sessions being hijacked or authentication credentials being stolen by an impostor. Therefore, the data contained within their frames can't be assured to be authentic, since there's no protection against forgery of frame source addresses.
Because attackers can observe Media Access Control addresses of stations in use on the network, they can adopt those addresses for malicious transmission. Finally, station addresses, not the users themselves, are identified. That's not a strong authentication technique, and it can be compromised by an unauthorised party.
How to mitigate:
1. Limit access to specific MAC addresses that are filtered via a firewall. This technique isn't completely secure, because MAC addresses can be duped, but it does improve the overall security strategy. Another difficulty with this technique is the maintenance effort required. A MAC address is tied to a hardware device, so every time an authorised device is added to or removed from the network, the MAC address has to be registered into the database.
2. Monitor logs weekly and scan critical host logs daily.
3. Use proven data link layer cryptography such as SSH, Transport-Level Security or IPsec.
Risk No. 8:Physical security deficiencies
Commonly used wireless and handheld devices such as PDAs, laptops and access points are easy to lose or to steal because of their small size and portability. In the event of a theft, the unauthorised party can compromise such devices to obtain proprietary information about your wireless network configuration.
How to mitigate:
1. Implement strong physical security controls, including barriers and guards to prevent the theft of equipment and unauthorised access.
2. Label and maintain inventories of all fielded wireless and handheld devices.
3. Use device-independent authentication so that lost or stolen devices can't gain access to the WLAN.
After examining just a few risks associated with WLANs, their high-risk nature becomes quite evident.
To moderate risks, management and systems administrators must perform ongoing risk assessments to ensure not just that they understand the risks that they face, but that they also take appropriate steps to mitigate the risks.
Overall, the greatest weakness with wireless security isn't the technical shortcomings but out-of-the-box insecure installations. This risk can be overcome with attention to detail. But remember that the human factor is the weakest link and that this risk needs to be considered when appointing a network administrator and funding suitable review procedures.
In optimistic summary, risk provides opportunity that just needs to be managed. It's an inspiration for progress and should be a welcome challenge, as long as it's given the proper consideration. w
Susan Kennedy is the information systems audit manager at the University of Pennsylvania. She has more than 13 years' experience in the IT assessment of security, computer facilities and networks; pre- and post-system implementations; and business processes and application reviews. She holds an MBA degree and Certified Information Systems Auditor and Certified Internet Webmaster certifications
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
Five trends affecting legal CIOs
CIO Roundtable: The changing face of security
Bitcoin malware count soars as cryptocurrency value climbs
Bouncing Back From CIO Unemployment
Union slams latest fibre-to-premise trial in Tasmania
Taking Managed Security Services to the Next Level
In this white paper, we will outline the changing landscape of security; the importance of a high-security posture; the elements of effective Web, endpoint, user and mobile protection; and the ways in which Webroot helps partners increase the value and profitability of their security practices.
Security in a Faster Forward World
Organizations today operate in a Faster Forward world, as they experience a shift towards an increasingly mobile workforce. Following this, an evolving stream of attackers are now targeting mobile devices where they can more easily access a larger number of high-value corporate and government assets. This paper will guide you through finding the right Web security partner that can improve efficiency while reducing risks and improving web experience.
MAM Evaluation Guide: 10 Must Haves
Your employees demand more apps, more data, more convenience—which places a major strain on IT. Satisfy both sides with a Mobile App Management (MAM) solution. Here’s a guide to help you understand the critical success factors before getting started.