Keeping a wireless network safe from product vulnerabilities

How do I secure my wireless network from specific and known product defects such as vulnerabilities in APs (e.g., Cisco Aironet AP Memory Exhaustion DoS)?

Software that runs critical wireless infrastructure can suffer from vulnerabilities just like any complex system - often with devastating effects. A single vulnerability may compromise a host or a group of hosts, but a vulnerability in an infrastructure device can lead to much more damaging effects. Your network may become unavailable at the very least and entirely subverted at the very worst.

The first step to protect against such vulnerabilities might be obvious but is one that is sometimes overlooked: keep up-to-date on vendor patches. But beyond patching, how can you protect yourself from similar vulnerabilities that may be exploited in the future?

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

How do I secure my wireless network from specific and known product defects such as vulnerabilities in APs (e.g., Cisco Aironet AP Memory Exhaustion DoS)?

Software that runs critical wireless infrastructure can suffer from vulnerabilities just like any complex system - often with devastating effects. A single vulnerability may compromise a host or a group of hosts, but a vulnerability in an infrastructure device can lead to much more damaging effects. Your network may become unavailable at the very least and entirely subverted at the very worst.

The first step to protect against such vulnerabilities might be obvious but is one that is sometimes overlooked: keep up-to-date on vendor patches. But beyond patching, how can you protect yourself from similar vulnerabilities that may be exploited in the future?

Many access point (AP) vulnerabilities are caused by problems with the access points' administrative interfaces. A great way to protect yourself from vulnerabilities that might crop up is to disable access to APs on the wireless side and employ packet filtering on the wired side to limit access to a few select management workstations. However, if a vulnerability exists at Layer 2 and is only exploitable after a station has been authenticated with the network, then there's little you can do to prevent an intruder from attacking the station.

Earlier this year came the disclosure of a DoS vulnerability in Cisco's Aironet AP that enabled attackers to prevent the device from passing traffic by sending spoofed ARP replies to the AP. In this case, the attacker would need to be authenticated with the AP, but it is not wise to trust that your users will never do anything malicious. Similar vulnerabilities are also quite problematic for APs that integrate IDS-like features. When your AP gets knocked out, so does your ability to detect attacks.

In cases like this, the only real way to assure protection is with additional security and monitoring hardware such as a wireless intrusion detection and prevention system. Such systems can monitor the airwaves for these types of attacks, and they do not suffer from vulnerabilities as your wireless infrastructure may. In addition to being able to alert you to an attack, these systems can also take preventative action to shield and contain the attack. In the case of the Aironet DoS, the IPS can detect the ARP storm, then de-authenticate and tar-pit the attacker.

Staying up-to-date on patches isn't enough. By doing just that, you are only protected against the known vulnerabilities in your wireless infrastructure. A wireless IPS gives you some level of protection against vulnerabilities that haven't been discovered or disclosed.

Waters is CTO of Network Chemistry as well as an editorial board member of the WVE.