Build a secure enterprise WLAN
Got 200 access points to look after? Keep them secure with our nine-point plan.
By John Cox, Network World | Published: 00:00, 01 December 2003
In August, engineers with AirDefense, a wireless LAN security software vendor, made "war drives" in Atlanta, Chicago and San Francisco, using scanners to find WLAN access points around downtown office buildings.
The drivers discovered more than 1,100 access points. Of these, 57 percent weren't using any form of data encryption, although most of the actual data traffic in Chicago and San Francisco was encrypted by other means, such as VPN. Three-quarters of the access points were broadcasting their Service Set Identifier (SSID), which is like hiding in a game of hide-and-seek while carrying a boom box blaring heavy metal.
WLAN kit is insecure as it comes out of the box. But the final WLAN security system you create will hinge on what data you want to protect, how valuable it is and the level of risk to that data. Good WLAN security is expensive: in time, training, maintenance and oversight, as well as in hardware and software costs.
The following recommendations assume an enterprise WLAN of 150 to 500 access points, up to several hundreds of users and a relatively high requirement for protection. Read our introduction to wireless security issues for an overview.
1. Control the wireless clients.
Standardise the WLAN network interface cards (NICs), lock their configuration so users cannot change it, and register their media access control (MAC) addresses.
Create and enforce procedures and policies for promptly updating clients with software patches and security updates, and for blocking clients running out-of-date software.
Consider disabling NICs' ad hoc or peer-to-peer mode, which lets clients connect to each other without an access point. Attackers can use this feature to lure or force clients to associate with a rogue WLAN.
2. Treat the WLAN as you do the Internet - as untrusted.
Put a firewall between the WLAN and the wired network, and give the WLAN its own subnet so wireless clients share no broadcast domain with wired hosts. This barrier stops unauthenticated WLAN users from sending Layer 2 frames onto the wired network, for example as part of an Address Resolution Protocol (ARP) spoofing attack, in which forged ARP replies persuade two computers on your network to send their traffic through the attacker's machine, where it can be read or altered.
3. Protect the access points.
Conceal access points behind ceiling panels or in closets, and secure them to prevent tampering. At one university, someone pulled out the PC Cards from more than 100 access points and tried to sell them on eBay.
Make access points harder to find and harder to take over: change the factory default SSID and IP address settings, set strong administrative passwords, and turn off SSID broadcasting. Treat that last step as housekeeping rather than a security control, because a hidden SSID is still sent in the clear in probe and association frames as soon as a legitimate client joins, and any passive sniffer picks it up.
Turn on access control lists (ACLs) keyed on client MAC addresses, but do not count on them to keep a determined attacker out: MAC addresses travel unencrypted in every frame, and changing a NIC's address to match an authorised one is a one-line configuration change.
Select access points that use flash memory, to simplify future upgrades of security patches and of still-developing security standards.
Consider buying access points that let you create virtual LANs (VLAN). VLANs let you group users and give the groups access to different network resources. VLANs also let you separate management traffic from user traffic.
4. Prevent radio waves from "leaking" out of your site.
You can "shape" radio waves by replacing the standard omni-directional antenna with a directional antenna, especially on the edges of your site.
Another technique is to adjust the power levels of the radios. Using less power means the signal doesn't reach as far.
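As an added worked example (not part of the original article), here is the arithmetic behind the power-level advice, using the textbook log-distance path-loss model rather than any vendor's planning tool. The receiver sensitivity, antenna gain and path-loss exponents are assumed typical values, not measurements from any real site.

```python
"""Added example: how much does turning down transmit power shrink coverage?
Log-distance path-loss model: PL(d) = PL(d0) + 10*n*log10(d/d0), with d0 = 1 m.
All numbers below are assumed typical values, not measurements from a real site."""
import math

# Free-space loss at 1 m for 2.4 GHz (802.11b/g): 20*log10(f_MHz) - 27.55, f = 2437 MHz
PL_1M_DB = 20 * math.log10(2437) - 27.55   # about 40.2 dB

def max_range_m(tx_power_dbm, antenna_gain_dbi, rx_sensitivity_dbm, n, pl_1m_db=PL_1M_DB):
    """Distance (metres) at which the received signal falls to the receiver's sensitivity.
    n is the path-loss exponent: 2 in free space, roughly 3 to 4 inside a furnished office."""
    link_budget_db = tx_power_dbm + antenna_gain_dbi - rx_sensitivity_dbm
    return 10 ** ((link_budget_db - pl_1m_db) / (10 * n))

def range_ratio(power_cut_db, n):
    """Fraction of the original radius left after cutting transmit power by power_cut_db."""
    return 10 ** (-power_cut_db / (10 * n))

def power_cut_db(range_divisor, n):
    """Power reduction needed to divide the radius by range_divisor (2.0 halves it)."""
    return 10 * n * math.log10(range_divisor)

if __name__ == "__main__":
    for n in (2.0, 3.5):
        full = max_range_m(20, 2, -85, n)   # 100 mW radio, 2 dBi antenna, -85 dBm client
        cut = max_range_m(14, 2, -85, n)    # same radio turned down to 25 mW
        print(f"n={n}: {full:7.0f} m at 20 dBm, {cut:7.0f} m at 14 dBm "
              f"(ratio {range_ratio(6, n):.2f}); halving the radius needs a "
              f"{power_cut_db(2, n):.1f} dB cut")
```

In free space (n = 2) a 6 dB cut halves the radius, but indoors, with walls and furniture pushing the exponent nearer 3 to 4, the same cut shrinks the radius by only about a third, so plan the reduction against a site survey rather than the free-space figure. Remember too that an attacker with a high-gain antenna in the car park has a far better receiver than the laptop you surveyed with.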
5. Update NICs and access points with WPA, but don't rely solely on it.
Wi-Fi Protected Access (WPA), an interim security level before release of the upcoming IEEE 802.11i standard, fixes a number of problems in the original 802.11 encryption scheme called Wired Equivalent Privacy (WEP). See our feature here for more details.
Among other things, WPA supports 802.1x, which was originally created as an IEEE standard for port-based authentication on wired networks.
But WPA still drives the RC4 stream cipher that WEP used, wrapped in the Temporal Key Integrity Protocol (TKIP), which derives a fresh key for every packet and adds a message integrity check; the more powerful block ciphers, such as Triple-DES and, especially, the Advanced Encryption Standard (AES), are not yet in the picture. AES will be part of the 802.11i standard and likely will require new WLAN hardware revamped to handle the additional processing load.
Make sure the cipher scheme you choose encrypts the packet's payload, and remember that 802.11 encryption covers only the frame body: the source and destination MAC addresses in the header stay in the clear, whichever cipher you pick.
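To make the stream-cipher point concrete, here is an added example (written for this page, not code from the article or from any WLAN vendor) of the WEP failure that WPA's per-packet key mixing was designed to remove. RC4 is implemented inline, and the key, IV and two frames are constructed sample data, not taken from any capture.

```python
"""Added example: the keystream-reuse weakness WEP had and WPA's per-packet key mixing removes.
RC4 is implemented inline; the key, IV and frames are constructed sample data, not a capture."""
import math

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling, then the pseudo-random generation loop."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, static_key: bytes, payload: bytes) -> bytes:
    """WEP builds the per-packet RC4 key as IV || static key and XORs the keystream onto
    the frame body. (The CRC-32 integrity value WEP appends is omitted; it changes nothing here.)"""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return xor_bytes(payload, rc4_keystream(iv + static_key, len(payload)))

def recover_second_frame(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Two frames under the same IV share a keystream, so C1 XOR C2 = P1 XOR P2.
    Knowing P1 (a predictable header is enough) yields P2 with no key recovery at all."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)

def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: chance that at least one IV value repeats among `frames` random IVs."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))

# Constructed sample data.
STATIC_KEY = bytes.fromhex("0123456789")        # 40-bit WEP key shared by every client
IV = b"\x00\x00\x01"                             # the 24-bit IV that gets reused
FRAME_A = b"GET /index.html HTTP/1.0\r\n"        # plaintext an attacker can guess
FRAME_B = b"POST /login.cgi HTTP/1.0\r\n"        # the frame the attacker wants (same length)

def demo() -> bytes:
    """Encrypt both frames under the same IV and recover FRAME_B from the ciphertexts alone."""
    cipher_a = wep_encrypt(IV, STATIC_KEY, FRAME_A)
    cipher_b = wep_encrypt(IV, STATIC_KEY, FRAME_B)
    return recover_second_frame(cipher_a, cipher_b, FRAME_A)

if __name__ == "__main__":
    print(demo())
    print(f"P(IV repeat) after 5000 frames: {iv_collision_probability(5000):.2f}")
```

With only 2^24 IV values and a static key, a busy access point repeats an IV within a few thousand frames, which is the point of the birthday calculation. TKIP replaces the 24-bit IV with a 48-bit sequence counter and mixes that counter and the temporal key into a fresh RC4 key for every packet, so the keystream does not repeat within the key's lifetime; 802.11i's AES-based CCMP drops RC4 altogether.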
6. Use a VPN.
VPNs, with IP Security (IPSec) or Secure Sockets Layer (SSL) encryption, are still widely seen as the best protection, although there are an array of limitations: handling only IP traffic and not AppleTalk or IPX or other protocols, installing code on client devices (for IPSec VPNs), forcing users to reauthenticate when moving between access points, bandwidth-intensive operation, administrative overhead, and greater complexity as the size of the WLAN grows.
But VPNs are well understood and are often already part of the enterprise for remote access. They create secure, end-to-end encryption, authentication (often via RADIUS servers) and access control.
7. Complement the VPN with a third-party wireless security controller.
On the market for about two years, security gateways solve some of the problems of using VPNs for WLANs. Many incorporate firewalls and VPN termination, support roaming among access points and across subnet boundaries, and centralize security administration.
Controllers can run an array of encryption and authentication schemes, and vendors are adding in the emerging standards such as 802.1x and one or more of the Extensible Authentication Protocol (EAP) methods that 802.1x can support.
A range of these security features are also found in WLAN "switches", devices that combine a centralised box - which applies to WLAN traffic the management, control and provisioning features found in wire-line switches - with companion, highly simplified wireless access points. (See our discussion of wireless architectures).
8. Plan for 802.1x authentication.
VPNs for WLANs will be supplanted by the gradual implementation of 802.1x authentication and the other elements in the IEEE 802.11i standard, such as better encryption, and management and distribution of encryption keys.
But some early adopters of 802.1x are running into problems: overloading the processing power of the access points, complicated troubleshooting, and lack of 802.1x support in various client operating systems and NICs. Their experiences suggest that 802.1x implementations will be gradual as vendors work out the kinks.
Within 802.1x, you have several EAP methods from which to choose. For all-Cisco or all-Microsoft shops, it makes sense to go with Protected EAP (PEAP), jointly authored by Cisco, Microsoft and RSA Security.
Methods such as EAP-Transport Layer Security (EAP-TLS) require digital certificates on clients and servers, and the complexity of the attendant public-key infrastructure. Others, such as EAP-Tunneled Transport Layer Security (EAP-TTLS) and PEAP, are designed not to require client certificates: the client first opens a TLS tunnel to the authentication server, which proves its identity with a certificate, and the user then authenticates inside that tunnel with the same username/password they use to access the wired LAN.
Stick with a method that supports mutual, or two-way, authentication, to prevent man-in-the-middle attacks, and make sure clients actually enforce it: with PEAP or EAP-TTLS, a client that does not check the server certificate against a trusted CA and the expected server name will hand its credentials to a rogue access point fronting the attacker's own authentication server.
9. Monitor the network.
A growing number of analysers and monitors let you examine WLAN radio traffic, discover unauthorized access points, block or disconnect clients as needed, and detect intruders. Some products are Ethernet sniffers adapted to handle WLAN packets, others are specifically designed for WLANs. Vendors include AirDefense, AirMagnet, Finisar, Network Associates, WildPackets and YellowJacket.
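Added example, not from the article or from any of the products named above: the inventory comparison at the heart of such a monitor, in Python. It also computes the war-drive statistic from the opening paragraphs. The inventory, SSIDs, BSSIDs and scan results are all constructed sample data, and the observations are given as already-parsed beacon fields rather than raw 802.11 frames.

```python
"""Added example: the inventory comparison at the heart of a WLAN monitor.
Every BSSID, SSID and observation below is constructed sample data."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    """Fields a scanner pulls from an 802.11 beacon frame."""
    bssid: str            # MAC address of the transmitting radio
    ssid: str             # advertised network name ("" when broadcast is turned off)
    channel: int
    privacy: bool         # capability "Privacy" bit: WEP or WPA is in use
    ibss: bool = False    # True for an ad hoc (peer-to-peer) network

# Authorised access points as the WLAN team records them: bssid -> (ssid, channel).
INVENTORY = {
    "00:0b:86:aa:00:01": ("corp-wlan", 1),
    "00:0b:86:aa:00:02": ("corp-wlan", 6),
    "00:0b:86:aa:00:03": ("corp-wlan", 11),
}
CORPORATE_SSIDS = {"corp-wlan"}

# One sweep's worth of beacons seen by a sensor (constructed).
OBSERVED = [
    Beacon("00:0b:86:aa:00:01", "corp-wlan", 1, True),
    Beacon("00:0b:86:aa:00:02", "corp-wlan", 6, False),        # someone reset it to open
    Beacon("00:0b:86:aa:00:03", "corp-wlan", 11, True),
    Beacon("00:40:96:bb:ff:10", "corp-wlan", 6, True),         # our SSID, not our radio
    Beacon("00:02:2d:cc:12:34", "linksys", 11, False),         # a user's own AP, open
    Beacon("02:0c:29:dd:00:01", "freewifi", 1, False, True),   # laptop in ad hoc mode
]

def classify(beacon, inventory, corporate_ssids):
    """Return the policy violations for one beacon (empty list if it is fine)."""
    if beacon.ibss:
        return ["ad hoc network in range"]
    expected = inventory.get(beacon.bssid)
    findings = []
    if expected is None:
        if beacon.ssid in corporate_ssids:
            findings.append("unknown BSSID advertising corporate SSID (possible evil twin)")
        else:
            findings.append("unauthorised access point")
        if not beacon.privacy:
            findings.append("no encryption")
        return findings
    ssid, channel = expected
    if beacon.ssid != ssid:
        findings.append(f"SSID changed from {ssid!r}")
    if beacon.channel != channel:
        findings.append(f"channel changed from {channel}")
    if not beacon.privacy:
        findings.append("authorised AP with encryption disabled")
    return findings

def audit(observed, inventory=INVENTORY, corporate_ssids=CORPORATE_SSIDS):
    """Map each offending BSSID to its findings."""
    report = {}
    for beacon in observed:
        findings = classify(beacon, inventory, corporate_ssids)
        if findings:
            report[beacon.bssid] = findings
    return report

def missing(observed, inventory=INVENTORY):
    """Inventory radios that sent no beacon: down, unplugged, or stolen."""
    return set(inventory) - {b.bssid for b in observed}

def unencrypted_fraction(observed):
    """The war-drive statistic: share of access points (ad hoc excluded) without the privacy bit."""
    aps = [b for b in observed if not b.ibss]
    return sum(1 for b in aps if not b.privacy) / len(aps)

if __name__ == "__main__":
    for bssid, findings in audit(OBSERVED).items():
        print(bssid, "->", "; ".join(findings))
    print("missing:", missing(OBSERVED) or "none")
    print(f"unencrypted: {unencrypted_fraction(OBSERVED):.0%}")
```

A BSSID is just a MAC address and can be spoofed like any other, so an attacker can clone an authorised radio outright; the commercial monitors add signal strength, sensor location and timing to catch that, and correlate the wired side (is the rogue's uplink plugged into one of your switch ports?) before anyone goes looking behind ceiling tiles.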