Chapter 7: Security and Wireless LANs

Cisco Press

1 2 3 4 5 Page 5
Page 5 of 5
  1. Change default SSID—Your access point will come with a default SSID when you install it. Change this as soon as possible to avoid the compromise of the AP.

  2. Disable SSID broadcast—Access points broadcast their SSIDs by default. This is not necessary for most home wireless networks. Disabling this feature will not allow neighbors to easily discover your home WLAN.

  3. Enable WPA-PSK—Most access points now support WPA-PSK (Wi-Fi Protected Access – Pre-Shared Key). This encryption and key management standard greatly increases the security of your home wireless network. WPA-PSK is configured on both your access point and any devices you use on the wireless network (desktop and laptop PCs, and so on). As it is configured by using a shared secret on all devices. Create a shared secret that is at least 20 characters long and not easy to guess.

  4. Change the default admin login password—Change the default password for the admin account on your access point to avoid Step 4. unauthorized users gaining the administrative access that allows configuration of the AP. The default password is well known and hence it defeats its purpose. Change it to something only you know or will remember. Choose a strong password and not one that is easy to guess such as "password" or "1234".

  5. Change default IP address—Access points come pre-configured with a particular IP address when they are installed. Typically, it is 192.168.1.x (where x is a number between 1 and 254). Most hackers are familiar with these IP addresses. You should change this value and choose an IP address in the range 192.168.x.1 (where x is a number between 2 and 254 to make it harder for a hacker to infiltrate your network). For example, you could change the default IP address to 192.168.153.1.

  6. Reduce DHCP scope—Home wireless access points usually act as Dynamic Host Configuration Protocol (DHCP) servers. This means they provide your desktop or laptop with an IP address when requested. Most access points provide IP addresses from a "pool" of available numbers. This pool can contain up to 253 IP addresses. Because you are likely to have only a handful of devices requiring an IP adress, consider reducing the DHCP pool number. For example, if you have only a single laptop you want to use on your home WLAN, you could reduce the DHCP pool to only one or two addresses. This change will reduce the risk of unauthorized users from accessing your WLAN.

  7. Reduce transmit power—Most access points transmit at the maximum power possible when initially installed. This sometimes has the unwanted result of expanding the coverage of your home wireless network outside or into neighboring areas. Reduce the transmit power to provide only the coverage you require.

  8. Use static IP addresses—Assigning individual IP addresses to end devices and disabling DHCP will help control who has access as you limit the possibilities for unwanted people to access your network.

  9. Enable MAC address filtering (advanced and optional step)—It is possible to configure most access points with a list of MAC addresses that are the only ones permitted to use the WLAN. With this technique, you effectively "filter" the network and only allow the devices with the MAC addresses you select. This technique helps prevent unwanted users from accessing your home wireless network. Be sure to select the correct MAC address (the one of your WLAN NIC) if your computer has more than one network interface.

  10. Disable web access (advanced and optional step)—You can disable web access on your access point. By doing so, attackers cannot log on or configure your access point using a web browser. Note that this means you also will be unable to log on to your access point and will have to use the command-line interface thereafter. Therefore, this option is suitable only for advanced users.

Determine How to Support and Secure Mobile Devices

Mobile devices such as PDAs and "smart phones" present their own security challenges. A policy and support plan for these devices is recommended for every corporation. If you choose to support these devices on the wireless network, you should ensure that they, like the rest of your client devices, are detailed in your security posture statement. Many issues will need to be addressed including, but not limited to, the following:

  • What OS is supported (PalmOS, PocketPC, and so on)?

  • What wireless client software is required?

  • Can user IDs and passwords be cached on the device (a common but very risky attribute of these devices)?

Determine How to Support and Secure Clients

One of the most difficult aspects of an effective and successful WLAN deployment is client management. This ability to control—both physically and logically—the expectations and capabilities of client devices is paramount. The threat of a client performing actions that mimic an AP is serious because this is sometimes the cause of DoS attacks. To mitigate any possibility of the client device being the weak link in the security of the WLAN, there also must be active control as to which clients are supported and what their abilities are.

