Securing Wireless Local Area Networks A VeriSign/Soltrus White Paper
CONTENTS
Introduction
Why wireless?
Types of wireless networks
The catch is
How we connected, before
How we (and the bad guys) connect now without wires
It's not safe at home, anymore
Ubiquitous and anonymous
WEP: Weaker than Ever Protection
How to deploy secure WLANs
The details of implementing WLAN security
Summary
Introduction
If the 1980s was the decade of the LAN and the 1990s was the decade of
the Internet, future historians may look back on the first decade of the
21st Century as the decade of Wireless Networking.
Although wireless LANs (WLANs, for short) are proliferating rapidly,
nowadays, this technology is scarcely ever discussed without mention of
security concerns. If your organization is planning to deploy a WLAN,
or has already done so, you should know the facts surrounding wireless
networks so you can use your WLAN in a secure manner.
This document will give a brief description of what wireless LANs are,
how the security concerns with them compare with those of conventional
computer networks and will detail some practical steps your organization
can use to deploy fully trustworthy WLANs. It is aimed at readers with
some prior knowledge of computer networking concepts, but anyone
interested in wireless networking security will benefit by reading this
White Paper.
Why wireless?
The cost-effectiveness and flexibility of the wireless LANs of the 21st
Century, as an alternative to traditional wired networks, are ideal for mobile
workers. They allow access to real-time information and corporate resources
almost anywhere a mobile worker may be located, and with the growing
popularity of wireless hotspots, mobile workers can now connect to the
Internet at airports, hotels, restaurants, and other public places. Within the
last few years, access speeds for WLANs have started to approach those
available for conventional wireline networks, making use of wireless
networking practical for mainstream business and consumer purposes.
The benefits of wireless networks don't end outside the office, because with
wireless networking, "the air around us is the cable". Even within modern
enterprise offices, workstation mobility, for example using a laptop PC in
a meeting room or changing a PC's location due to organizational changes,
is a fact of life. For those who need the flexibility to relocate a workstation,
WLANs negate the need for frequent physical wiring changes. This is not
just a convenience issue, as cabling changes can amount to a significant
burden on already-stressed MIS and IT department resources, on top of
the costs of the cables themselves.
The result? Increased productivity as well as a more positive end-user
experience.
Types of wireless networks
Technically, a wireless network is any collection of end-points that can (at
least) receive, and (usually in an IT context) send, a signal or information
from or to a broadcast access point, without using wires. Viewed in this way,
your television set would qualify as a wireless network end-point, but for
the purposes of this White Paper, we will confine the context of the
discussion to computer-related wireless networks only.
There are many types of wireless computer networking technologies,
including:
- RFID (Radio-Frequency IDentification) systems (there are many sub-varieties
  of this technology class, mostly used for short-range industrial applications such
  as warehouse stock movement tracking, typically with very small, fixed datasets
  such as a SKU number, and so on)
- Infrared/IRDA (line-of-sight low power optical networking)
- HomeRF (an older wireless PC networking standard that is rapidly
  disappearing)
- Bluetooth (and potential IEEE 802.15 standard to follow from it; low data rate
  wireless networking mostly for connecting peripherals such as printers, PDAs
  etc., but rarely used for LAN client purposes)
- 1x RTT, 3G and 2.5G cellular technologies (used by telcos for metered,
  relatively location-insensitive, low-speed access to the Internet, up to about
  40-60 kilobits per second, or roughly slightly faster than a 56K dial-up modem)
- WiFi (IEEE 802.11a, b, g and many other versions; the current standard for
  relatively high-bandwidth wireless PC networking today, theoretically up to
  speeds of 54 megabits per second but usually more in the 20 Mb/sec. range)
Of all of the above technologies, the last two (the various telco cellular
network connectivity systems and 802.11x* WiFi) are by far the most
important for the purposes of this White Paper, because these systems
are both commonly used for remote LAN access today and are likely to
continue to be so used in the future.
We will concentrate particularly on 802.11x systems, since wireless
connectivity via the 1x RTT networks of the major telephone carriers has
better inherent resistance to intrusion due to the way in which access is
administered (although, it is still theoretically vulnerable to compromise).
* Note: We will use the acronym "802.11X" (large "x") generically to describe the gamut of 802.11a, 802.11b,
802.11g, etc. sub-varieties, henceforth in this document. This should not be confused with the "802.1X" RADIUS-based authentication system, which is also referenced below.
The catch is
Like many things in life, there is both good and bad in the location-independent
access capabilities that wireless networking enables.
Although issues of data speed (usually somewhat less than for conventional
wire-line LANs) and reliability (for example, one's 2.4 GHz wireless phone rings
and disrupts an 802.11 LAN session) can come into play, for WLANs the most
important question mark concerns security.
To understand the security risks that are inherent in wireless networking, we have
to briefly review the history of networking itself as well as the security mechanisms
that evolved at each stage of this evolution.
How we connected, before
Traditionally, access to networked resources has been inextricably linked to a
physical connection to a network cable (usually, a blue 10BaseT UTP Ethernet
cable) of one sort or another. There has, up to now, simply been no other practical
way to connect one's own PC (or other device) to other computers.
In the 1980s, the computers that were connected in this way were mostly deployed
in small groups (workgroup LANs), and, in the relatively rare cases where large
numbers of computers were networked together, it was usually in the context of a
single-organization enterprise LAN where all of the endpoints were, ultimately,
controlled by the same company or public sector department. Nobody was allowed
to connect to the enterprise LAN unless he or she worked for the enterprise.
Security issues were mostly limited to problems with disgruntled employees,
although near the end of the 1980s, dial-up remote access to enterprise LANs
created a need for basic authentication functions. The security mechanism used
during this period was mostly basic passwords, sometimes with enhancements such
as forced password length or periodic forced password changes.
In the 1990s, the advent of the Internet changed this paradigm. For the first
time, enterprise networks were interconnected with, and therefore exposed to,
computers owned by entities that enterprises might have no knowledge about,
much less administrative control over. While the Internet, as the world's ultimate
heterogeneous network, brought about a tremendous increase in convenience,
functionality and accessibility to information, this same connectivity also introduced
the wide range of security issues (ranging from unauthorized access to viruses to
Internet fraud) that most IT directors are now all too familiar with.
However, even in the late 1990s, enterprise IT security personnel had at least one
line of defense to fall back on. Intruders generally had only one convenient avenue
of access to internal enterprise LANs: that is, through whatever part of the
enterprise network infrastructure (usually, a high bandwidth cable such as a T-1 or
leased line) connected to the organization's ISP (Internet Service Provider) and
therefore to the Internet as a whole. One could envision this as an office tower
with only one huge door at the front; to get inside, an intruder would have to get
past the security system (e.g., a firewall, which was the defining security system of
the early Internet era) posted at this door.
While malicious attempts at unauthorized access or other inappropriate use of
resources (for example attempts to find unsecured OS services on open IP ports,
or denial of service attacks) through this entry point can and do occur, at least
it is only one entry point to guard; there is little chance of an intruder physically
finding his or her way inside (say) the headquarters of a bank and then attaching his
or her PC to the enterprise LAN via a 10BaseT network cable connected to a
local Ethernet hub or router. (Presumably, were such an event to occur, other office
workers would detect the presence of the intruder before any real damage were to
be done, perhaps from the trail of empty pizza boxes and soft drink cans or the
"Kaos Komputer Klub Rulez!" T-Shirt.)
How we (and the bad guys) connect now without wires
Wireless networking changes all this. For the first time, an intruder does not have
to have any physical access at all, in order to at least attempt to plug in to the
same enterprise connectivity access points that legitimate users do; it is perfectly
possible for an intruder to sit in the lobby of an office building, set his or her
wireless client (or hacking) software to search for local wireless access points, find
one and attempt to connect.
A good way to imagine this is to think of an 802.11 wireless access point as an
Ethernet hub with a million ethereal 10BaseT cables connected to it, free for the
connecting by anyone within a 50 to 300 meter radius.
Improperly secured WLAN access points may have been intentionally, but
incorrectly, installed by an enterprise's IT staff. However, nowadays increasingly
low prices of consumer-level wireless networking equipment have led to the
attachment of "rogue" (unsanctioned) WLAN access points to enterprise networks,
in other words, end user-installed, unsecured WLAN access points that the
organization's MIS and/or security staff may not even know exist.
While rogue Ethernet hubs, etc., have historically been a fact of life for large
corporations and public sector departments, unlike the case with a conventional
LAN connection device, using wireless technology an unsanctioned access point
can be accessed by someone completely outside the physical premises of the
organization.
If an intruder is successful in finding and connecting to an inadequately
secured wireless access point (wandering a neighbourhood looking for open
WLAN access points is called "war driving", in hacker slang), he or she
now has exactly the same ability to access internal enterprise resources, for
example servers or the data on them, that a legitimate office worker would
have. And since, by definition, an internal LAN is "behind the firewall",
Internet barrier security mechanisms such as firewalls, bastion servers, or
proxy servers will be mostly ineffective against such intrusions. Attacks
against external targets launched with this type of inappropriate access
will appear to come from the organization that owns the conventional,
Internet-attached LAN because, of course, they do come completely
from within the organization's own TCP/IP address range.
Taken together, all of these factors amount to a difference of kind, not just
degree, in the types of intrusion threats that modern IT security managers
must cope with in the WLAN era.
It's not safe at home, anymore
Another likely attack against inadequately secured wireless access points is
equally troublesome, but is much less well understood.
In the early days of wireless networking, WLAN hardware (that is, wireless
access hubs, routers and network interface cards) was expensive and complex
to install and configure. Additionally, standards were poorly defined, so
(for example) it was necessary to use the same vendor's wireless NICs with
that vendor's access points; without doing so, chances of connectivity were
poor. Thus, in most cases, WLANs were deployed only by experienced IT
staff, within the relatively controlled contexts of enterprise (business) LANs.
However, in the last two to three years, affordability and user-friendliness
for this technology have migrated down to the consumer level. It is now
perfectly possible for even an uneducated computer user to connect his or
her wireless access point to a broadband Internet (DSL or cable) modem,
insert a wireless LAN adapter (even that of a different vendor) into a laptop
and, with little or no extra configuration required, start happily surfing the
Internet without any physical cable between the client PC and the access
point.
For most consumers, the convenience that this auto-configuration provides
is what makes the WLAN infrastructure attractive in the first place. Most
casual home networking users have little or no understanding of IT security
concepts, much less any interest in implementing what are, to them,
complex and unnecessary configuration steps that add nothing to their
computer use experience.
Unfortunately, hackers and other intruders are only too aware of the many
vulnerabilities created by the "plug-and-play" philosophy of consumer-level
wireless networking equipment: for example, default SSIDs (the Service Set
Identifier is the string that identifies a wireless access point to wireless
clients; the default SSID for a NetGear 802.11 WLAN router is "NETGEAR"),
or weaknesses in WEP encryption standards. Against an even moderately
experienced hacker, most residential wireless networks are very vulnerable
to unauthorized intrusion and access. This exposure is made worse by the
fact that enterprise IT administrators have little or no control over how
residential WLAN equipment is installed and/or configured, assuming that
they even know that it has been deployed.
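
The rogue access points and default SSIDs described above are things a defender can check for by comparing a wireless survey with the list of sanctioned access points. The following is an added example, not part of the white paper: the CSV layout, the inventory, the on_lan column (assumed to come from a separate wired-side lookup), the finding names and every default SSID other than "NETGEAR" are assumptions made for illustration, and the "wep-only" rule reflects the paper's later advice that WEP should not be the only 802.11x security technology.

```python
import csv
import io
from dataclasses import dataclass

# "NETGEAR" is the vendor default the paper names; the other two entries are
# assumed examples of factory-default SSIDs, added for illustration.
DEFAULT_SSIDS = {"netgear", "linksys", "default"}

# Constructed inventory of sanctioned access points: BSSID -> expected SSID.
SANCTIONED = {
    "00:11:22:33:44:01": "corp-wlan",
    "00:11:22:33:44:02": "corp-wlan",
    "00:11:22:33:44:03": "corp-guest",
}

# Constructed survey results. on_lan records whether the access point's MAC
# address was also seen on the wired enterprise network (assumed to come from
# a separate switch-table lookup).
SURVEY_CSV = """\
bssid,ssid,encryption,auth,on_lan
00:11:22:33:44:01,corp-wlan,wep,802.1x,yes
00:11:22:33:44:02,corp-wlan,wep,none,yes
00:11:22:33:44:03,corp-guest,open,none,yes
00:AA:BB:CC:DD:10,NETGEAR,open,none,yes
00:AA:BB:CC:DD:11,coffee-shop,open,none,no
"""


@dataclass(frozen=True)
class AccessPoint:
    bssid: str
    ssid: str
    encryption: str  # "open", "wep" or "wpa"
    auth: str        # "none" or "802.1x"
    on_lan: bool


def parse_survey(text):
    """Turn survey CSV text into AccessPoint records, normalising case."""
    aps = []
    for row in csv.DictReader(io.StringIO(text)):
        aps.append(AccessPoint(
            bssid=row["bssid"].strip().lower(),
            ssid=row["ssid"].strip(),
            encryption=row["encryption"].strip().lower(),
            auth=row["auth"].strip().lower(),
            on_lan=row["on_lan"].strip().lower() == "yes",
        ))
    return aps


def audit_ap(ap, sanctioned):
    """Return the list of findings for one access point."""
    known = ap.bssid in sanctioned
    if not known and not ap.on_lan:
        return []  # a neighbour's network: visible, but not attached to ours
    findings = []
    if not known:
        findings.append("rogue-ap")  # on our LAN, yet not in the inventory
    elif ap.ssid != sanctioned[ap.bssid]:
        findings.append("ssid-changed")
    if ap.ssid.lower() in DEFAULT_SSIDS:
        findings.append("default-ssid")
    if ap.encryption == "open":
        findings.append("no-encryption")
    elif ap.encryption == "wep" and ap.auth != "802.1x":
        findings.append("wep-only")  # WEP with no user authentication
    return findings


def audit(text, sanctioned=SANCTIONED):
    """Map each BSSID that has findings to its list of findings."""
    report = {}
    for ap in parse_survey(text):
        findings = audit_ap(ap, sanctioned)
        if findings:
            report[ap.bssid] = findings
    return report


if __name__ == "__main__":
    for bssid, findings in audit(SURVEY_CSV).items():
        print(bssid, ", ".join(findings))
```
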
If society had maintained the work patterns of the 1980s or even early
1990s, the possibility of compromises against home-based WLANs would
still be a problem, because the consequences of unauthorized access (for
example, stealing credit card numbers or passwords to personal bank
accounts, denial of service or inappropriate use attacks such as hidden
pornography sharing launched from someone else's broadband entry point,
etc.) could be serious for the victimized individual or family.
But in the early 21st Century, work patterns have changed and working
from home is a familiar concept, even for senior private and public sector
managers who must have constant access to sensitive internal information.
Thus, looking at the situation from the perspective of a potential intruder,
the easiest way to compromise an enterprise LAN may not involve
attacking its center point (e.g., the organization's business offices) at all.
Rather, an intelligent intruder might use a "social engineering" attack (or,
perhaps, simply use a phone book) to find out where a senior manager
lives, park an automobile discreetly somewhere nearby, set up his computer
to search for an inadequately secured wireless access point installed at the
manager's house and then attack this access point.
The risks of this type of compromise are severe for several reasons. The
most obvious of these is simple unauthorized access to corporate passwords
and potentially confidential business information, but there are more subtle
risks as well. For example, a compromised residential wireless access point is
an ideal and (for the intruder) anonymous entry point for introduction of
an Internet virus, spam e-mail or denial of service attack, with the hapless
legitimate owner of the endpoint being blamed if such attacks are ever
traced.
Furthermore, even if sensitive corporate information within central IT
resources (for example a head office file server) is protected by a secondary
data security mechanism such as file encryption, most home-based PCs
(which could be directly attacked via a compromised WLAN) do not have
this kind of protection, even if they are used for convenience purposes to
store confidential information.
For example, the peer-to-peer networking features of Microsoft's Windows
XP Home OS, by default, do not provide even password-based protection
for shared directories; an intruder on a compromised WLAN would have
wide open access to a shared "My Documents" folder, in this scenario.
(Such a location would be a perfect place for an attacker to locate a virus,
a distributed denial-of-service zombie program, a password harvester or
other OS-level compromise.)
And home-based computers may be used by children or other individuals
with little or no security awareness, leading to a raft of potential compromises
such as spyware, keyloggers, viruses or other client-based vulnerabilities.
Clearly, the problem of inadequately secured residential WLANs is one that
enterprise IT security staff need to take seriously and address immediately.
Ubiquitous and anonymous
A secondary issue associated with WLANs, especially 802.11x-based WiFi
networks, is that this type of infrastructure can provide the ultimate in
anonymous Internet access, especially when provisioned via wireless access
points that are available for free use by the public. (This type of deployment
is becoming an increasingly common value differentiator for some types of
businesses, for example coffee shops, restaurants, airlines and so on.)
Unlike the past where, at some point, it was necessary for some identifiable
entity to pay for an Internet Service Provider account and, usually, a phone
or cable connection, to get access to the Internet, public access WLAN
facilities for the first time allow a user with nothing more than a laptop
computer and a wireless LAN card to access the Internet. In other
words, however tenuous this concept may have been during the days
of conventional, wireline Internet access (as, it has always been possible to
fake an identity), public WLAN access now makes the concept of identifying
a network attacker nearly impossible, especially in real time.
While anonymity has many legitimate functions, viewed in the WLAN
context, enterprise IT administrators now have to contend with unidentifiable
attackers who can (for example) use a public WLAN access point for
however brief an interval it takes to launch a denial-of-service attack, spam
e-mail flood, intrusion attempt or other inappropriate use session, afterwards
immediately disconnect and never thereafter have any other association with
the TCP/IP address or access point from which these malicious activities
took place.
In some ways, this may be more of an exposure for the provider of the public
WLAN access infrastructure than it would be for the directly aggrieved
party, since if such an attack is traceable at all, the path would lead back to
the public WLAN access point from which the attack was launched. But
either way, it is a new issue that must be considered in protecting enterprise
LANs from external attacks.
WEP: Weaker than Ever Protection
When WiFi (802.11x) wireless LANs were first invented, the creators
of the 802.11x protocols were not totally ignorant of the unauthorized
use risk posed by unsecured wireless access points. To provide a measure
of security against these risks, they invented "Wired Equivalent Privacy"
(commonly referred to as "WEP"), a low-level data encryption system
designed especially for wireless security purposes.
Basically, WEP provides wireless data traffic confidentiality via encryption
of MAC (Media Access Control, in OSI reference model tech-speak)-level
data streams. Theoretically, a properly implemented WEP-enabled access
point can deny access to any wireless client that does not have a shared
authentication key, and once a client has thus been correctly authenticated,
it can encrypt the client/access point data stream in near real-time so that
attempts to remotely sniff the contents of TCP/IP packets are futile.
Unfortunately, WEP has many known vulnerabilities. Among these are:
- Problems with key generation (at the time WEP was created, the U.S.
  government had made the export of encryption keys longer than 40 bits
  illegal on the grounds that they were weapons of mass destruction, although
  later implementations of WEP have longer keys) and distribution;
- Weak IVs (Initialization Vectors), which make key cracking inappropriately
  easy (even for the 128-bit and larger WEP key implementations);
- A too-predictable CRC-32 packet integrity check algorithm;
- A wide range of freely available hacker tools to break WEP encryption itself;
- Many of the wireless access points (for example consumer market wireless /
  broadband Internet routers) which do implement WEP, do not provide the
  management tools needed to enable good security practices such as frequent
  key changes.
Taken as a whole, these issues amount to the fact that whatever the initial
claims made of it, WEP encryption alone cannot be relied upon to provide
security for wireless 802.11x networks.
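
Why a CRC-32 makes a poor packet integrity check can be shown with the checksum itself: it is unkeyed and affine over XOR, so the checksum of altered data follows from the alteration alone. This added example (not part of the white paper) contrasts it with a keyed HMAC under the same framing; the keystream, key and payloads are constructed, and the XOR keystream is a stand-in for WEP's stream cipher rather than a model of it.

```python
import hashlib
import hmac
import zlib

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def xor_bytes(a, b):
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def crc_difference(delta):
    """XOR difference between crc(m) and crc(m ^ delta), for any m.

    CRC-32 is affine over XOR for equal-length inputs:
    crc(m ^ d) == crc(m) ^ crc(d) ^ crc(all-zero bytes).
    No key and no knowledge of m is needed to compute it.
    """
    return crc32(delta) ^ crc32(bytes(len(delta)))


def crc_after_change(old_crc, delta):
    """CRC-32 of (message XOR delta), from the old checksum and delta alone."""
    return old_crc ^ crc_difference(delta)


def seal_crc(keystream, payload):
    """WEP-style frame: (payload + CRC-32 of payload) XOR keystream."""
    body = payload + crc32(payload).to_bytes(4, "little")
    return xor_bytes(body, keystream[:len(body)])


def open_crc(keystream, frame):
    """Return the payload if its CRC-32 verifies, otherwise None."""
    body = xor_bytes(frame, keystream[:len(frame)])
    payload, icv = body[:-4], body[-4:]
    return payload if crc32(payload).to_bytes(4, "little") == icv else None


def seal_hmac(keystream, mac_key, payload):
    """Same framing, with a keyed HMAC-SHA256 tag in place of the CRC."""
    body = payload + hmac.new(mac_key, payload, hashlib.sha256).digest()
    return xor_bytes(body, keystream[:len(body)])


def open_hmac(keystream, mac_key, frame):
    """Return the payload if its HMAC tag verifies, otherwise None."""
    body = xor_bytes(frame, keystream[:len(frame)])
    payload, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    expected = hmac.new(mac_key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None


def demo():
    """Alter one sealed frame of each kind in transit; return what each
    receiver accepts: (payload or None, payload or None)."""
    # Constructed values. The keystream stands in for the cipher output,
    # which whoever alters the frame never sees.
    keystream = hashlib.sha256(b"constructed keystream").digest() * 3
    mac_key = b"constructed-mac-key"
    original = b"seq=0001;state=idle"
    altered = b"seq=0001;state=busy"
    delta = xor_bytes(original, altered)

    # CRC framing: the matching checksum change is computable without secrets.
    crc_fix = crc_difference(delta).to_bytes(4, "little")
    crc_frame = xor_bytes(seal_crc(keystream, original), delta + crc_fix)

    # HMAC framing: no valid tag change can be derived without mac_key, so
    # the tag bytes are left as they were.
    mac_frame = xor_bytes(seal_hmac(keystream, mac_key, original),
                          delta + bytes(TAG_LEN))

    return (open_crc(keystream, crc_frame),
            open_hmac(keystream, mac_key, mac_frame))


if __name__ == "__main__":
    crc_result, hmac_result = demo()
    print("CRC-32 receiver accepts:", crc_result)
    print("HMAC receiver accepts:  ", hmac_result)
```
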
A successor to WEP, called WPA (Wi-Fi Protected Access), which will
resolve many of the known vulnerabilities in WEP, is currently in the final
stages of definition by the IETF and will probably become available within
the late 2003 to mid-2004 time scale. While, obviously, transitioning to the
new WPA standard will be desirable in the long run, for the time being
WEP will remain the best available confidentiality tool for WLAN data
streams, so IT security managers will have to plan their strategy to take its
vulnerabilities into account.
How to deploy secure WLANs
The following section gives some practical steps on how to secure your
WLAN.
Do a threat/risk analysis (TRA): Review your organization's real business and
technical security requirements, so you know what resources are most likely
to be attacked, as well as what the consequences would be if each data
element or resource were compromised.
Without undertaking this crucial step, it is impossible to properly secure
your enterprise LAN, since you may be over-securing low-sensitivity
resources while under-securing resources that are critical to your business.
As an example of this, if your enterprise LAN contains a mixture of
low-bandwidth 1x RTT (cellular) and 802.11x-connected PCs, your
available IT security manpower cycles may be better spent on the latter
rather than the former (cellular networks have a degree of authentication
security built in at the billing account level, and in any case, their metered
costs and relatively low bandwidth give mobile users an incentive to
restrict use of the resource, thereby mitigating the risk of data compromise).
Architect a secure wireless solution: Design an appropriate, secure wireless
scheme that meets your users' needs. A system which leaves important
functions (for example, the ability to access home-based wireless networks)
completely unaddressed, will likely be bypassed by end users, resulting
in no security at all.
Also, the word "architect", as used in this context, is a verb; your IT
staff should spend the time to draft a valid WLAN architecture for
your enterprise, not leave this function to ad hoc infrastructure growth
engineered by end users. (If end users have no official WLAN architecture
to adhere to, they will adhere to whatever is most convenient for them
at the time.)
Roaming: Propose an effective roaming solution that extends the network
beyond the office.
The point here is to realize that wireless LAN access (particularly, wireless
802.11x-related infrastructure deployed in residential or airport hotspot
contexts) is here to stay; attempts to prohibit it, or to ignore it and hope
the problem goes away (it won't), are likely to be futile.
If your IT staff is able to get out in front of the curve and propose a
wireless roaming system that will enhance end user convenience, the
chances are much greater that you will get the co-operation of end users
when the time comes to implement strong security.
Use WEP but don't expect miracles of it: Wired Equivalent Privacy (or WEP)
authentication and encryption is not perfect, but using it is far preferable to
having no wireless encryption protection at all. So enable it for all the
access points that support it.
Think of the analogy with the lock you use to secure the front door of
your house, or the lock on your car door. Both of these can certainly be
defeated, and this happens every day across the country; but the mere
presence of a lock is known to deter thieves, who for the most part would
prefer to attack targets that are less well defended. WEP can work in exactly
the same way for wireless LANs, encouraging attackers to go after someone
else's network.
Furthermore, it should be noted that although it is indeed possible to break
or circumvent WEP-based wireless security, doing so is (particularly for its
128-bit and longer versions) a much less straightforward task than some
alarmist media stories would have one believe.
There are many reasons why this is the case, but as an example, most
WEP-hacking programs currently (July 2003) available run only over
various versions of the Linux, OpenBSD or other non-Windows operating
systems; thus, to use most of these, an intruder must acquire and install a
completely new operating system on his or her computer. (And, possibly,
recompile the hacking program from C++ source code, itself a non-trivial
task.) Then, the intruder must have at least some understanding both of
low-level TCP/IP data concepts and of encryption concepts, must have
both the time (possibly as much as a day per attempt) and the circumstances
(e.g. a car or van to park discreetly while attempting to break a WLAN-secured
access point) and, finally, the disposition (in particular, a good deal
of patience) to carry the intrusion attempts through to fruition.
Impossible? No, but definitely a task that would deter many casual intruders
who are just nosy. But by not using WEP, you are making the task of
intrusion immensely easier, just as you would be by not placing a lock
of any kind on your home's front door.
So, WEP has a part to play in securing WLAN systems; just do not make
the mistake of making it your only 802.11x security technology.
As a side-note, wherever possible, your organization should invest in
WLAN access devices (e.g. access points, routers and network cards) that
either implement, or can conveniently be upgraded to implement, the
emerging WPA wireless security standard. While WPA is currently (July
2003) still a work in progress, it will eventually succeed WEP and solve
many of WEP's known vulnerabilities. Planning ahead to implement
WPA will eventually make the task of securing 802.11x-based WLANs
considerably easier.
Authentication is the key: The most significant vulnerability of wireless
LANs is the fact that, at the physical level, by definition they enable access
to anyone, authorized or not, within a WLAN access point's radius of useful
signal strength. (As noted above, this is in contrast to the situation with
a conventional LAN, where a user must have physical access to building
facilities to plug in to a 10BaseT UTP Ethernet cable.)
Thus, systems that ensure that only authorized users are allowed to get
a physical level connection at all to WLAN access points, are a critical
function of wireless LAN security policy (although, they are not, by
themselves, everything you need to secure a WLAN). Providing robust
authentication security for use of wireless access points will instantly stop
80% of intrusion attacks.
End-run WEP problems with RADIUS: An excellent, industrial-strength
solution to the WLAN authentication issues is an authentication
infrastructure that implements a RADIUS client/server architecture.
RADIUS, an IETF standard security management protocol first used for
dial-up access to Internet Service Provider modem pools, enables control
over which users can connect to your network, and over what resources
they can access. Wireless-optimized extensions to RADIUS can enable
wireless users to be strongly authenticated at access points using X.509
digital certificates.
There are currently two flavors of such RADIUS extensions that you
should consider:
- EAP-TLS (Extensible Authentication Protocol-Transport Layer Security): This
  is the security method used in the 802.1X client for Windows XP; it uses
  client- and server-side certificates to perform authentication; dynamically
  generated user- and session-based keys are distributed to secure the
  connection.
- PEAP (Protected Extensible Authentication Protocol): Protected EAP is an
  extension of EAP-TLS which provides certificate-based mutual authentication
  of the client and network. Unlike EAP-TLS, PEAP requires only server-side
  certificates, eliminating the need to configure certificates for each WLAN
  client.
The certificate-based client / server approach has many advantages. For
example, administrators can enforce policies on user sessions, to specify the
length of an encryption key and the time interval for its auto-renegotiation,
and so on. Collectively, these features can negate most of WEP's known
vulnerabilities and exponentially increase the complexity and difficulty of
intrusion attempts.
Note that some configurations may require a specialized, RADIUS-
compatible client on each PC that will access the secure wireless LAN
infrastructure; so, in planning a network of this type, you should make
some allowance for remote roll-out, installation and provisioning issues.
Install, configure and test: Build and configure WLAN authentication
servers using best security practices. Install, configure and test hardware
and software.
In particular, don't assume that security equipment and software actually
does what it claims to do. Oversights such as a certain type of wireless
router returning the administrator password in cleartext, when a certain
SNMP call is made to it, or storing sensitive WLAN configuration
and authentication data in a client PC's Windows Registry in completely
unencrypted format, are uncommon but are definitely there, and the
hackers all know about them.
Either have your own IT department or (better yet) hire a third party to
attempt to break or bypass whatever WLAN security features you have
implemented. You may be surprised what you find out about the equipment
that you thought was bullet-proof.
The problem (partly) starts at home: As noted above, from the perspective
of an attacker, unsecured, home-based WLAN access points may be
considerably more attractive targets than would be the likely better-
protected assets at an enterprise's business offices.
There may be little that your organization can (or should) do to prevent or
restrict the ways in which employees use their own computers at home. But
there are ways in which you can mitigate this risk, from both wireless and
conventional remote access perspectives.
Require, or at least make available, more sophisticated, multi-factor methods
of user authentication than just usernames and passwords (which are too
easily compromised by basic hacking techniques such as keyloggers, IP packet
sniffing, etc.) for access either to employee home computers or corporate
resources. Among the advanced authentication methods available today are
X.509 digital certificates, USB keys, smart cards and biometrics.
Use of any one or combination of these systems will make the task of an
intruder significantly more difficult, because simple interception of a password
via a compromised residential WLAN will no longer be sufficient to enable
subsequent compromise of the enterprise LAN as a whole.
If possible, implement a VPN (Virtual Private Network) system to secure the
datastream between remote/home-based client PCs and central enterprise data
resources. Properly-configured VPNs, particularly if combined with more
sophisticated methods of multi-factor user authentication, can provide good
protection for corporate resources, even if a residential WLAN access point is
itself compromised to give an intruder access. There are two main types of
VPNs: IPSec systems, which require installation of client software, and the
newer SSL VPNs, which are entirely browser-based, making provisioning and
roll-out significantly easier (as well as more secure).
Provide, or encourage the use of, tools for good security practices on home
computers. Among these are software firewalls, anti-virus software and anti-
spyware software. Using such tools will make your entire enterprise network
more secure, in addition to complicating the task of a wireless intruder who
wants to hijack a vulnerable home computer as an entry point for activities
such as a denial-of-service or virus injection attack.
Provide at least some security-related education for all employees, but
particularly those who may be using, or considering using, wireless networking
at home. An example of the types of advice you could give in such training
would be, "every so often, have a quick look at your wireless router and cable
(or ADSL) modem; if your PC is turned off, but there is a lot of constant
data traffic on the router and the modem, this might indicate an unauthorized
connection; contact your Security department." The more educated your
home users are, the better able they will be to recognize intrusions at an early
stage.
Attackers may want your bandwidth, not your data: Not all attacks against
enterprise WLANs may involve the usual security threats such as data
interception or password compromises.
For example, attackers may want access to your organization's infrastructure
for more mundane but still inappropriate purposes, such as trading
illegally copied media items (songs and movies) or software, creating a
launching point for mass spam mail blasts, storing pornography or simply
free Web surfing.
While these types of attacks did exist prior to the inception of WLANs,
they are a far more attractive proposition nowadays because a wireless
intruder may not have to bypass a firewall. You should consider, and protect
against, this risk in designing your organization's WLAN strategy.
Manage and support: Review your WLAN support options to meet the
needs of your internal customers. Adjust these options to take into account
changing needs, especially at the residential and home networking levels.
The easier that it is for users to access your support resources to get answers
to security-related concerns, the more likely it will be that your users will
adhere to whatever wireless security policy your organization has decided
upon.
The details of implementing WLAN security
To protect your wireless LAN network from attack, the following best
practices are recommended:
1. Educate employees about WLAN risks, especially about how to recognize an
intrusion or suspicious behavior. Security-aware end users are perhaps your
best line of defence against intrusion.
2. Prohibit or restrict unauthorized attachment of wireless access points (rogue
access points).
3. Employ a third party managed security services company to constantly
monitor your network security infrastructure for signs of an attack or
unauthorized use.
4. Deploy strong authentication (X.509 digital certificate, USB token, smart card
and/or biometric) for all of your IT resources, wireless and wireline alike.
Doing so will tremendously complicate the task of wireless snoopers,
because interception and possession of a compromised password will no
longer allow them to access protected resources and data sets.
5. Prohibit or restrict use of 802.11x WLAN cards in ad hoc mode, especially
when in public areas or any building with perimeter less than the WLAN
broadcast range.
6. Ask users to connect only to known access points; masquerading access points
are more likely in unregulated public spaces.
7. Deploy personal firewalls, anti-virus software and spyware blockers on all
corporate PCs, particularly laptops and computers using the Windows
operating system. Use corporate network security policy to enforce the
continuous use of these assets and train employees to recognize when a
problem is detected.
8. Actively and regularly scan for rogue access points and vulnerabilities on the
corporate network, using available WLAN management tools.
9. Change default management passwords and, where possible, administrator
account names, on WLAN access points. Also, make sure to disable or secure
other potential leak-points of confidential configuration data (for example
Telnet access or auto-responses to SNMP queries, etc.) that might be of
value to a hacker trying to glean information about your network from a
wireless access point.
10. Change the default SSID on all access points, and allow the access points to
broadcast their SSIDs. This enables users to easily identify the access point to
which they are connecting and only present the necessary credentials. It may
be a good idea to make the SSID of an access point something that misleads
attackers about the value of the data behind it; for example, an access point in
a bank could be named "COFFEESHOP" instead of "BANKSECRETS".
11. Turn on and use encryption (128-bit TKIP or higher WEP if your
equipment supports it). TKIP provides protection against the drive-by
snooper or unintentional visitor, but it should always be used with other
measures in a corporate environment.
12. Use strong security for other data resources such as laptop or desktop data
files and e-mail messages and attachments. (For example, desktop encryption
solutions can range all the way from simple Windows-based EFS encryption
to more advanced, flexible and platform-independent third party solutions,
while X.509 digital certificates offer a very cost-effective way of securing
e-mail.) The reason, again, is to create a layered security system, so that
an intruder who somehow manages to defeat your organization's WLAN
security still has additional barriers to cross to do real damage.
13. When deploying 802.1X infrastructure to implement dynamic encryption
keys (for example with a RADIUS-based authentication system), configure
the session key update for at least once per hour to minimize the chance of
key repetition.
14. Make sure that your RADIUS server has a valid server certificate for network
authentication to all valid users and devices.
15. Avoid placing access points against exterior walls or windows.
16. Reduce the broadcast strength of WLAN access points, when possible,
to keep it within the necessary area of coverage only. Avoid coverage of
unintended areas such as parking lots.
17. When planning network design, use 802.1X-based port authentication
for wired switches and hubs to inhibit future addition of unauthorized,
user-attached access points.
18. Ask employees with home WLAN access points to change the authentication
and confidentiality keys of their broadband routers, etc., at least once per
month (once per week if your organization is very security-sensitive). It
may be cost-effective for your organization to purchase one example of the
consumer WLAN to broadband routers from the locally dominant vendors
(e.g. Linksys, SMC, Netgear, etc.) and have your IT staff create simple,
easily-understood corporate standard instructions as to how to do this, as
well as to offer residential WLAN phone support for inexperienced users.
All of these steps will help to reduce the home access point wireless LAN
vulnerability.
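As an added illustration of items 2, 5, 6, 8, 10 and 11 above (not part of
the original white paper), the following Python example compares a wireless
site survey against an authorized access point inventory. The inventory, scan
rows, default-SSID list and encryption labels are all constructed, and the
128-bit minimum is an assumption read from item 11.

```python
# Added example; every BSSID, SSID and scan row here is constructed.
# Authorized inventory: BSSID -> SSID that access point should announce.
AUTHORIZED = {
    "00:11:22:33:44:01": "COFFEESHOP",
    "00:11:22:33:44:02": "COFFEESHOP",
}
# Assumed sample of vendor default SSIDs; extend for the hardware you own.
DEFAULT_SSIDS = {"linksys", "netgear", "smc", "default"}
# Assumed encryption labels, weakest to strongest; minimum read from item 11.
RANK = {"NONE": 0, "WEP-40": 1, "WEP-128": 2, "TKIP": 3}
MIN_CRYPTO = "WEP-128"

# Constructed survey output: (bssid, ssid, mode, encryption)
SCAN = [
    ("00:11:22:33:44:01", "COFFEESHOP", "infrastructure", "TKIP"),
    ("00:11:22:33:44:02", "COFFEESHOP", "infrastructure", "WEP-40"),
    ("66:77:88:99:AA:BB", "COFFEESHOP", "infrastructure", "NONE"),
    ("00:AA:BB:CC:DD:10", "linksys", "infrastructure", "NONE"),
    ("02:12:34:56:78:9A", "laptop-share", "ad-hoc", "NONE"),
]

def assess(scan, authorized=AUTHORIZED):
    """Return {bssid: [finding, ...]} for each scanned network with findings."""
    inventory = {b.lower(): s for b, s in authorized.items()}
    corporate_ssids = set(inventory.values())
    findings = {}
    for bssid, ssid, mode, crypto in scan:
        bssid, issues = bssid.lower(), []
        known = bssid in inventory
        if mode == "ad-hoc":
            issues.append("ad-hoc")            # item 5: peer-to-peer network
        if not known and ssid in corporate_ssids:
            issues.append("masquerading")      # item 6: our SSID, unknown radio
        elif not known and mode != "ad-hoc":
            issues.append("unknown-ap")        # items 2 and 8: not in inventory
        if known and ssid != inventory[bssid]:
            issues.append("ssid-mismatch")     # inventory drift or tampering
        if ssid.lower() in DEFAULT_SSIDS:
            issues.append("default-ssid")      # item 10
        if known and RANK.get(crypto, 0) < RANK[MIN_CRYPTO]:
            issues.append("weak-encryption")   # item 11; unknown label = weakest
        if issues:
            findings[bssid] = issues
    return findings

if __name__ == "__main__":
    for bssid, issues in assess(SCAN).items():
        print(bssid, ", ".join(issues))
```

An unknown BSSID may belong to a neighbour, and a matching BSSID is not proof
of identity, so treat each finding as a lead to confirm from the wired side.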
Summary
Wireless LANs are neither the inherently insecure demon that their
detractors depict, nor inherently secure enough to be implemented
in exactly the same way as conventional wireline LANs would be. But
because this technology is quickly gaining momentum from a consumer
acceptance perspective, it is imperative that your organization roll out its
WLAN(s) in a secure fashion.
Doing this may require only a few steps and types of security practice
and technology, or may require more, depending upon the nature of the
information being protected and the degree of security desired. And, it's
important to note, some of the best practice steps you should use to
secure a wireless LAN are basically the same as would be the case for
a conventional network. Viewed in this context, the implementation of
a WLAN can be an ideal catalyst to improve the overall security of the
rest of your enterprise LAN or WAN.
The results will benefit users of both wireless and wireline infrastructures
and your organization's productivity will improve as well.
But start the process now, before your WLAN starts to broadcast things you
don't want the public to hear!
2003 VeriSign, Inc. All rights reserved.
VeriSign, the VeriSign logo, NetSure, and other trademarks, service marks, and logos are registered or unregistered trademarks of VeriSign and its
subsidiaries in the United States and other countries. All other trademarks belong to their respective owners. DS 037 0903
Copyright Soltrus, Inc., 2003. Limited permission is hereby granted to reproduce and distribute this document, provided that this notice of copyright
is included and that distribution is not for a commercial purpose.