Wireless LAN Security

Unlike wired Ethernet, 802.11 wireless transmissions cannot be contained by walls, doors, and floors. This lack of physical security makes a wireless LAN more vulnerable to interference, misuse, and attack. Enterprises that use 802.11 to expand LAN reach, replace wired Ethernet drops, and mobilize their workforce must take steps to secure those wireless LANs.

Threats

Enterprises must be protected against business threats introduced when deploying 802.11 wireless. Some of these threats also apply to enterprises that ban wireless use.

Confidentiality

Business data must be protected against eavesdropping when sent over a corporate WLAN or without permission over a public, metro-area, or neighboring WLAN.

Integrity

Because WLANs operate in unlicensed bands, available for use by anyone, business traffic sent over the air must be protected against modification, replay, and injection.

Access Control

Enterprise networks must be guarded against unauthorized use, originating from both authorized and unauthorized (rogue) wireless devices.

Authentication

For risk management and regulatory compliance, enterprises absolutely need to know and track who is using wireless to access the corporate WLAN.

Authorization

Many enterprises require not just the ability to deny unauthorized access, but the ability to grant each authorized user wireless access to appropriate resources only.

Availability

Enterprises cannot run business-critical applications over 802.11 without the capacity to monitor and ensure network availability.

Countermeasures

WLAN security measures can be used to mitigate these threats. Older measures like Wired Equivalent Privacy (WEP) are easily circumvented and not recommended. Pre-Shared Keys (PSKs) are designed for home and small office WLANs. But the following measures have the scalability and strength to secure enterprise WLANs.

Over-the-Air Security

To prevent eavesdropping, modification, injection, and replay of 802.11 data in transit, enterprise WLANs can employ 802.11i Robust Security Network (RSN) protocols:

• Temporal Key Integrity Protocol (TKIP): Uses RC4 encryption and a cryptographic Message Integrity Check (MIC). Found in enterprise-grade Access Points and Adapters with Wi-Fi Protected Access (WPA).
• AES-CCMP: Uses the Advanced Encryption Standard (AES) and Counter Mode CBC-MAC (CCMP) integrity. Found in enterprise-grade Access Points and Adapters with Wi-Fi Protected Access Version 2 (WPA2).
• Virtual Private Network (VPN): Uses a network or transport tunneling protocol like IPsec, SSL, or TLS to protect the IP or TCP/UDP payload carried by 802.11 data; leaves the header exposed to eavesdropping/change. Found in most enterprise firewalls, VPN concentrators, and some Wireless LAN Controllers.

TKIP and AES were designed to provide on-site protection for enterprise WLANs. VPN tunneling is more appropriate for off-site protection, such as in 802.11 hotspots.

Securing the Corporate Network Edge

To control, authenticate, and authorize access to an enterprise WLAN and the wired corporate network behind it, 802.11i employs 802.1X Port Access Control. 802.1X is a framework for enabling/disabling layer two access, following an optional exchange between each wired or wireless LAN Station and a central Authentication Server.

During 802.1X, the Ethernet switch or wireless Access Point relays the Extensible Authentication Protocol (EAP) between the client and server. EAP rides 802.1X/802.11 between the client and AP, and RADIUS/Ethernet between the AP and Authentication Server. EAP methods commonly used in enterprise WLANs include the following:

• Protected EAP (PEAP)
• EAP-Transport Layer Security (EAP-TLS)
• EAP-Tunneled TLS (EAP-TTLS)

EAP methods support different kinds of authentication - for example, EAP-TLS supports mutual certification authentication, while PEAP and EAP-TTLS can also support username/password or token authentication. To deploy 802.1X, enterprises must have:

• An 802.1X-compatible RADIUS Server.
• Enterprise APs that support WPA-Enterprise or WPA2-Enterprise.
• Wireless clients equipped with 802.1X Supplicant software.
• User credentials appropriate for the selected EAP method.

Enterprises may also wish to restrict 802.1X-authenticated users to authorized VLANs or IP subnets. This can be accomplished by using APs that map named WLANs onto designated VLANs, or that support RFC 3580 802.1X//VLAN tag mapping.

Securing Wireless Clients

Wireless clients must be hardened using techniques commonly employed on Internet hosts, such as personal firewall and anti-virus. In addition, enterprises cannot rely on users to configure wireless adapters with the right WLAN security parameters, or to avoid connecting to unknown and potentially risky public, metro-area, or neighbor WLANs. Countermeasures to address these wireless risks include:

• Wireless Endpoint Management Tools: Enable IT control over WLAN connection policies, including WPA/WPA2-Enterprise security parameters.
• Wireless Host Intrusion Prevention: Uses client-side agents to monitor 802.11 activity (on-site or off-site) and warn or break risky client connections.

Securing the Airwaves
As enterprises rely on WLANs to support high-value business activities, they will need to monitor and control the airwaves within their facilities. They must be able to stop unauthorized rogue APs from connecting to either the corporate network or clients. Enterprises must be able to detect Denial of Service (Dos) attacks that impede legitimate WLAN use or redirect users through malicious "evil twin" APs. Finally, enterprises may require the ability to document WLAN use, attack, and deviations from defined policy.

The following measures are available to help satisfy these enterprise needs:

• WLAN Planning/Survey Systems: These systems can identify existing wireless devices and reduce undesirable signal leakage during WLAN planning.
• Network Stumblers: Hand-held tools used to discover rogue APs by periodically walking around an office, detecting beacons broadcasts.
• Wired-side Rogue AP Scanners: Conventional network scanners that look for unauthorized wireless APs connected via Ethernet to the corporate network.
• Wireless Intrusion Detection Systems (WIDS): Distributed systems that use APs or sensors to monitor and analyze 802.11 traffic, generating intrusion alerts.
• Wireless Intrusion Prevention Systems (WIPS): Use locationing and wireless or wired blocking techniques to automatically stop misuse or attack.
• Wireless Spectrum Analyzers: Hand-held or WIPS-integrated tools that look beyond 802.11 for all sources of interference in the 2.4 or 5 GHz band.

Additional resources

IEEE Std 802.11i-2004, IEEE Standard for Local and metropolitan area networks - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications Amendment 6: Medium Access Control (MAC) Security Enhancements.

IEEE Std 802.1X-2004, IEEE Standard for Local and metropolitan area networks - Port-Based Network Access Control (Revision of 802.1X-2001).

Real 802.11 Security: WPA and 802.11i, Arbaugh and Edney, ISBN-10: 0321136209, Addison-Wesley, 2004.

Certified Wireless Security Professional Study Guide, 2nd Edition, Planet3 Wireless, Carpenter et al, McGraw-Hill Osborne Media, 2006.