How to secure the wireless fortress
Here’s what you must do to protect your WLANs
- By Maggie Biggs
- Jun 26, 2006
Wi-Fi Alliance Web site
What’s not to love about wireless local-area networks? The hardware is relatively inexpensive, particularly when compared with the costs of traditional wired network hardware. Moreover, WLAN speeds have improved so much that most users won’t notice a slowdown compared with wired networks’ performance. Finally — and best of all — you get to lose all those pesky wires.
So what’s the downside of WLANs? In a word: security. Or rather the lack of it.
Since the passage of the first wireless standards seven years ago, security has been a major thorn in the side of WLAN technology. When vendors tried to conform to the first approved wireless standards, they often produced solutions with disabled security features, default passwords that were easy to subvert, short cryptographic keys and no client authentication — among other problems.
Those early wireless products also lacked decent administration tools and interfaces, which caused many people not to enable security at all. Those factors increased the likelihood that the bad guys would have a pretty easy time accessing your WLAN to piggyback on your Internet connectivity or crack into your wired network. That last point is particularly important, because intruders taking advantage of early wireless configurations — attached to wired networks — could often easily cross your firewall undetected.
If you have existing wireless equipment — access points, client cards, etc. — that you purchased before late 2003, you should wipe out the configuration information and remove them. Those early products used Wired Equivalent Privacy (WEP) to enforce security, and the protocol is insecure.
WEP is not secure because it uses a static encryption key. Someone passively monitoring a wireless network could easily figure out the key. Moreover, publicly available tools, such as AirSnort, made this practice fairly common at the time.
In 2002, another wireless acronym — WPA, or Wi-Fi Protected Access — entered the lexicon partially because of all the security issues discovered with WEP. As the Institute of Electrical and Electronics Engineers began work on the proposed 802.11i standard to bolster security, the organization initially supported a WPA version based on early drafts of the forthcoming standard.
In June 2004, the 802.11i standard was finally adopted, and some refer to it as WPA2. If your agency has older 802.11g wireless equipment — circa late 2003 — those devices may support the early version of WPA. You might be able to update those devices by applying firmware that brings the device fully into compliance with the 802.11i standard. You can check with your wireless vendor or the Wi-Fi Alliance Web site to verify that your existing products or ones you may be evaluating fully support the 802.11i security measures.
The 802.11i standard provides more security advantages than earlier wireless protocols do. Its WPA2 support uses a stronger key management mechanism via Temporal Key Integrity Protocol. The TKIP support enables the automatic creation of encryption values derived mathematically
from a master key. The security feature handles the changed values transparently and automatically without the need for administrative intervention. That is a much better setup than the manual key creation that the early WEP protocol required.
Managing your wireless strategy
The latest wireless standards and protocols provide significant security improvements compared with previous technologies. However, ensuring that your agency is using wireless networking in a secure manner requires additional efforts.
For starters, managers need to define a solid wireless security policy. First, your security policy should identify who may — and may not — use wireless technology in the agency.
Next determine if Internet access is necessary.
Then define who can install, configure and maintain your wireless equipment.
You should also specify the physical security measures you will take to limit access to wireless equipment, such as wireless access points.
Also consider the type of information that you will allow to traverse your wireless network. Write detailed guidelines to define that information and the conditions under which wireless devices can connect to the WLAN.
In your wireless security policy, detail all hardware and software settings and provide specific standards that wireless administrators must adhere to for all wireless devices.
As with the security policy for your traditional, wired LAN, you will need to define a methodology for users to follow if a security breach occurs or someone loses or steals wireless client equipment. You can usually add incident reporting processes for wireless resources to the incident reporting structure you already use for your wired network policy.
As part of your wireless security policy, you should also define the intervals, scope and available tools with which your agency will conduct wireless security assessments. Several wireless security vendors, including Network Chemistry and Bluesocket, have tools that address assessments to ensure compliance and ongoing monitoring.
Finally, your security policy should include education for administrators so that they are aware of innovative technologies and new threats. In addition, you should identify steps for ensuring that all authorized wireless users understand the security policy, wireless usage rules and steps for reporting issues.
Improving security every day
From an operational perspective, wireless technology has some of the same security issues that other technologies do. For example, as with antivirus products, wireless products require patches and firmware upgrades. Administrators must consistently stay on top of those changes and test them before deploying them.
Some security techniques are relatively obvious. Regularly change all passwords and do not use the same passwords throughout the entire agency’s wireless hardware. Use strong passwords. Review audit logs daily.
At regular intervals — quarterly, at a minimum — inventory all wireless equipment, including client devices. Execute regular security assessments using tools that can alert you when device settings are out of agency compliance. Review physical security and your security policy at regular intervals, too. Assign technical staff members the task of staying current on all wireless trends so you can remain alert and vigilant about potential threats.
Deploying wireless technologies will always carry a certain level of risk. The best practices outlined here and in other wireless security documentation, if followed completely, can greatly reduce — but not eliminate — the likelihood of an attack or unauthorized access to your network.
Choosing the right wireless technology
One goal of setting standards for wireless equipment is knowing what you’re buying when you go shopping for wireless network pieces. If you buy an inexpensive wireless client at Office Depot that supports the 802.11i security standard, you can rest assured that it will work with your compatible access point that also supports that standard, regardless of the manufacturer.
But standards such as 802.11i establish only a floor, not a ceiling. Any 802.11i equipment must meet certain requirements specified in the standard, but specific brands of equipment could exceed those standards.
That’s why the majority of agencies will likely want to consider forgoing the immediate savings of discounted consumer equipment in favor of purchasing products from enterprise suppliers.
With enterprise wireless technologies from companies such as Cisco Systems and other network suppliers, the solutions provide additional tools designed for integrating, monitoring and managing larger installations. Although agencies might be able to integrate equipment from consumer-oriented equipment vendors, they likely would never reach the level of integration with management tools offered by enterprise vendors.
Biggs, a senior engineer and freelance technical writer based in northern California, is a Federal Computer Week analyst. She can be reached at email@example.com.