Chapter 7: Security and Wireless LANs

Cisco Press

The purpose of this chapter is to provide you with enough information to tackle the challenge of securing your WLAN infrastructure. This book repeatedly mentions the need for a security posture because security in your network is only as strong as the weakest link. This chapter provides an overview of key security components in WLANs, fundamental security vulnerabilities, key WLAN security standards, and security management challenges.

Wireless Security in Your Enterprise

The fundamental premise of security in networked environments is that no network is truly secure. Even a network that is not connected to the Internet can be compromised if physical access can somehow be obtained. This point further drives home the point that there is no perfect way to secure a network.

To approach security, you need an awareness of the components that determine how to secure your infrastructure while maintaining an attitude of elevated paranoia. You should always assume that at some point in time there will probably be an attempt to break into your network with the goal of compromising intellectual property or disrupting your business.

Attacks don't necessarily come from the outside. Research from the Computer Security Institute (CSI) and the FBI has shown that most security attacks come from the inside of an enterprise: (http://www.gocsi.com/forms/fbi/csi_fbi_survey.jhtml). (The document is free after registering at the CSI website.)

These attacks can be intentional, such as a disgruntled employee, or unintentional, as in the case where a computer is infected by a virus. The unintentional act is more likely to happen and probably more destructive. Armed with this state of healthy paranoia, you can strike the delicate balance between how much you invest to secure your infrastructure and the degree of difficulty an attacker needs to overcome.

Thinking Securely

The broadcast nature of a wireless network effectively raises the importance of authentication, encryption, and hashing. Starting with Authentication, you want to be sure that only permitted parties can communicate with your APs. Because you are effectively broadcasting your message over the ether, everyone can potentially hear every communication. Encryption is, therefore, needed to ensure communication privacy. Finally, the broadcast environment makes it relatively easy to capture, modify, and resend a message. Hashing your messages will address this problem.

Literature on information security typically uses the example of communication between two people. This section does the same, using the example of communication between Tony and Kelly. The specific security challenges that Tony and Kelly face when communicating are

  • Tony and Kelly need to know that they are indeed communicating with each other. This is known as authentication of the communicating parties.

  • Tony and Kelly want to be sure that only they can interpret the message exchange. Encrypting the messages into ciphers that only Tony and Kelly can decipher achieves this goal. Keys are used to lock and unlock the messages. These keys can be static or dynamic, and symmetric or asymmetric (Public/Private). The combination of the respective key characteristics determines how secure the solution is but also the computational cost.

  • Finally, Tony and Kelly want to be sure that the messages have not been tampered with while the messages were in transit. This is achieved by attaching a checksum (hashing) to the message that is recomputed and compared upon receipt. If the checksum is the same, the messages have not been tampered with.

It is not impossible to ensure secure wireless communications. Securing WLANs is possible if done correctly. However, heightened awareness is required to ensure that you don't overlook a critical component and thus create a back door.


Note - It might not be possible for you to think like a hacker, but it is not necessary, either. What is important is to establish a security posture that identifies the parts of your network (or information that passes through it) that are most sensitive and need protection.


Different Security Models

Depending on how you decide to combine the security elements mentioned in the preceding section, different security models are appropriate. This section describes the most commonly adopted models, which include the following:

  • No authentication, encryption, or hashing

  • Native encryption only

  • Native authentication only

  • User-based authentication

  • Machine-based authentication

  • Native encryption and authentication but no hashing

  • Authentication and encryption using overlay security solutions

No Authentication, Encryption, or Hashing

By providing no method of authentication, encryption, or hashing, your network is most open to attack. However, an attack doesn't necessarily mean that an individual wants to break into your network with malicious intent. It can also mean that an individual inadvertently attaches to your WLAN and uses your network resources.

Even though this model leaves you most open to unauthorized use of your WLAN, sometimes you will choose not to authenticate users or encrypt data. One such situation is when you want to provide your guests with WLAN connectivity.


Note - On occasion, little or no WLAN protection is available for proprietary devices or unique operating systems.


Native Encryption Only

Because WLANs use radio as a transmission medium, the first line of defense—physical medium control and containment—as offered by wired networks is not present. Indeed, LANs are somewhat protected by their physical structure, with some or all parts in a building or underground. To provide some kind of physical isolation similar to wired LANs, the 802.11b standard defined the Wired Equivalent Privacy (WEP) security protocol. WEP intends to provide some degree of privacy by encrypting the information between the radio endpoints.

Because WEP was designed when WLANs were in their infancy, it is not surprising to see that WEP turned out to be less effective than initially expected. WEP does not provide true end-to-end security because it only operates at the two lowest layers of the OSI model: the physical and data link layers.


Note - Any time you expose a standard to the general community, you risk compromising the standard because hackers can reverse-engineer the standard to develop an exploit.


