WLAN security: Users face complex challenges

Best practices in WLAN security hinge on your specific security needs and the technologies you choose to satisfy those needs.

Not long ago, the complaint heard about wireless LAN security was that there wasn’t enough of it. Now there’s almost too much.

Network executives today face a bewildering number of approaches to solve what’s been a consistent hot-button issue for them. As a result, once you get past some basic recommendations, best practices in WLAN security hinge on your specific security needs and the technologies you choose to satisfy those needs.

“The right question to ask is not ‘which one’ [of these security products to choose], but ‘how do I best meet my specific security needs?'” says Brian Mansfield, founder of The Mansfield Group, a consulting and training company specializing in WLAN security. “It becomes obvious to these decision makers that there is no one good solution. Each of them has their pluses and minuses.”

WLAN security adds a level of complexity to corporate networks. “The security skill sets [for companies] are more and more critical today than ever before,” says Tim Stettheimer, CIO for St. Vincent’s Hospital, a 338-bed hospital in Birmingham, Ala., which has a site-wide WLAN of about 170 access points.

“You have to be extremely aware of what your network is designed to be and [then] design your [wireless] security to correspond to that,” he says. “This is one of the most complex issues in IT today.”

Wireless experts and network managers quickly can run off a basic set of routine, low-level steps to help secure WLANs. These typically include:

• Turning on basic Wired Equivalent Privacy (WEP) encryption for all access points.

• Create a list of media access control (MAC) addresses that are allowed to access the WLAN.

• Use a dynamic encryption key exchange method as implemented by various security vendors.

• Keep software and patches on access points and clients up to date.

• Create access point passwords that can’t be guessed easily.

• Change the Service Set Identifier on the access point, and block the SSID broadcast feature.

• Minimize radio-wave leakage outside your building through access point placement and antenna selection.

Even this basic group of security practices isn’t set in stone. MAC address access lists quickly become unmanageable, as WLANs grow beyond a few score of access points. Vendor-specific dynamic key exchange methods typically bring a set of trade-offs that you need to weigh before buying into that vendor’s products, such as what client operating systems are supported.

Keeping software up to date on access points means you already have such a program in place for your computers and network gear. The WLAN devices become incorporated into that existing security defense.

Wireless security practices need to fit with existing enterprise security architectures, even as they address unique issues: securing radio transmissions or handing off authentication and access privileges as a user moves among different access points.

As Microsoft began deploying its internal WLAN last year, one of the corporate mandates was for wireless security to be based on Microsoft’s public-key infrastructure (PKI). PKI is a set of security services for authentication, encryption and digital certificate management. “PKI is a significant investment,” says Don Berry, senior network engineer with Microsoft’s operations and technology group.

To use PKI, a laptop user powers up the wireless network interface card, which associates to a closed port on a nearby access point. Before being allowed onto the network, the user is authenticated via a RADIUS server and domain controllers. Only then does the access point open a port to the network.

Microsoft first deployed WEP encryption, even though engineers knew WEP was not a long-term solution. Microsoft worked with Cisco to burn or load the WEP keys into the adapter card firmware, to minimize the number of people who could have access to them.

Then the operations group began working with Microsoft’s representatives at IEEE, where a working group was drafting the 802.1x port-based authentication standard, which uses the Extensible Authentication Protocol (EAP) framework. They also began working with Cisco to create a specific EAP method called Protected EAP (PEAP); and with the Windows development group to incorporate these into the Windows XP operating system.

Not everyone enjoys these kinds of resources and partnerships, Berry points out, not to mention what he called the “pure, homogeneous desktop [and laptop] environment.”

As in many other large deployments, Microsoft’s best practices reflect the idea of defense for WLANs. “We scan every MAC address every 30 minutes,” Berry says. The data is dumped into a database for analysis. If an unauthorized address is found, the port it’s using is shut down automatically.

St. Vincent’s blends routine low-level practices such as blocking SSID broadcasts, coupled with practices such as regular perimeter checks of the airwaves using Fluke Networks’ OptiView network analyzer. This handheld device analyzes radio waves, and can detect unauthorized access points for clients. Data can be transferred for storage and analysis to a companion program running on a Windows PC.

The hospital uses Wavelink’s Mobile Manager software for administering WLANs. The software can detect any change in an access point’s configuration. “The software compares the required configuration with what’s actually there,” Stettheimer says. “MobileManager will change it automatically to match what it should be. Then it sends an alert to the administrator.”

Wireless authentication relies on the hospital’s existing RADIUS servers. But St. Vincent’s has taken this a step further, marrying authentication with virtual LANs (VLAN). VLANs group clients logically, based on criteria such as department, type of user or application, on top of a physical network infrastructure. “Once you are authenticated to the RADIUS servers, the access point associates your wireless card with a virtual LAN,” Stettheimer says. By doing so, users logging on, in effect, inherit a given set of network services, resources, access privileges and so on.

“The security trend now is to segment your user groups, and then apply [to the group] specific security technologies that are appropriate to each group,” Mansfield says.

According to Mansfield, security practices in corporations tend to be coalescing around products from a fast-growing and young group of vendors. They include products from security controller companies such as Bluesocket, ReefEdge and Vernier Networks, to new WLAN switch builders, such as Airespace, Aruba Wireless Networks, Trapeze Networks and Vivato, and VPN vendors such as Columbitech and Ecutel that focus on wireless networks.

But security practices will have to be thought out in terms of the trade-offs that each product brings with it. “Some of these products have very dense feature sets,” Mansfield says. “Others are designed to plug in [to a WLAN] and be set up quickly, but their functionality is much more limited.”

As a result, wireless security practices will have to take into account things such as how much user interaction is needed, what tech support resources are needed, what is the compatibility between different types of EAP methods, and how does authentication via 802.1x with vendor-specific VPN authentication schemes compare.

Some users welcome the possible end of what one called “frankenparts” – cobbling together a security architecture and a set of best practices based on products from several vendors. But others see the multiplicity of choices as a benefit. The numerous choices compel a systematic security approach that uses existing resources while being flexible enough to meet new standards.