A Guide to Wireless Network Security
By Mitchell Ashley
Volume 3, 2004
Organizations of all sizes are installing and operating wireless networks, known as wireless local area networks (WLANs) or Wi-Fi networks. Low cost, ease of installation, flexibility—these are the benefits that are propelling the widespread adoption of wireless technology.
While the benefits of WLANs are substantial, wireless technology introduces security holes that security administrators must take into account if they are to adequately protect their organizations from hackers, cyberterrorists and unauthorized intruders. Wireless networks are notoriously easy to compromise when improperly installed and operated. Once compromised, a WLAN gives intruders an open conduit to an entire network and places all its proprietary and mission-critical information in jeopardy.
Wireless security is not impossible to achieve, nor does it necessarily have to impose an additional management burden on IT staff. In fact, when a comprehensive, layered-security approach is implemented, a WLAN can be more secure and easier to use and manage than a typical wired network.
Wireless Networking Basics
WLANs provide the same connectivity to business resources as wired networks. Instead of establishing a connection through a network cable, WLANs move data using radio frequency (RF) transmissions. Practically speaking, a wireless connection operates like an additional hub on a network.
In place of a direct cable connection between the network and a client, wireless networks employ wireless access points (WAPs) that are physically connected to the network, and wireless network interface cards (NICs) that are installed in each client device, such as a laptop computer or a PDA. WAPs and wireless NICs send and receive RF transmissions, collectively establishing the wireless link. WLANs generally operate at speeds similar to wired networks, although performance can vary.
Each WAP installed on a network broadcasts a signal that emanates in an omnidirectional pattern. Most commercially available models have a range of from a few dozen feet to one mile or more. RF signals are relatively unimpeded by physical structures such as walls, ceilings or windows, so WAP signals can be picked up some distance away from the buildings in which they originate. A single WAP can handle traffic from any number of wireless client devices operating within its broadcast area.
Wireless Advantages
The operational characteristics described give rise to a number of advantages that are driving wireless technology's growing popularity. These advantages include:
- Increased productivity and flexibility—Wireless users can move throughout the coverage area, from offices to conference rooms, from the lunch room to the shop floor, without disconnecting from the network. A study conducted by NOP World, a global market research company, found that wireless users stay connected to the network an average of 1.75 hours longer per day, which translates roughly to a 20 percent increase in productivity.
- Ease of installation—A WLAN could be operational in a matter of hours, whereas a wired network might take days or weeks to install.
- Cost—WLANs can be installed more economically than wired LANs. On average, adding users to a wired LAN costs approximately US $130 per connection, so extending coverage to new office space for 50 users would cost about US $6,500. The same space could be covered by a single WAP (US $150) and 50 NICs (US $60 per card) for a total cost of approximately US $3,150.
Wireless Drawbacks
The same characteristics that make WLANs attractive also create a number of serious—and potentially catastrophic—disadvantages, including:
- No physical control over network connections
- Weak built-in security measures
- Security complacency
- Unmonitored, untrusted connection to network core
To maximize the efficiency and productivity gains promised by the technology, WLANs typically provide access to the same high-level network resources that are accessed through wired connections. The crucial difference is control. Wired LAN clients can be meticulously controlled, as they require a direct physical connection to the network; users need to be physically inside the building and/or pass through standard perimeter security measures (i.e., receptionist, building security) to access the network.
This physical control is absent with a WLAN, and, as a result, crucial network and information assets are at a much higher level of exposure. Where external traffic entering a wired network is policed by a firewall and intrusion prevention system, most WLANs contain no such traffic control measures. A simple example illustrates this point: a hacker attempting to break into a network could sit in his car across the street and tap the signals being broadcast by a WAP located in the building. He need only crack the wireless encryption codes—that is, if encryption measures are activated—to obtain free run of the network.
WAPs contain built-in security measures that afford minimal protection. These common measures include:
- Wired Equivalent Privacy (WEP) encryption—WEP is the encryption standard for wireless transmissions and requires the WAP and the wireless NICs to be configured with a shared passphrase, which can be a labor-intensive activity when managed for maximum protection. Additionally, WEP can be cracked relatively easily—within a few minutes—using common, open source hacking tools.
- Service set identifiers (SSIDs)—An SSID is essentially a shared identifier common to all the devices on a WLAN. Without an SSID, a client cannot establish a connection to the WAP. Changing the SSID on a regular basis (a recommended best practice) requires manually configuring each device, which becomes unmanageable with larger systems. As with WEP, hackers can obtain the network SSID with minimal effort.
It is standard practice for wireless equipment manufacturers to sell wireless equipment without any of the security features enabled. Many organizations fail to activate these basic security measures, thereby exposing the information assets on their network to anybody with a wireless NIC.
Because WLAN technology brings significant flexibility advantages and provides a high level of performance, many administrators and decision makers have a high degree of confidence in the technology. The advantages tend to mask the disadvantages. The manufacturers' claims that their devices are "secure" with WEP and SSID features are taken at face value, and WLANs are deployed and operated with little or no security in place.
The Secure Wireless Network Paradigm
Their ease of use and productivity benefits have allowed unsecured wireless networks to slip under the wire of good network security practices. The tendency has been to utilize wireless network technology to extend the network beyond the physical ports of the secure LAN. WLANs are mistakenly considered secure, since they are protected behind the firewall from insecure Internet traffic. The problem is that WLANs provide additional entry points for attack into the network. As discussed previously, physical access through a wireless network is even easier than through a connection to the Internet; intruders can attack a network from outside of the building.
Adequate wireless security requires that departments change how they treat and secure wireless networks. The secure wireless network paradigm demands that WLANs be treated as unsecured networks requiring best security practice measures for access, authentication and encryption. As with all network security best practices, a layered approach provides the best protection.
Layered Security for Wireless Networks
A layered approach to wireless security can provide a high degree of protection and leverage existing network security investments. The layered approach consists of the following four levels:
- Wireless deployment and policy
- Wireless access control
- Perimeter security
- Application security
When implemented, as discussed below, the layered approach can make a WLAN more secure than a typical wired network by centralizing points of access, implementing manageable device-level security and governing internal access with firewall-level policies.
Security professionals speak in terms of work factor, which is an important concept when implementing layered security. A network with a high work factor is difficult to break into, while a network with a low work factor can be compromised more easily. If hackers determine that the network has a high work factor, which is inherent in the layered approach, they will soon move on to those that are less secure.
Level 1—Wireless Deployment and Policy
Best practices for wireless deployment and policy are:
- Deploy the minimum number of WAPs needed for adequate coverage.
- Set WAP broadcast power to the lowest practical level.
- Verify broadcast coverage in and around facility.
- Maintain policies for:
  - Installation of WAPs
  - NIC operational mode
  - WLAN user-group access, including employees, visitors and contractors
The physical deployment of wireless networking devices is the foundation on which a secure environment is created. The basic rule of thumb is not to overdesign the wireless network. The goal is to avoid broadcasting where it is not necessary. When designing the network, consider who is accessing the WLAN, where they are located and what the minimum coverage requirements are. Using common sense is also helpful. For example, four WAPs should not be installed in a space where one would suffice, nor should WAPs be installed in areas that do not need access to the network, such as the building entrance waiting room. More is not necessarily better.
The broadcast power level on most WAPs can be adjusted, and it should be turned down to the minimum required for adequate coverage. (Note: the broadcast power level will not affect the quality of the connection or the speed at which data are transferred.) The facility should be physically checked to see how far the WLAN coverage extends, and then the WAP location and settings can be changed accordingly.
The security policy should be updated regarding the installation and use of wireless network equipment. It is easy for an employee to purchase a WAP, install it without the proper security features enabled and open the entire network to uninvited guests. All installed WAPs should be known and inspected regularly for unauthorized, or rogue, wireless network devices.
Wireless NICs can be set to one of two operational modes—infrastructure mode, which allows the NIC to communicate only with a WAP, and ad hoc mode, which allows the NIC to communicate with any wireless device, such as other NICs. A policy should exist requiring NICs to operate in infrastructure mode only. Devices in ad hoc mode can be readily exploited by hackers.
Consideration must be given to who might be accessing the WLAN, and policies and permissions that govern access must be developed accordingly. Are there different classes of users among employees, such as those that need only general access (e.g., e-mail and Internet) and those that require deeper levels of access (e.g., ERP systems or IT administrative functions)? Are there employees who do not require wireless access at all? Allowing wireless access to all throughout the organization can create an unmanageable security environment. Configuring, tracking and controlling hundreds of devices can place a substantial burden on the IT department, and potentially disastrous vulnerabilities can be created when wireless clients are lost or stolen.
Access policies must be established for other potential WLAN users, such as contractors and visitors. If wireless network access is allowed, what permissions are required before these users gain access through the wireless network?
Level 2—Wireless Access Control
Best practices for wireless access control include:
- Configure the WEP for the highest level of encryption.
- Change the SSID regularly, where practical.
- Do not broadcast the SSID.
- Verify the media access control (MAC) address upon device connection.
- Maintain and enforce access policies for unauthorized/unrecognized devices.
In practice, access control has two components: device access control and user authentication (personnel access control). Level 2 is concerned with device access, while user authentication is addressed in Level 3, perimeter security.
It is crucial that the security measures, such as WEP and SSID, that are built into wireless network devices are properly configured and managed. The WAP must be configured not to broadcast the SSID, and the SSID should be changed regularly, if practical. Also, the WEP should be set to the highest level of encryption (typically 128- or 256-bit encryption), and the passphrase should be changed regularly, which may or may not be practical depending on the size of the network. Although WEP and SSID are insufficient to secure the network when used by themselves, they can increase the intruders' work factor when used in concert with the other measures in the layered-security approach.
Each wireless NIC has a unique MAC address. This unique address allows one to verify that a client device logging onto the network is authorized for WLAN access. MAC verification helps identify any rogue devices attached or connecting to a WLAN. Security products, such as StillSecure Border Guard Wireless intrusion prevention system, automate the MAC address verification process. Using such systems, one can automatically terminate or restrict any WLAN connections involving unauthorized or unrecognized MAC addresses.
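The two inventory checks described in this level and in the Level 1 policy discussion (verifying client MAC addresses on connection, and inspecting the facility for rogue WAPs) can be automated from a WAP's association log and a site-survey scan. The following is an added example, not part of the original article or of any StillSecure product; the inventory lists, the log format and the survey output are constructed sample data, and the field names (`sta=`, `ssid=`, `bssid=`) are assumptions for this example.

```python
# Added example (not from the article): inventory checks for a WLAN segment.
# It flags client MACs that are not in the authorised-device list and access
# points seen in a site survey whose BSSID is not a known, IT-installed WAP.
# All inventory data, log lines and survey output below are constructed.
import re

# Constructed inventory: authorised client NICs and the WAPs IT installed.
AUTHORISED_CLIENT_MACS = {
    "00:0c:29:4a:1b:2c",  # laptop, finance
    "00:0c:29:7d:8e:9f",  # laptop, engineering
    "00:50:56:11:22:33",  # handheld, warehouse
}
KNOWN_WAPS = {
    "00:1a:2b:3c:4d:01": "CorpNet",  # WAP-1, 2nd floor
    "00:1a:2b:3c:4d:02": "CorpNet",  # WAP-2, 3rd floor
}

# Constructed association log, one line per client join, in a syslog-like
# format assumed for this example.
ASSOC_LOG = """\
Mar 12 09:01:07 wap-1 assoc: sta=00:0c:29:4a:1b:2c ssid=CorpNet
Mar 12 09:03:19 wap-2 assoc: sta=00:0c:29:7d:8e:9f ssid=CorpNet
Mar 12 09:04:42 wap-1 assoc: sta=00:0C:29:4A:1B:2C ssid=CorpNet
Mar 12 09:10:55 wap-2 assoc: sta=00:11:22:33:44:55 ssid=CorpNet
"""

# Constructed site-survey output: what a scan from inside the building saw.
SURVEY = """\
bssid=00:1a:2b:3c:4d:01 ssid=CorpNet channel=1 signal=-41
bssid=00:1a:2b:3c:4d:02 ssid=CorpNet channel=6 signal=-55
bssid=00:1a:2b:3c:4d:02 ssid=CorpNet channel=6 signal=-57
bssid=00:90:4c:aa:bb:cc ssid=CorpNet channel=11 signal=-38
bssid=00:e0:4c:de:ad:01 ssid=linksys channel=6 signal=-70
"""

MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")
ASSOC_RE = re.compile(r"sta=(?P<mac>\S+) ssid=(?P<ssid>\S+)")
SURVEY_RE = re.compile(r"bssid=(?P<bssid>\S+) ssid=(?P<ssid>\S+) channel=(?P<ch>\d+)")


def normalise_mac(mac: str) -> str:
    """Canonicalise a MAC so 00:0C:29-... and 00:0c:29:... compare equal."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.fullmatch(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac


def unauthorised_clients(log_text: str) -> list:
    """Return (line, mac) for every association whose MAC is not authorised."""
    findings = []
    for line in log_text.splitlines():
        m = ASSOC_RE.search(line)
        if not m:
            continue  # not an association record; ignore
        mac = normalise_mac(m.group("mac"))
        if mac not in AUTHORISED_CLIENT_MACS:
            findings.append((line, mac))
    return findings


def rogue_access_points(survey_text: str) -> list:
    """Return sorted (bssid, ssid, channel) triples for APs not in the WAP inventory.

    An unknown BSSID advertising the corporate SSID is the most serious case,
    since clients may associate with it believing it is a company WAP.
    """
    seen = set()
    for line in survey_text.splitlines():
        m = SURVEY_RE.search(line)
        if not m:
            continue
        bssid = normalise_mac(m.group("bssid"))
        if bssid not in KNOWN_WAPS:
            seen.add((bssid, m.group("ssid"), int(m.group("ch"))))
    return sorted(seen)


if __name__ == "__main__":
    for line, mac in unauthorised_clients(ASSOC_LOG):
        print("UNAUTHORISED CLIENT", mac, "|", line)
    for bssid, ssid, ch in rogue_access_points(SURVEY):
        print("ROGUE AP", bssid, ssid, "channel", ch)
```

Run against the constructed data, the client check reports the one association from `00:11:22:33:44:55`, and the survey check reports two unknown BSSIDs, one of which is advertising the corporate SSID. A MAC address can be copied onto another NIC, so this check raises the work factor and surfaces rogue devices; it is not a substitute for the user authentication performed in Level 3.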
Level 3—Perimeter Security
Best practices for perimeter security include:
- Install an intrusion prevention system (IPS) and wireless firewall on WLAN.
- Encrypt WLAN traffic using a virtual private network (VPN).
- Direct all traffic through the VPN server and configure clients appropriately.
- Maintain and enforce VPN routing and access policies.
- Maintain and enforce access policies for user authentication (i.e., username/password).
IPSs monitor network traffic and can automatically terminate suspicious or potentially malicious traffic in real time before any damage occurs. When installed on the WLAN, they provide a much more sophisticated level of protection compared to a traditional firewall. IPSs operate by comparing each data packet to a database of known attack signatures and anomalous traffic patterns. An advanced IPS, such as Border Guard Wireless, can respond to suspicious traffic dynamically with a variety of options, such as terminating the connection, issuing alerts and notifying administrators, or allowing the traffic to pass through.
The WLAN is potentially an untrusted entry point into the network; therefore, a wireless firewall is also required to prevent unauthorized traffic from gaining access. Wireless networks are susceptible to the same arsenal of attacks that are directed against wired networks. Installing an IPS and wireless firewall on a WLAN prohibits these attacks from accessing a network through its wireless gateway.
VPN technology provides a method for securing traffic that moves across untrusted network segments, such as the Internet or the WLAN. A VPN is essentially an extension of a private network that encompasses encapsulated, encrypted and authenticated connections. VPN encryption algorithms are complex and extremely difficult to compromise. VPN connections should be required for all WLAN traffic. Implementing VPN for a wireless network entails deploying a VPN server on the network and configuring all WLAN clients to communicate through a VPN tunnel terminated on this server. Authentication for the VPN is performed against the user information in a RADIUS, LDAP or Windows Active Directory. Additional routing and access policies can then be applied for all VPN traffic terminating on the VPN server, providing additional control over network traffic originating from wireless endpoints.
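The perimeter rules above (a wireless firewall between the WLAN and the core, all WLAN traffic forced through the VPN server, and an IPS that terminates connections that keep misbehaving) can be expressed as a small policy evaluator. The following is an added example, not the article's own material and not a description of Border Guard Wireless or any other product. The subnet, the VPN server address, the gateway services and the packet trace are constructed for this example; the IPsec ports (UDP 500 for IKE, UDP 4500 for NAT traversal, IP protocol 50 for ESP) are real.

```python
# Added example (not from the article): a policy evaluator for the gateway
# between a WLAN segment and the wired core.  It applies the Level 3 rule that
# wireless clients may talk only to the VPN server (so all traffic is forced
# through the tunnel) plus the gateway's own DHCP/DNS, and adds a simple
# IPS-style response: a client that keeps violating the policy is blocked.
# Addresses and the packet trace are constructed for this example.
from collections import Counter
from ipaddress import ip_address, ip_network

WLAN_SUBNET = ip_network("10.50.0.0/24")     # constructed: wireless client range
VPN_SERVER = ip_address("10.1.0.10")          # constructed: VPN server on the wired side
LOCAL_SERVICES = ip_address("10.50.0.1")      # constructed: the WLAN gateway itself

# (protocol, destination port) pairs an IPsec VPN needs to establish and carry
# the tunnel.  Protocol 50 (ESP) has no port, so None matches any port.
ALLOWED_TO_VPN = {("udp", 500), ("udp", 4500), ("esp", None)}
# DHCP and DNS on the gateway, needed before the tunnel is up.
ALLOWED_TO_GATEWAY = {("udp", 67), ("udp", 53)}

VIOLATION_THRESHOLD = 3  # denied packets before a client is blocked outright


def evaluate(packet: dict) -> str:
    """Return 'allow' or 'deny' for one packet {src, dst, proto, dport}."""
    src = ip_address(packet["src"])
    dst = ip_address(packet["dst"])
    if src not in WLAN_SUBNET:
        return "allow"  # not wireless-originated; the wired policy handles it
    key = (packet["proto"], packet.get("dport"))
    key_any_port = (packet["proto"], None)
    if dst == VPN_SERVER and (key in ALLOWED_TO_VPN or key_any_port in ALLOWED_TO_VPN):
        return "allow"
    if dst == LOCAL_SERVICES and key in ALLOWED_TO_GATEWAY:
        return "allow"
    return "deny"  # everything else must go through the tunnel


def run_policy(packets: list) -> tuple:
    """Evaluate a trace in order.  Returns (decisions, blocked_hosts).

    Once a source exceeds VIOLATION_THRESHOLD denied packets, all of its
    further traffic is reported as 'blocked' -- the 'terminate' response an
    IPS would apply, rather than dropping packets one by one.
    """
    violations = Counter()
    blocked = set()
    decisions = []
    for p in packets:
        if p["src"] in blocked:
            decisions.append("blocked")
            continue
        decision = evaluate(p)
        if decision == "deny":
            violations[p["src"]] += 1
            if violations[p["src"]] >= VIOLATION_THRESHOLD:
                blocked.add(p["src"])
        decisions.append(decision)
    return decisions, blocked


# Constructed trace: one client bringing up its tunnel correctly, then one
# client repeatedly trying to reach internal servers directly, bypassing the VPN.
TRACE = [
    {"src": "10.50.0.20", "dst": "10.50.0.1", "proto": "udp", "dport": 67},
    {"src": "10.50.0.20", "dst": "10.50.0.1", "proto": "udp", "dport": 53},
    {"src": "10.50.0.20", "dst": "10.1.0.10", "proto": "udp", "dport": 500},
    {"src": "10.50.0.20", "dst": "10.1.0.10", "proto": "esp"},
    {"src": "10.50.0.77", "dst": "10.1.0.25", "proto": "tcp", "dport": 445},
    {"src": "10.50.0.77", "dst": "10.1.0.25", "proto": "tcp", "dport": 80},
    {"src": "10.50.0.77", "dst": "10.1.0.30", "proto": "tcp", "dport": 3389},
    {"src": "10.50.0.77", "dst": "10.1.0.10", "proto": "udp", "dport": 500},
]

if __name__ == "__main__":
    decisions, blocked = run_policy(TRACE)
    for p, d in zip(TRACE, decisions):
        print(f"{d:8} {p['src']} -> {p['dst']} {p['proto']}/{p.get('dport', '-')}")
    print("blocked hosts:", sorted(blocked))
```

On the constructed trace the first client's four packets are allowed, the second client's three direct connection attempts are denied, and its fourth packet is reported as blocked even though, taken alone, an IKE packet to the VPN server would have been permitted. That last point is the difference between a firewall and an IPS as the article describes them: the firewall decides packet by packet, while the IPS response acts on the connection or host once a pattern has been recognised.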
Level 4—Application Security
Best practices for application security include:
- Implement an application-level user authentication system.
- Maintain and enforce permissions and password policies.
- Install vendor patches as they become available.
Activating basic security measures at the application level on the network is a recommended best practice, irrespective of the wired/wireless nature of connectivity. Protecting network applications, such as Windows NT, PeopleSoft and other enterprise systems, with rigorous password policies and permissions provides one final hurdle that hackers must overcome to gain access to the proprietary information.
It is imperative to install application patches as they are released. Patches frequently address known security vulnerabilities. Most network breaches exploit such vulnerabilities and are the primary reason signature-based IPSs are an indispensable component of a comprehensive network security program.
Conclusion
The many advantages of wireless networks must be weighed against the considerable risk the technology introduces when implemented without appropriate security measures. Without such measures, WLANs can expose an enterprise's key assets; proprietary information and intellectual property are readily accessible to hackers or anyone else with malicious intent. By adopting a layered approach to wireless network security, which includes proper deployment and policies, access control, perimeter defense and application-level security, the WLAN and assets on the network are protected.
Mitchell Ashley is vice president of engineering and CIO of StillSecure. Ashley is responsible for the product strategy and development of the StillSecure suite of network security software. He has more than 20 years of experience in data networking, network security and software development. Prior to joining StillSecure, he was vice president of engineering and CIO at Jato Communications, where he directed the design and build-out of secure access data networks, information systems and managed customer service operations. Ashley has also held leading positions in the industry as a cofounder of BoldTech Systems, a Denver-based distributed applications consulting firm. With US West Advanced Technologies, he led the creation of interactive video, entertainment and data network applications. Ashley also worked with Electronic Data Systems, where he designed and built scalable, integrated systems in the banking and telecommunications industries.