In addition, WEP uses a static symmetric key to encrypt the data. The key's static nature is a challenge because key management becomes complicated and a vulnerability is created that propagates to other parts of the security chain. Key management challenges include

  • Distributing keys

  • Supporting timed changes

  • Determining how to address the physical loss of end devices

Finally, WEP employs a key length of 48 or 128 bits. Given the continued and accelerated growth in computing power, standard desktops are now capable of quickly breaking these keys through exhaustive searches.

Native Authentication Only

Authentication and authentication protocols control access to a network. Keep in mind that authentication does not secure the data that is transmitted on the network. Authentication protocols are designed to ensure that the user or device that is attempting to communicate is indeed whom it claims. It is analogous to a secured door in a large office building. By swiping your identity card, you are "authenticating" yourself. If the card is permitted access, the door is unlocked. Note that in this analogy, the card is authenticated, not the person carrying the card. Furthermore, the ID card does not provide security after you're inside the door. As such, you can make the distinction between two forms of authentication: One is authentication of the user, and the other is authentication of the device.

User-Based Authentication

User-based authentication is probably the most common form of authentication deployed in today's enterprises. Users are given a password that only they are supposed to know. A system challenges the user to provide a username and password. After the pair is checked against a corresponding database, the user is either granted or declined access.

This method's considerations and challenges include password strength and password management. Because in-depth coverage falls outside of the scope of this book, refer to other resources, such as Security and Usability: Designing Secure Systems That People Can Use by Lorrie Faith Cranor and Simson Garfinkel (O'Reilly Press, 2005), if you are interested in learning more.

Machine-Based Authentication

Machine-based authentication goes a step further and verifies the identity of the devices that attempt to join your WLAN. Machine-based authentication is credential-based with the credential hard-coded in the device. This credential is a password of sorts for the machine. Like a person, the machine must be registered to be able to use the network. This credential is either derived or stored locally, or it can be dynamically assigned.

These methods will vary in complexity, but all are tied to an authentication service that is present in the core infrastructure.

Native Encryption and Authentication But No Hashing

The most common mechanism used by enterprises to secure WLANs is the incorporation of both encryption and authentication. Both can be provided in numerous ways. Authentication and encryption have evolved to combat numerous attacks, vulnerabilities, and protocol shortcomings. This evolution has also increased their complexity.

Data encryption can be achieved in many ways. Encryption can be performed using either symmetric or asymmetric, that is public/private, key pairs, and the keys can be either statically or dynamically assigned. Asymmetric keys are typically harder to break because it requires more computational horsepower. Similarly, dynamically assigned keys generate more computational overhead. However, the automation greatly simplifies key management. As the computing power of clients has increased, the encryption on the WLAN has evolved from the simple but hard to manage WEP to complex but easy to manage certificate-based key pairing. The later section "Encryption" will go into more detail on this subject.

Authentication and Encryption Using Overlay Security Solutions

Overlay security solutions employ higher levels of the OSI model to secure communications. Even at these higher levels, the same basic security features exist: encryption, authentication, and hashing. However, given the availability of additional information and embedded intelligence, the result is a higher degree of security sophistication. As such, Virtual Private Networks (VPN) and generic routing encapsulation (GRE) tunneling provide a more secure form of end-to-end communications. Both solutions work on the premise that a secure virtual communications tunnel is constructed between the communicating endpoints through which all data is securely sent. The use of an overlay security solution can sometimes cause disruption because the "tunnel" is a virtual point-to-point connection that needs to be reestablished anytime the connection is broken. Overlay solutions can also cause an added burden to the user or administrator. The user must complete an additional layer of security (setting up a VPN), and the administrator needs to manage all the virtual tunnels.


Note - GRE tunnels are not the means of encryption—they are only the logical manner in which encrypted traffic is routed in the network. For the GRE tunnel to be encrypted, it requires an underlying protocol, such as IPSec or 3DES. Both are commonly used for encryption today.


No WLAN

Although it is not practical, not allowing the use of WLANs is one way to consider handling the issue of security. This book is an advocate of deploying WLANs when they make the best business sense. In this case, "no WLAN" should mean "No WLAN at this time."

WLAN Security Threats

The nature of wireless communications makes defending against attacks very difficult but extremely necessary. Threats come in many forms. The vulnerability and exposure of your network comes from inside and outside your network. Arguably, the internal troubles typically outnumber the external threats.

Security threats surface as disruption in service, unintentional leaks, and industrial espionage. Both professionals and amateurs carry out attacks against WLAN security shortcomings, which is facilitated by a plethora of publicly available tools. Even then, it might not be a person but rather a byproduct of a careless design. The following describes three profiles of people who can compromise a network.

Related:
1 2 3 4 5 Page 1
Page 1 of 5
Take IDG’s 2020 IT Salary Survey: You’ll provide important data and have a chance to win $500.