Ways to make your wireless net more secure

Q: I just inherited a major 802.11b deployment. I have no budget – what are the top 3 to 5 things I should do to ensure the network is secure? Joe – Seattle

The Wizards gaze deeply into their crystal ball and respond:

Pat Calhoun, Airespace

There is no “one-size-fits-all” approach to wireless security. Every individual enterprise requires its own comprehensive framework that addresses all facets of wireless networking, from the radio frequency physical layer to the protection of key business-critical applications. The best solution is a mix of well established industry standards, such as 802.1x, Wi-Fi Protected Access (WPA), and IPSec, combined with innate WLAN infrastructure capabilities, such as real-time monitoring for intrusion protection. The trick is understanding what security risks to look for, and knowing how best to address them in your enterprise environment. Below are some common things to consider:

• Does your WLAN system support security policies for heterogeneous users? How are the security approaches integrated? For example, can the same access points support multiple networks, such as an open “guest” network alongside an employee network using higher level encryption?

• Can you apply wired security policies to your wireless network? Are you reinventing the wheel? It is often extremely useful to map existing security schemes, such as virtual LANs, access control lists (ACL), and back-end authentication services (e.g., RADIUS) in your wireless network. In some instances, you may even want to leverage firewall and intrusion protection services. But, beware of WLAN products that offer a subset of what traditional security solutions offer, and require you to create completely separate security policies for wireless users. You do not want a false sense of security by deploying a scaled down firewall on your WLAN switch. In addition, and perhaps more importantly, users expect a seamless experience across wireless and wired networks. It might not be practical to have IT staff manage, update and control separate policies for both environments.

• Can your WLAN address security threats in real-time? A wireless network should be able to monitor the air space in real-time and detect malicious or unauthorized activity, such as rogue devices, attack signatures, excessive sources of interference, etc. Ideally, this functionality will be built into the access points themselves to avoid the need for handheld scanners, or separate overlay monitoring devices, which add cost and complexity. Your WLAN security system should place a high emphasis on eliminating false positives, as these have a tendency to increase cost and can ultimately affect overall security if your administrators get in the habit of ignoring valid attacks.

• Can you accurately locate the source of security risks? Location tracking is extremely important in wireless networks. In the Ethernet world, you can isolate problems back to a switch port. This is not viable in a WLAN, where devices are mobile. Make sure your WLAN has the ability to not only detect wireless security threats, but locate them for better problem resolution. In addition, location-based access control can provide a higher order level of protection. The higher the accuracy of the location-tracking software, the better, to avoid unnecessary wild goose chases. Avoid systems that only leverage RF triangulation, as they do not account for multi-path, limiting their effectiveness in many indoor environments.

• Will your WLAN support future innovation and changes in 802.11 security standards? This is pretty self-explanatory. Ask your vendor what the migration path is to future standards, such as 802.11i. One thing to examine is where encryption takes place – in the access point or in the switch. This might affect whether access points will need to be replaced down the road to support some of these emerging standards.

Most enterprises have gotten over the trepidation associated with WLAN security that existed a year ago (when WEP was first broken). With well-established authentication and encryption standards coupled with very specific RF security tools, many CIOs feel that wireless networks have actually become more secure than their wired counterparts. Think about it – your wireless network is constantly checking itself to prevent malicious activity – what protection does your wired network provide once someone is inside your firewall?

Keerti Melkote, Aruba Wireless Networks

This is a common scenario. First, understand that no network is secure – networks, like anything else, are either more secure or less secure. Fortunately, there are a number of things that can be done to make the network more secure:

1. Ensure that some form of encryption is in use. This can be as simple as WEP, but ideally should be something stronger such as IPSec or Temporal Key Integrity Protocol (TKIP). If you have a VPN infrastructure in place for Internet-based remote access, consider using it for wireless also by putting access points outside the firewall and forcing users to establish VPN tunnels. If you use VPN technology for wireless, ensure that some form of link-layer encryption (such as WEP) is in place.

2. If you use WEP, find out if devices in your network generate weak WEP initialization vectors (IV) – the primary means by which attackers can crack WEP keys. Tools such as AirSnort or WEPcrack (both open-source tools for Linux) will provide this information. If your equipment does generate weak WEP IVs, check with the equipment manufacturers for firmware updates to fix the issue.

3. Consider authenticating users on the wireless network. While advanced authentication schemes such as 802.1x and WPA are widely available, they may not meet the “no budget” requirement. However, a mid-range Linux server running Web portal software such as nocat may do the trick.

4. Disable broadcasting of your Extended Service Set ID (ESSID). This is not a security technique per se, since anyone can discover the ESSID through simple monitoring. It does, however, discourage the casual war-driver looking for free Internet access.

5. Resist the temptation to use techniques such as MAC address filtering or RF engineering to reduce signal “bleed.” These techniques have minimal impact on security relative to the amount of work they require to implement.