Manage Clients and Client Attributes

Beyond developing a policy and list of supported client devices, the policy needs to outline attributes of the devices. Controlling these attributes helps to ensure that devices not supported in your security policy are not permitted on the network, thereby strengthening your overall security posture.

You should consider the following three aspects of a client device:

  • Platform—Define what platforms are supported. This not only includes the make and model but also specific wireless adaptor cards that client devices may use.

  • OS—Specify a list of supported operating systems and the particular revision level. This will not only ensure a consistent and uniform security posturebut also make it easier for your operations staff to isolate problems as several degrees of variability are removed.

  • Client software—Define a single common wireless client software application. This can be as simple as selecting the native client capabilities in the operating system (Windows XP Wireless Networking, for example), the client software provided with mobile devices and laptop computers, or a standard third-party client for use across all devices (such as that offered by Funk or Meetinghouse).

Anti-Virus

Although not specifically a wireless issue, user laptops and desktops should be provided with regularly updated anti-virus software. WLANs, just like any network, can propagate viruses if the client devices are not configured with appropriate software.

Soft AP

Some wireless software is available that allows a laptop or desktop computer to act as an access point. This software-enabled access point or soft AP is considered a major threat because it is usually a trusted device. The soft AP creates the same security threat as the unauthorized installation of rogue access points. In some ways the soft AP can be a more dangerous threat because many hackers will use them to stage attacks. As the successful hacker can turn any computer in an AP, he is not tied down anymore by the physical placement of regular APs. In essence, the soft AP could enable a hacker to place an AP wherever there is a computer. As such, we recommend that you disallow the use of this software capability and make it very clear in your wireless security policy that such software is unacceptable. Actively detecting soft APs is very difficult and this is another reason why radio-based rogue access point detection is of critical importance.

Disable Ad-Hoc Mode Networking

Although this is primarily a policy decision, depending upon the wireless client software you use, it may be possible to disable ad-hoc networking. Some client software allows you to disable certain functions using centralized administration tools.

Detect Rogue APs

Rogue access points are access points that are located within your enterprise and that were not installed by your IT department or approved vendors. They present a very serious security threat when connected to your network as they are improperly configured with little or no security settings.

A robust rogue AP detection system is critical for any secure wireless network. Indeed, rogue AP detection is critical because there is no such thing as a "non-wireless" network anymore; if you haven't deployed a WLAN, you can only assume that there is no WLAN as staff are purchasing cheap access points and installing them themselves, often without realizing the security implications.

It should be noted that the vast majority of rogue access points come from your own users, and only a small minority are from malicious hackers. Most user-installed rogue APs are not intended to compromise security but are attempts at benefiting from wireless networking without realizing the risks of poorly configured devices. If you have a comprehensive entitlement policy and wide coverage area, you will reduce the likelihood of rogue APs being installed in the first place.

Detecting rogue access points can be challenging. A combined approach of client-based reporting, radio-based detection, and network scanning is the best method.

Client-Based Reporting

Client-based reporting can be as simple as asking your users to report suspicious access points to the IT department. These can be nonstandard (enterprise) AP models, APs in unusual locations such as hidden under desks, and consumer-grade access points on desks or in cubicles. This reporting will allow your IT team to investigate and address the threat if it turns out to be real.

Additionally, some solutions now available on the market allow for wireless clients, such as laptops, to actively and automatically report a list of access points they have encountered to back-end management system. This reporting is entirely transparent to the user, but it allows your wireless management framework to construct a picture of all the access points in your enterprise. If an access point is reported but is not listed or managed by your network management system, there is a chance that it is a rogue.

Radio-Based Detection

Radio-based detection uses your own access points, or dedicated scanners, to actively monitor the RF spectrum and report all radio devices they detect. Effectively, your access points are "auditing the airwaves" and drawing up a picture of the radio frequency use in your enterprise. Most of the leading manufacturers provide radio-based rogue access point detection services with their products. These often have the advantage of providing you with a graphical representation of what your radio network looks like, using floor plans and colored cells or clouds to represent each 802.11 cell.

Radio-based detection can also be carried out manually by IT staff using handheld wireless network analyzers or laptops with software designed specifically for this purpose. These include popular tools such as AirMagnet, Kismet, and AirSnort.

