Securing Wireless Local Area Networks - White Paper
Securing Wireless Local Area Networks
A VeriSign/Soltrus White Paper

CONTENTS

  • Introduction
  • Why wireless?
  • Types of wireless networks
  • The “catch” is…
  • How we connected, before
  • How we (and the bad guys) connect now… without wires
  • It’s not safe at home, anymore
  • Ubiquitous… and anonymous
  • WEP: “Weaker than Ever Protection”
  • How to deploy secure WLANs
  • The details of implementing WLAN security
  • Summary
Introduction

If the 1980s was the “decade of the LAN” and the 1990s was the “decade of the Internet”, future historians may look back on the first decade of the 21st Century as the “decade of Wireless Networking”. Although wireless LANs (“WLANs”, for short) are proliferating rapidly nowadays, this technology is scarcely ever discussed without mention of security concerns.

If your organization is planning to deploy a WLAN – or has already done so – you should know the facts surrounding wireless networks so you can use your WLAN in a secure manner. This document will give a brief description of what wireless LANs are and how the security concerns with them compare with those of conventional computer networks, and will detail some practical steps your organization can use to deploy fully trustworthy WLANs. It is aimed at readers with some prior knowledge of computer networking concepts, but anyone interested in wireless networking security will benefit by reading this White Paper.

Why wireless?

The cost-effectiveness and flexibility of the wireless LANs of the 21st Century, as an alternative to traditional wired networks, are ideal for mobile workers. They allow access to real-time information and corporate resources almost anywhere a mobile worker may be located, and with the growing popularity of wireless “hotspots”, mobile workers can now connect to the Internet at airports, hotels, restaurants, and other public places. Within the last few years, access speeds for WLANs have started to approach those available for conventional wireline networks, making use of wireless networking practical for mainstream business and consumer purposes.

The benefits of wireless networks don’t end outside the office, because with wireless networking, “the air around us is the cable”. Even within modern enterprise offices, workstation mobility, for example using a laptop PC in a meeting room or changing a PC’s location due to organizational changes, is a fact of life. For those who need the flexibility to relocate a workstation, WLANs negate the need for frequent physical wiring changes. This is not just a convenience issue, as cabling changes can amount to a significant burden on already-stressed MIS and IT department resources, on top of the costs of the cables themselves. The result? Increased productivity as well as a more positive end-user experience.
Types of wireless networks

Technically, a “wireless network” is any collection of end-points that can (at least) receive, and (usually in an IT context) send, a signal or information from or to a broadcast access point, without using wires. Viewed in this way, your television set would qualify as a wireless network end-point, but for the purposes of this White Paper, we will confine the context of the discussion to computer-related wireless networks only.

There are many types of wireless computer networking technologies, including:

  • RFID (Radio-Frequency IDentification) systems (there are many sub-varieties of this technology class, mostly used for short-range industrial applications such as warehouse stock movement tracking, typically with very small, fixed datasets such as a SKU number, and so on)
  • Infrared/IRDA (line-of-sight low power optical networking)
  • HomeRF (an older wireless PC networking standard that is rapidly disappearing)
  • Bluetooth (and potential 802.15 IEEE standard to follow from it, low data rate wireless networking mostly for connecting peripherals such as printers, PDAs etc., but rarely used for LAN client purposes)
  • 1x RTT, 3G and 2.5G cellular technologies (used by telcos for metered, relatively location-insensitive, low-speed access to the Internet, up to about 40-60 kilobits per second or roughly slightly faster than a 56K dial-up modem)
  • WiFi (IEEE 802.11a, b, g and many other versions; the current standard for relatively high-bandwidth wireless PC networking today, theoretically up to speeds of 54 megabits per second but usually more in the 20 megabits per second range)

Of all of the above technologies, the last two – the various telco cellular network connectivity systems and 802.11x* WiFi – are by far the most important for the purposes of this White Paper, because these systems are both commonly used for remote LAN access today and are likely to continue to be so used in the future. We will concentrate particularly on 802.11x systems, since wireless connectivity via the 1x RTT networks of the major telephone carriers has better inherent resistance to intrusion due to the way in which access is administered (although it is still theoretically vulnerable to compromise).

* Note: We will use the acronym "802.11X" (large "x") generically to describe the gamut of 802.11a, 802.11b, 802.11g, etc. sub-varieties, henceforth in this document. This should not be confused with the "802.1.x" RADIUS-based authentication system, which is also referenced below.
The “catch” is…

Like many things in life, there is both good and bad in the location-independent access capabilities that wireless networking enables. Although issues of data speed (usually somewhat less than for conventional wire-line LANs) and reliability (for example, one’s 2.4 GHz wireless phone rings and disrupts an 802.11 LAN session) can come into play, for WLANs the most important question mark concerns security. To understand the security risks that are inherent in wireless networking, we have to briefly review the history of networking itself as well as the security mechanisms that evolved at each stage of this evolution.

How we connected, before

Traditionally, access to networked resources has been inextricably linked to a physical connection to a network cable (usually, a blue 10BaseT UTP Ethernet cable) of one sort or another. There has, up to now, simply been no other practical way to connect one’s own PC (or other device) to other computers.

In the 1980s, the computers that were connected in this way were mostly deployed in small groups (“workgroup LANs”), and, in the relatively rare cases where large numbers of computers were networked together, it was usually in the context of a single-organization enterprise LAN where all of the endpoints were, ultimately, controlled by the same company or public sector department. Nobody was allowed to connect to the enterprise LAN unless he or she worked for the enterprise. Security issues were mostly limited to problems with disgruntled employees, although near the end of the 1980s, dial-up remote access to enterprise LANs created a need for basic authentication functions. The security mechanism used during this period was mostly basic passwords, sometimes with enhancements such as forced password length or periodic forced password changes.

In the 1990s, the advent of the Internet changed this paradigm. For the first time, enterprise networks were interconnected with, and therefore exposed to, computers owned by entities that enterprises might have no knowledge about, much less administrative control over. While the Internet, as the world’s ultimate heterogeneous network, brought about a tremendous increase in convenience, functionality and accessibility to information, this same connectivity also introduced the wide range of security issues – ranging from unauthorized access to viruses to Internet fraud – that most IT directors are now all too familiar with.
However, even in the late 1990s, enterprise IT security personnel had at least one line of defense to fall back on. Intruders generally had only one convenient avenue of access to internal enterprise LANs – that is, through whatever part of the enterprise network infrastructure (usually, a high bandwidth cable such as a T-1 or leased line) connected to the organization’s ISP (Internet Service Provider) and therefore to the Internet as a whole. One could envision this as an office tower with only one huge door at the front; to get inside, an intruder would have to get past the security system (e.g., a firewall, which was the defining security system of the early Internet era) posted at this door.

While malicious attempts at unauthorized access or other inappropriate use of resources (for example attempts to find unsecured OS services on open IP ports, or denial of service attacks) through this entry point can and do occur, at least it is only one entry point to guard; there is little chance of an intruder physically finding his or her way inside (say) the headquarters of a bank and then attaching his or her PC to the enterprise LAN via a 10BaseT network cable connected to a local Ethernet hub or router. (Presumably, were such an event to occur, other office workers would detect the presence of the intruder before any real damage were to be done, perhaps from the trail of empty pizza boxes and soft drink cans or the “Kaos Komputer Klub Rulez!” T-shirt…)

How we (and the bad guys) connect now… without wires

Wireless networking changes all this. For the first time, an intruder does not have to have any physical access at all, in order to at least attempt to “plug in” to the same enterprise connectivity access points that legitimate users do – it is perfectly possible for an intruder to sit in the lobby of an office building, set his or her wireless client (or hacking) software to search for local wireless access points, find one and attempt to connect. A good way to imagine this is to think of an 802.11 wireless access point as an Ethernet hub with a million ethereal 10BaseT cables connected to it, free for the connecting by anyone within a 50 to 300 meter radius.

Improperly secured WLAN access points may have been intentionally, but incorrectly, installed by an enterprise’s IT staff. However, today’s increasingly low prices of consumer-level wireless networking equipment have led to the attachment of “rogue” (unsanctioned) WLAN access points to enterprise networks, in other words, end user-installed, unsecured WLAN access points that the organization’s MIS and/or security staff may not even know exist. While rogue Ethernet hubs, etc., have historically been a fact of life for large corporations and public sector departments, unlike the case with a conventional LAN connection device, using wireless technology an unsanctioned access point can be accessed by someone completely outside the physical premises of the organization.
If an intruder is successful in finding and connecting to an inadequately secured wireless access point (wandering a neighbourhood looking for open WLAN access points is called “war driving”, in hacker slang), he or she now has exactly the same ability to access internal enterprise resources, for example servers or the data on them, that a legitimate office worker would have. And since, by definition, an internal LAN is “behind the firewall”, Internet barrier security mechanisms such as firewalls, bastion servers, or proxy servers will be mostly ineffective against such intrusions.

Attacks against external targets launched with this type of inappropriate access will appear to come from the organization that owns the conventional, Internet-attached LAN… because, of course, they do come completely from within the organization’s own TCP/IP address range. Taken together, all of these factors amount to a difference of kind, not just degree, in the types of intrusion threats that modern IT security managers must cope with in the WLAN era.

It’s not safe at home, anymore

Another likely attack against inadequately secured wireless access points is equally troublesome, but is much less well understood.

In the early days of wireless networking, WLAN hardware – that is, wireless access hubs, routers and network interface cards – was expensive and complex to install and configure. Additionally, standards were poorly defined, so (for example) it was necessary to use the same vendor’s wireless NICs with that vendor’s access points; without doing so, chances of connectivity were poor. Thus, in most cases, WLANs were deployed only by experienced IT staff, within the relatively controlled contexts of enterprise (business) LANs.

However, in the last two to three years, affordability and user-friendliness for this technology have migrated down to the consumer level. It is now perfectly possible for even an uneducated computer user to connect his or her wireless access point to a broadband Internet (DSL or cable) modem, insert a wireless LAN adapter (even that of a different vendor) into a laptop and, with little or no extra configuration required, start happily surfing the Internet without any physical cable between the client PC and the access point.

For most consumers, the convenience that this auto-configuration provides is what makes the WLAN infrastructure attractive in the first place. Most casual home networking users have little or no understanding of IT security concepts, much less any interest in implementing what are, to them, complex and unnecessary configuration steps that add nothing to their computer use experience.
Unfortunately, hackers and other intruders are only too aware of the many vulnerabilities – for example, default SSID (“Service Set Identifier”, the string that identifies a wireless access point to wireless clients) identifiers (the default SSID for a NetGear 802.11 WLAN router is “NETGEAR”), or weaknesses in WEP encryption standards – created by the “plug-and-play” philosophy of consumer-level wireless networking equipment. Against an even moderately experienced hacker, most residential wireless networks are very vulnerable to unauthorized intrusion and access. This exposure is made worse by the fact that enterprise IT administrators have little or no control over how residential WLAN equipment is installed and/or configured, assuming that they even know that it has been deployed.

If society had maintained the work patterns of the 1980s or even early 1990s, the possibility of compromises against home-based WLANs would still be a problem, because the consequences of unauthorized access – for example, stealing credit card numbers or passwords to personal bank accounts, denial of service or inappropriate use attacks such as “hidden pornography sharing” launched from someone else’s broadband entry point, etc. – could be serious for the victimized individual or family. But in the early 21st Century, work patterns have changed and “working from home” is a familiar concept, even for senior private and public sector managers who must have constant access to sensitive internal information.

Thus, looking at the situation from the perspective of a potential intruder, the easiest way to compromise an enterprise LAN may not involve attacking its center point (e.g., the organization’s business offices) at all. Rather, an intelligent intruder might use a social engineering attack (or, perhaps, simply use a phone book) to find out where a senior manager lives, park an automobile discreetly somewhere nearby, set up his computer to search for an inadequately secured wireless access point installed at the manager’s house and then attack this access point.

The risks of this type of compromise are severe for several reasons. The most obvious of these is simple unauthorized access to corporate passwords and potentially confidential business information, but there are more subtle risks as well. For example, a compromised residential wireless access point is an ideal and (for the intruder) anonymous entry point for introduction of an Internet virus, “spam” e-mail or denial of service attack, with the hapless legitimate owner of the endpoint being blamed if such attacks are ever traced.

Furthermore, even if sensitive corporate information within central IT resources (for example a head office file server) is protected by a secondary data security mechanism such as file encryption, most home-based PCs – which could be directly attacked via a compromised WLAN – do not have this kind of protection, even if they are used for convenience purposes to store confidential information.
For example, the peer-to-peer networking features of Microsoft’s Windows XP Home OS, by default, do not provide even password-based protection for shared directories; an intruder on a compromised WLAN would have wide open access to a shared “My Documents” folder, in this scenario. (Such a location would be a perfect place for an attacker to locate a virus, a distributed denial-of-service “zombie” program, a password harvester or other OS-level compromise.) And home-based computers may be used by children or other individuals with little or no security awareness, leading to a raft of potential compromises such as “spyware”, keyloggers, viruses or other client-based vulnerabilities.

Clearly, the problem of inadequately secured residential WLANs is one that enterprise IT security staff need to take seriously and address immediately.

Ubiquitous… and anonymous

A secondary issue associated with WLANs, especially 802.11x-based WiFi networks, is that this type of infrastructure can provide the ultimate in anonymous Internet access, especially when provisioned via wireless access points that are available for free use by the public. (This type of deployment is becoming an increasingly common value differentiator for some types of businesses, for example coffee shops, restaurants, airlines and so on.)

Unlike the past – where, at some point, it was necessary for some identifiable entity to pay for an Internet Service Provider account and, usually, a phone or cable connection, to get access to the Internet – public access WLAN facilities for the first time allow a user with nothing more than a laptop computer and a wireless LAN card to access the Internet. In other words, however tenuous this concept may have been during the days of conventional, wireline Internet access (as it has always been possible to fake an identity), public WLAN access now makes the concept of identifying a network attacker nearly impossible, especially in real time.

While anonymity has many legitimate functions, viewed in the WLAN context, enterprise IT administrators now have to contend with unidentifiable attackers who can (for example) use a public WLAN access point for however brief an interval it takes to launch a denial-of-service attack, “spam” e-mail flood, intrusion attempt or other inappropriate use session, afterwards immediately disconnect and never thereafter have any other association with the TCP/IP address or access point from which these malicious activities took place.

In some ways, this may be more of an exposure for the provider of the public WLAN access infrastructure than it would be for the directly aggrieved party, since if such an attack is traceable at all, the path would lead back to the public WLAN access point from which the attack was launched. But either way, it is a new issue that must be considered in protecting enterprise LANs from external attacks.
WEP: “Weaker than Ever Protection”

When WiFi (802.11x) wireless LANs were first invented, the creators of the 802.11x protocols were not totally ignorant of the unauthorized use risk posed by unsecured wireless access points. To provide a measure of security against these risks, they invented “Wired Equivalent Privacy” (commonly referred to as “WEP”), a low-level data encryption system designed especially for wireless security purposes.

Basically, WEP provides wireless data traffic confidentiality via encryption of MAC (Media Access Control, in OSI reference model tech-speak)-level data streams. Theoretically, a properly implemented WEP-enabled access point can deny access to any wireless client that does not have a shared authentication key, and once a client has thus been correctly authenticated, it can encrypt the client/access point data stream in near real-time so that attempts to remotely “sniff” the contents of TCP/IP packets are futile.

Unfortunately, WEP has many known vulnerabilities. Among these are:

  • Problems with key generation (at the time WEP was created, the U.S. government had made the export of encryption keys longer than 40 bits illegal on the grounds that they were “weapons of mass destruction”, although later implementations of WEP have longer keys) and distribution;
  • Weak IVs (“Initialization Vectors”), which make key cracking inappropriately easy (even for the 128-bit and larger WEP key implementations);
  • A too-predictable CRC-32 packet integrity check algorithm;
  • A wide range of freely available “hacker” tools to break WEP encryption itself;
  • Many of the wireless access points (for example consumer market wireless / broadband Internet routers) which do implement WEP do not provide the management tools needed to enable good security practices such as frequent key changes.

Taken as a whole, these issues amount to the fact that whatever the initial claims made of it, WEP encryption alone cannot be relied upon to provide security for wireless 802.11x networks.

A successor to WEP, called “WPA” (“Wi-Fi Protected Access”), which will resolve many of the known vulnerabilities in WEP, is currently in the final stages of definition by the IETF and will probably become available within the late 2003 to mid-2004 time scale. While, obviously, transitioning to the new WPA standard will be desirable in the long run, for the time being WEP will remain the best available confidentiality tool for WLAN data streams, so IT security managers will have to plan their strategy to take its vulnerabilities into account.
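Why the CRC-32 integrity check in the list above counts as "too predictable", shown as an added example that is not part of the white paper: a checksum with no key, sent under an XOR stream cipher, still validates after a frame is changed in transit, while a keyed MAC rejects the same change. The keystream function is a constructed stand-in for WEP's RC4, and the keys, IV and payload are constructed sample values.

```python
import hashlib
import hmac
import zlib


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode); an assumed stand-in for RC4."""
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(iv + key + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc_bytes(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")


def seal_crc(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP-style framing: append CRC-32 of the payload, then XOR with the keystream."""
    body = payload + crc_bytes(payload)
    return xor(body, keystream(key, iv, len(body)))


def open_crc(key: bytes, iv: bytes, frame: bytes):
    """Return the payload if the decrypted CRC-32 matches, else None."""
    body = xor(frame, keystream(key, iv, len(frame)))
    payload, icv = body[:-4], body[-4:]
    return payload if crc_bytes(payload) == icv else None


def seal_hmac(enc_key: bytes, mac_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Same encryption, but integrity comes from HMAC-SHA256 over IV and ciphertext."""
    ct = xor(payload, keystream(enc_key, iv, len(payload)))
    return ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()


def open_hmac(enc_key: bytes, mac_key: bytes, iv: bytes, frame: bytes):
    """Return the payload if the keyed tag verifies, else None."""
    ct, tag = frame[:-32], frame[-32:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return xor(ct, keystream(enc_key, iv, len(ct)))


def icv_difference(delta: bytes) -> bytes:
    """CRC-32 is affine over XOR: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(00..0).
    So the checksum change caused by a payload change needs no key to compute."""
    return xor(crc_bytes(delta), crc_bytes(bytes(len(delta))))


def xor_into(frame: bytes, change: bytes) -> bytes:
    """Bit changes applied to a frame in transit (zero-padded to frame length)."""
    return xor(frame, change.ljust(len(frame), b"\x00"))


def compare_integrity_checks():
    """Apply the same one-bit payload change to both kinds of frame."""
    key, mac_key, iv = b"constructed-key", b"constructed-mac-key", b"\x00\x00\x01"
    payload = b"constructed sample payload"
    delta = b"\x01" + bytes(len(payload) - 1)   # flip the lowest bit of byte 0

    altered_crc = xor_into(seal_crc(key, iv, payload), delta + icv_difference(delta))
    altered_hmac = xor_into(seal_hmac(key, mac_key, iv, payload), delta)
    return open_crc(key, iv, altered_crc), open_hmac(key, mac_key, iv, altered_hmac)


if __name__ == "__main__":
    crc_result, hmac_result = compare_integrity_checks()
    print("CRC-32 frame accepted as:", crc_result)
    print("HMAC frame accepted as:  ", hmac_result)
```

The CRC-protected frame is accepted with altered contents; the HMAC-protected frame is rejected because the tag cannot be recomputed without the MAC key.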
How to deploy secure WLANs

The following section gives some practical steps on how to secure your WLAN.

Do a threat/risk analysis (TRA): Review your organization’s real business and technical security requirements, so you know what resources are most likely to be attacked, as well as what the consequences would be if each data element or resource were compromised. Without undertaking this crucial step, it is impossible to properly secure your enterprise LAN, since you may be over-securing low-sensitivity resources while under-securing resources that are critical to your business. As an example of this, if your enterprise LAN contains a mixture of low-bandwidth 1x RTT (cellular) and 802.11x-connected PCs, your available IT security manpower cycles may be better spent on the latter rather than the former (cellular networks have a degree of authentication security built in at the billing account level, and in any case, their metered costs and relatively low bandwidth give mobile users an incentive to restrict use of the resource, thereby mitigating the risk of data compromise).

Architect a secure wireless solution: Design an appropriate, secure wireless scheme that meets your users’ needs. A system which leaves important functions – for example, the ability to access home-based wireless networks – completely unaddressed will likely be bypassed by end users… resulting in no security at all. Also, the word “architect”, as used in this context, is a verb; your IT staff should spend the time to draft a valid WLAN architecture for your enterprise, not leave this function to ad hoc infrastructure growth engineered by end users. (If end users have no official WLAN architecture to adhere to, they will adhere to whatever is most convenient for them at the time.)

Roaming: Propose an effective roaming solution that extends the network beyond the office. The point here is to realize that wireless LAN access – particularly, wireless 802.11x-related infrastructure deployed in residential or airport “hotspot” contexts – is here to stay; attempts to prohibit it, or to ignore it and hope the problem goes away (it won’t), are likely to be futile. If your IT staff is able to get out in front of the curve and propose a wireless roaming system that will enhance end user convenience, the chances are much greater that you will get the co-operation of end users when the time comes to implement strong security.
Use WEP… but don’t expect miracles of it: Wired Equivalent Privacy (or WEP) authentication and encryption is not perfect, but using it is far preferable to having no wireless encryption protection at all. So enable it for all the access points that support it.

Think of the analogy with the lock you use to secure the front door of your house, or the lock on your car door. Both of these can certainly be defeated, and this happens every day across the country; but the mere presence of a lock is known to deter thieves, who for the most part would prefer to attack targets that are less well defended. WEP can work in exactly the same way for wireless LANs, encouraging attackers to go after someone else’s network.

Furthermore, it should be noted that although it is indeed possible to break or circumvent WEP-based wireless security, doing so is – particularly for its 128-bit and longer versions – a much less straightforward task than some alarmist media stories would have one believe. There are many reasons why this is the case, but as an example, most WEP-hacking programs currently (July 2003) available run only over various versions of the Linux, OpenBSD or other non-Windows operating systems; thus, to use most of these, an intruder must acquire and install a completely new operating system on his or her computer. (And, possibly, recompile the hacking program from C++ source code, itself a non-trivial task.) Then, the intruder must have at least some understanding both of low-level TCP/IP data concepts and of encryption concepts, must have both the time (possibly as much as a day per attempt) and the circumstances (e.g. a car or van to park discreetly while attempting to break a WLAN-secured access point) and, finally, the disposition (in particular, a good deal of patience) to carry the intrusion attempts through to fruition.

Impossible? No, but definitely a task that would deter many casual intruders who are just “nosy”. But by not using WEP, you are making the task of intrusion immensely easier, just as you would be by not placing a lock of any kind on your home’s front door. So, WEP has a part to play in securing WLAN systems; just do not make the mistake of making it your only 802.11x security technology.

As a side-note, wherever possible, your organization should invest in WLAN access devices (e.g. access points, routers and network cards) that either implement, or can conveniently be upgraded to implement, the emerging WPA wireless security standard. While WPA is currently (July 2003) still a “work in progress”, it will eventually succeed WEP and solve many of WEP’s known vulnerabilities. Planning ahead to implement WPA will eventually make the task of securing 802.11x-based WLANs considerably easier.
Authentication is the key: The most significant vulnerability of wireless LANs is the fact that, at the physical level, by definition they enable access to anyone, authorized or not, within a WLAN access point’s radius of useful signal strength. (As noted above, this is in contrast to the situation with a conventional LAN, where a user must have physical access to building facilities to plug in to a 10BaseT UTP Ethernet cable.) Thus, systems that ensure that only authorized users are allowed to get a physical level connection at all to WLAN access points are a critical function of wireless LAN security policy (although they are not, by themselves, everything you need to secure a WLAN). Providing robust authentication security for use of wireless access points will instantly stop 80% of intrusion attacks.

End-run WEP problems with RADIUS: An excellent, industrial-strength solution to the WLAN authentication issues is an authentication infrastructure that implements a RADIUS client/server architecture. RADIUS, an IETF standard security management protocol first used for dial-up access to Internet Service Provider modem pools, enables control over which users can connect to your network, and over what resources they can access. Wireless-optimized extensions to RADIUS can enable wireless users to be strongly authenticated at access points using X.509 digital certificates. There are currently two “flavors” of such RADIUS extensions that you should consider:

  • EAP-TLS (Extensible Authentication Protocol - Transport Layer Security): This is the security method used in the 802.1X client for Windows XP; it uses client- and server-side certificates to perform authentication; dynamically generated user- and session-based keys are distributed to secure the connection.
  • PEAP (Protected Extensible Authentication Protocol): Protected EAP is an extension of EAP-TLS which provides certificate-based mutual authentication of the client and network. Unlike EAP-TLS, PEAP requires only server-side certificates, eliminating the need to configure certificates for each WLAN client.

The certificate-based client/server approach has many advantages. For example, administrators can enforce policies on user sessions, to specify the length of an encryption key and the time interval for its auto-renegotiation, and so on. Collectively, these features can negate most of WEP’s known vulnerabilities and exponentially increase the complexity and difficulty of intrusion attempts.

Note that some configurations may require a specialized, RADIUS-compatible client on each PC that will access the secure wireless LAN infrastructure; so, in planning a network of this type, you should make some allowance for remote roll-out, installation and provisioning issues.
Install, configure and test: Build and configure WLAN authentication servers using best security practices. Install, configure and test hardware and software. In particular, don’t assume that security equipment and software actually does what it claims to do – oversights such as a certain type of wireless router returning the administrator password in cleartext when a certain SNMP call is made to it, or storing sensitive WLAN configuration and authentication data in a client PC’s Windows Registry in completely unencrypted format, are uncommon but are definitely there, and the hackers all know about them. Either have your own IT department attempt, or (better yet) hire a third party to attempt, to break or bypass whatever WLAN security features you have implemented. You may be surprised what you find out about the equipment that you thought was “bullet-proof”.

The problem (partly) starts at home: As noted above, from the perspective of an attacker, unsecured, home-based WLAN access points may be considerably more attractive targets than would be the likely better-protected assets at an enterprise’s business offices. There may be little that your organization can (or should) do to prevent or restrict the ways in which employees use their own computers at home. But there are ways in which you can mitigate this risk, from both wireless and conventional remote access perspectives.

  • Require, or at least make available, more sophisticated, multi-factor methods of user authentication than just usernames and passwords (which are too easily compromised by basic hacking techniques such as keyloggers, IP packet sniffing, etc.) for access either to employee home computers or corporate resources. Among the advanced authentication methods available today are X.509 digital certificates, USB keys, smart cards and biometrics. Use of any one or combination of these systems will make the task of an intruder significantly more difficult, because simple interception of a password via a compromised residential WLAN will no longer be sufficient to enable subsequent compromise of the enterprise LAN as a whole.
  • If possible, implement a VPN (Virtual Private Network) system to secure the datastream between remote/home-based client PCs and central enterprise data resources. Properly-configured VPNs, particularly if combined with more sophisticated methods of multi-factor user authentication, can provide good protection for corporate resources, even if a residential WLAN access point is itself compromised to give an intruder access. There are two main types of VPNs: IPSec systems, which require installation of client software, and the newer SSL VPNs, which are entirely browser-based, making provisioning and roll-out significantly easier (as well as more secure).
• Provide, or encourage the use of, tools for good security practices on home computers. Among these are software firewalls, anti-virus software and anti-spyware software. Using such tools will make your entire enterprise network more secure, in addition to complicating the task of a wireless intruder who wants to hijack a vulnerable home computer as an entry point for activities such as a denial-of-service or virus injection attack.

• Provide at least some security-related education for all employees, but particularly those who may be using, or considering using, wireless networking at home. An example of the types of advice you could give in such training would be, “every so often, have a quick look at your wireless router and cable (or ADSL) modem; if your PC is turned off, but there is a lot of constant data traffic on the router and the modem, this might indicate an unauthorized connection – contact your Security department”. The more educated your home users are, the better able they will be to recognize intrusions at an early stage.

Attackers may want your bandwidth, not your data: Not all attacks against enterprise WLANs involve the usual security threats such as data interception or password compromises. For example, attackers may want access to your organization’s infrastructure for more mundane but still inappropriate purposes, such as trading illegally copied media items (songs and movies) or software, creating a launching point for mass “spam” mail blasts, storing pornography or simply free Web surfing. While these types of attacks did exist prior to the inception of WLANs, they are a far more attractive proposition nowadays because a wireless intruder may not have to bypass a firewall. You should consider, and protect against, this risk in designing your organization’s WLAN strategy.

Manage and support: Review your WLAN support options to meet the needs of your internal customers. Adjust these options to take into account changing needs, especially at the residential and home networking levels. The easier it is for users to access your support resources to get answers to security-related concerns, the more likely it will be that your users will adhere to whatever wireless security policy your organization has decided upon.
The details of implementing WLAN security

To protect your wireless LAN from attack, the following best practices are recommended:

1. Educate employees about WLAN risks, especially about how to recognize an intrusion or suspicious behavior. Security-aware end users are perhaps your best line of defence against intrusion.
2. Prohibit or restrict unauthorized attachment of wireless access points (rogue access points).
3. Employ a third party managed security services company to constantly monitor your network security infrastructure for signs of an attack or unauthorized use.
4. Deploy strong authentication (X.509 digital certificate, USB token, smart card and/or biometric) for all of your IT resources, wireless and wireline alike. Doing so will tremendously complicate the task of wireless “snoopers”, because interception and possession of a compromised password will no longer allow them to access protected resources and data sets.
5. Prohibit or restrict use of 802.11x WLAN cards in ad hoc mode, especially when in public areas or any building with a perimeter smaller than the WLAN broadcast range.
6. Ask users to connect only to known access points; masquerading access points are more likely in unregulated public spaces.
7. Deploy personal firewalls, anti-virus software and spyware blockers on all corporate PCs, particularly laptops and computers using the Windows operating system. Use corporate network security policy to enforce the continuous use of these assets and train employees to recognize when a problem is detected.
8. Actively and regularly scan for rogue access points and vulnerabilities on the corporate network, using available WLAN management tools.
9. Change default management passwords and, where possible, administrator account names, on WLAN access points. Also, make sure to disable or secure other potential “leak-points” of confidential configuration data – for example Telnet access or auto-responses to SNMP queries, etc. – that might be of value to a hacker trying to glean information about your network from a wireless access point.
10. Change the default SSID on all access points, and allow the access points to broadcast their SSIDs. This enables users to easily identify the access point to which they are connecting and only present the necessary credentials. It may be a good idea to make the SSID of an access point something that misleads attackers about the value of the data behind it; for example, an access point in a bank could be named “COFFEESHOP” instead of “BANKSECRETS”.
11. Turn on and use encryption (128-bit TKIP or higher WEP if your equipment supports it). TKIP provides protection against the drive-by snooper or unintentional visitor, but it should always be used with other measures in a corporate environment.
12. Use strong security for other data resources such as laptop or desktop data files and e-mail messages and attachments. (For example, desktop encryption solutions can range all the way from simple Windows-based EFS encryption to more advanced, flexible and platform-independent third party solutions, while X.509 digital certificates offer a very cost-effective way of securing e-mail.) The reason, again, is to create a layered security system, so that an intruder who somehow manages to defeat your organization’s WLAN security still has additional barriers to cross to do real damage.
13. When deploying 802.1X infrastructure to implement dynamic encryption keys (for example with a RADIUS-based authentication system), configure the session key update for at least once per hour to minimize the chance of key repetition.
14. Make sure that your RADIUS server has a valid server certificate for network authentication to all valid users and devices.
15. Avoid placing access points against exterior walls or windows.
16. Reduce the broadcast strength of WLAN access points, when possible, to keep it within the necessary area of coverage only. Avoid coverage of unintended areas such as parking lots.
17. When planning network design, use 802.1X-based port authentication for wired switches and hubs to inhibit future addition of unauthorized, user-attached access points.
18. Ask employees with home WLAN access points to change the authentication and confidentiality keys of their broadband routers, etc., at least once per month (once per week if your organization is very security-sensitive). It may be cost-effective for your organization to purchase one example of the consumer WLAN-to-broadband routers from the locally dominant vendors (e.g. Linksys, SMC, Netgear, etc.) and have your IT staff create simple, easily-understood corporate standard instructions as to how to do this, as well as to offer residential WLAN phone support for inexperienced users. All of these steps will help to reduce the “home access point” wireless LAN vulnerability.
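As an added illustration of items 2, 5, 6, 8, 10 and 11 above (this code is not part of the original white paper), the following Python example audits one wireless site survey against an inventory of deployed access points. The record fields, the addresses and names, the -70 dBm proximity cut-off and the treatment of static WEP as weak are all assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Seen:
    bssid: str        # radio MAC address of the observed station
    ssid: str
    mode: str         # "infrastructure" or "adhoc"
    encryption: str   # "open", "wep" or "tkip"
    rssi_dbm: int     # received signal strength at the survey point

# Constructed inventory of deployed access points: BSSID -> expected SSID.
AUTHORIZED = {"02:00:00:00:00:01": "COFFEESHOP",
              "02:00:00:00:00:02": "COFFEESHOP"}
CORPORATE_SSIDS = set(AUTHORIZED.values())
DEFAULT_SSIDS = {"linksys", "netgear", "smc", "default"}  # illustrative only
WEAK_ENCRYPTION = {"open", "wep"}  # assumption: static WEP counts as weak

def audit(survey, near_dbm=-70):
    """Return sorted (bssid, finding) pairs. near_dbm is an assumed cut-off
    separating on-premises radios from neighbouring networks."""
    findings = []
    for ap in survey:
        bssid = ap.bssid.lower()
        if ap.mode == "adhoc":                       # item 5
            findings.append((bssid, "ad hoc station"))
        elif bssid not in AUTHORIZED:
            if ap.ssid in CORPORATE_SSIDS:           # item 6
                findings.append((bssid, "masquerading AP"))
            elif ap.rssi_dbm >= near_dbm:            # items 2 and 8
                findings.append((bssid, "possible rogue AP"))
        else:
            if ap.ssid.lower() in DEFAULT_SSIDS:     # item 10
                findings.append((bssid, "default SSID"))
            if ap.encryption in WEAK_ENCRYPTION:     # item 11
                findings.append((bssid, "weak encryption"))
    return sorted(findings)

# Constructed survey results (every address and name here is made up).
SURVEY = [
    Seen("02:00:00:00:00:01", "COFFEESHOP", "infrastructure", "tkip", -48),
    Seen("02:00:00:00:00:02", "COFFEESHOP", "infrastructure", "wep", -55),
    Seen("02:00:00:00:00:AA", "COFFEESHOP", "infrastructure", "open", -50),
    Seen("02:00:00:00:00:BB", "linksys", "infrastructure", "open", -40),
    Seen("02:00:00:00:00:CC", "NeighbourNet", "infrastructure", "tkip", -85),
    Seen("02:00:00:00:00:DD", "laptop-share", "adhoc", "open", -60),
]

if __name__ == "__main__":
    for bssid, finding in audit(SURVEY):
        print(f"{bssid}  {finding}")
```

Signal strength is only a rough locator and BSSIDs can be copied, so confirm each finding from the wired side before acting on it.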
Summary

Wireless LANs are neither the inherently insecure demon that their detractors depict, nor are they inherently secure enough to be implemented in exactly the same way as conventional wireline LANs would be. But because this technology is quickly gaining momentum from a consumer acceptance perspective, it is imperative that your organization roll out its WLAN(s) in a secure fashion. Doing this may require only a few steps and types of security practice and technology, or may require more, depending upon the nature of the information being protected and the degree of security desired.

And, it’s important to note, some of the best practice steps you should use to secure a wireless LAN are basically the same as would be the case for a conventional network. Viewed in this context, the implementation of a WLAN can be an ideal catalyst to improve the overall security of the rest of your enterprise LAN or WAN. The results will benefit users of both wireless and wireline infrastructures… and your organization’s productivity will improve as well. But start the process now, before your WLAN starts to broadcast things you don’t want the public to hear!

©2003 VeriSign, Inc. All rights reserved. VeriSign, the VeriSign logo, NetSure, and other trademarks, service marks, and logos are registered or unregistered trademarks of VeriSign and its subsidiaries in the United States and other countries. All other trademarks belong to their respective owners. DS 037 0903

Copyright © Soltrus, Inc., 2003. Limited permission is hereby granted to reproduce and distribute this document, provided that this notice of copyright is included and that distribution is not for a commercial purpose.