Wireless security: Hyper techniques
Interest in wireless technologies as a means of extending a company’s network infrastructure has grown exponentially almost overnight. Not only has there been more curiosity from customers, who see the obvious advantages, but suppliers of wireless network hardware have been busy churning out innovative products in a bid to claim niche market space. Unfortunately, over shadowing this popularity are questions about wireless security, which have plagued the industry since the technology started gaining acceptance. These security issues, though widely communicated and understood, did surprisingly little to slow down the adoption of wireless technology by enterprises.
While adopters initially were not too worried about the security flaws inherent in the technology, the vendors were. As a result, products released subsequently have incorporated tighter defenses.
But like any other tool, these improved features have to be used properly. A wireless network implementation needs to be well thought-out and no simply added piecemeal. Many security-conscious enterprises have confidently deployed Wireless Local Area Networks (WLANs) by enforcing policies and implementing practical steps to protect their assets, identify vulnerabilities and defend their networks from wireless-specific attacks.
The use of Wired Equivalent Protocol (WEP) encryption for wireless networks does not guarantee a secure deployment, as the weaknesses inherent within the protocol are well-documented and easy to exploit. One way to address these deficiencies is to UPGRADE THE INFRASTRUCTURE TO SUPPORT WI-FI PROTECTED ACCESS (WPA), a much stronger protocol that augments wireless security and ensures only authorized persons can gain access to the WLAN.
Touted as the replacement security standard over WEP, WPA provides a more sophisticated data encryption method through Temporal Key Integrity Protocol (TKIP), which addresses the original flaw in WEP. It also provides user authentication based on 802.1x and Extensible Authentication Protocol (EAP). However, in order to use WPA, a central authentication server such as a Remote Authentication Dial-In User Service (RADIUS) is required to perform authentication for each user.
In addition, proper implementation of WPA requires that all wireless devices be WPA-compliant. Though wireless Access Points (APs) are usually capable of operating in a ‘mixed’ WEP/ WPA mode, the resultant security of the architecture is only as solid as one based on WEP. Fortunately, WPA was designed to be upgraded through new firmware updates for legacy wireless devices, so existing legacy equipment may already be WPA-compliant after the proper update is downloaded. Purchase products that are compatible with the WPA standard set by the Wi-Fi Alliance to allay fears over the inter-operability of wireless technology hardware.
Some managers’ implementations AUTHENTICATE USERS VIA THE UNIQUE MEDIA ACCESS CONTROL (MAC) ADDRESS FOUND ON EACH WIRELESS NETWORK ADAPTER. However, doing this will only prevent unauthorized access to the access point, not prevent invaders from sniffing the unencrypted data being transferred between the AP and other users.
Another important consideration is the recommended SEGMENTATION OF THE WIRED ANDD WIRELESS NETWORKS, preferably through a firewall. Such a network infrastructure mitigates risk by localizing it to either the wired or the wireless segments, retaining the integrity of one should the other be compromised. Most recommend that confidential and core-related business functions rely on the wired segment, and that the wireless infrastructure be reserved for business units that require more agility and need more mobility.
One of the most common threats to an existing wireless infrastructure – and among the hardest to detect – comes in the form of ‘rogue’ wireless devices on an otherwise secure WLAN. These can be anything from an unauthorized wireless AP or a laptop functioning as a virtual AP to anything else connected to the network but acting as a proxy for other unauthorized devices to gain access. The scenario where one of the more IT-savvy employees within a company decides to connect his own AP to the existing network for the sake of convenience is all too common. Rogue Aps such as these are a possibility regardless of a firm’s security policies, creating a gap in the wall of the enterprise’s wireless defenses.
Laptops and other devices that can act as a launch pad for attacks are even more dangerous because they have legitimate access to the enterprise‘s wireless infrastructure and resources. The default configuration of most off-the-shelf wireless devices offer little in terms of protection and usually have many of the best security features disabled.
It is a good idea for every wireless-equipped laptop or even handheld device to have a SOFTWARE AGENT PRE-INSTALLED IN ORDER TO ALERT THE USER TO NETWORK SECURITY REQUIREMENTS as well as to ensure conformance to wireless security policies.
Relying on default settings will help no one except potential attackers. The most important of these are the Service Set Identifiers (SSID), essentially the names assigned to each AP. CHANGE THESE IDENTIFIERS FOR EACH AND EVERY AP ONCE IT’S BEEN TAKE OUT OF THE BOX. Leaving it to the manufacturer’s default setting will only make things easier for would-be intruders, who are likely to be well-versed in a product’s default settings.
The SSIS assigned should also be something meaningless, giving as little information to an outsider as possible. A bank prefixing its APs with the company name, for example, is asking for trouble.
Disabling the SSID broadcast also helps. Most APs are up to constantly broadcast their SSIS as a beacon for stations to discover and connect to. Turning the broadcast off means that each client needs to know the SSID in order to connect to it. This can prevent accidental connections and may even stop an inexperienced or undetermined attacker from gaining access. But it is in no way foolproof – the SSID can be easily extracted from the probe response that other mobile devices send back to the AP.
LIMITING THE EFFECTIVE RANGE OF THE AP will also mitigate security risks by preventing attackers from accessing the AP from a distance. Configuring APs not to allow slower connection speeds can prevent connections from the parking lot or the floors above or below you.
It is also possible to shield parts of a building to prevent 802.11 RF leakages There is at least one vendor touting an additive that, when mixed with paint, reduces the transmission of radio waves. This is theoretically more cost – effective than lining an entire building with ferrite sheets.
Many of the most pressing security issues can be addressed by proper and thorough policies and enforcement. EMPLOYEES SHOULD BE THOROUGHLY BRIEFED, EDUCATED AND WARNED about the use of rogues APs or other wireless devices, whether unauthorized or permitted by the company.
Besides limiting the range of the wireless network, limiting operating channels, connection speeds and hours of operation can bolster a comprehensive security regime.
By establishing a specific channel for each AP, traffic on all other channels can be identified as being suspicious in nature. By limiting the hours of operation, the network is protected from late – night attacks.
Although well – defined policies are not only beneficial but necessary, they can be rendered useless by a lack of enforcement. Enforcement is optimal with 24/7 monitoring of a WLAN and its associated infrastructure.
Enterprises that are serious about utilizing wireless networking technology in a secure manner should consider the associated responsibilities that come with it and provide the services and support to match.