Network-Based Detection

Network-based detection is the third essential pillar of a robust rogue access point detection system. Network-based detection uses internally developed or publicly available tools to scan the wired network for devices that match a particular signature or "fingerprint." These devices scan for familiar MAC addresses, specific open TCP ports, and particular protocols and processes that might be running on a device. These tools can even attempt to log on to the device and note its response. By combining several criteria and automating the process into regular scripted jobs, network-based reporting can quickly produce a list of suspicious devices. Your IT department can then use this list to investigate the devices and act accordingly. One of the most popular publicly available pieces of software that can be used for this purpose is WinFingerPrint (http://winfingerprint.sourceforge.net/).

Respond to Detected Rogue APs

After you have identified a rogue access point, you need to act. The potential responses can be categorized under three headings: remove, reclassify, and remediate.

Remove

You can remove the rogue access point from the network. You can achieve this by disabling the network switch port to which it is attached (if applicable), or you can confiscate the device or instruct the owner to comply with your IT polices and power-off or remove the rogue access point. If the device is not physically within the confines of your enterprise, you might need to "work around" the problem and reconfigure some of your access points to remove the interference and contention.

Reclassify

You can reclassify many rogue access points, especially those identified during the initial discovery phase, as friendly and therefore no longer a security risk. Friendly APs can be those that are internal to your network, such as those in labs. Conversely, friendly APs can be external, such as those in shared office spaces where another company manages and controls the APs. Keep the knowledge of the function or ownership of these friendly APs for reference later when you audit rogues.

Remediate

Finally, you simply might want to remediate some rogue access points and ensure that they are supported by your IT department and have the correct configuration. This choice can be due to a valid requirement for WLAN coverage in a particular area, or it simply can be due to a bad configuration in an access point that was officially supported.

Consider Using Intrusion Detection Systems

Many corporations opt for dedicated wireless intrusion detection systems (wireless IDSs). Many leading wireless equipment manufacturers also provide this service with their solutions. Wireless IDSs are a more advanced and dedicated approach to radio-based rogue access point detection. They often use dedicated "scanners" (often access points themselves, but sometimes cheaper scan-only devices) and specialized software. They can also be used to detect client behavior that you might want to prevent, such as the creation of ad-hoc wireless networks and client-to-client file-sharing networks.

Wireless IDSs provide a very good level of security and are often used by corporations that want to restrict or ban the use of wireless networks entirely. However, every large-scale enterprise-class network can benefit from the added security they provide.

Summary

This chapter outlined the many threats to security that happen both intentionally and unintentionally. These are vulnerabilities that you can avoid through proper planning and education. Today's threats include the interception of encrypted data and denial of service attacks. This potential negative business impact has created a great deal of emphasis on security practices, protocols, and the ability to protect against malicious attacks. The risk, however, does not stop there—considerations in the policy and methodology of WLAN security protection must also act as a defense against casual or incidental acts that result from the unaware employee or user.

Today, WLAN security is built on identification of the client, authorization of the user, and encryption of the data. Because wireless communication cannot be perfectly confined to an area, this three-tiered security framework is essential for protecting the WLAN. 802.1x is the foundation framework for the authentication process and is aided by EAP. Over time, many different standards have evolved with the intent of protecting the WLAN. Currently, 802.11i has become the newest standard being specifically developed for the WLAN to address security. WLAN security will continue to be one of the foremost considerations when building a WLAN solution for the enterprise. This chapter covered the fundamental information needed to develop a holistic and robust security plan for the WLAN.

The WLAN must be protected through preemptive actions. This begins with building standards based on best practices for the configuration of the client and AP. Further efforts are put into securing the physical space, monitoring for rogue APs, and taking charge of the airspace. Underpinning all these efforts is the ability to provide client education and to ensure that the integrity of the network remains intact by thwarting accidental events.

Finally, you should be able to place as much trust in the security of the WLAN as you would with the traditional wired network. No solution is infallible, but with proper planning, education, and monitoring, you can feel safe with whichever solution you deploy.

Copyright © 2007 Pearson Education. All rights reserved.

Learn more about this topic

 
Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Related:

Copyright © 2008 IDG Communications, Inc.

1 2 3 4 5 Page 5
Page 5 of 5
IT Salary Survey: The results are in