Eight steps to secure the wireless network
By Victor R. Garza
Jan 12, 2003
Whether you are thinking about deploying a wireless local-area network at your agency, are in the process of deploying one or have already done so, a number of factors should always be on your mind. And if security isn't first on your list, it should be.
The fact is, a wireless network is no longer contained inside the walls or fence that would normally guard a network's infrastructure. Anyone with the right antenna can pull your network data right out of the air and, conceivably, from a good distance away.
So in light of the security risks, why bother with wireless LANs? One big draw is the ease and speed of installation. A wireless LAN can be deployed in a fraction of the time a wired LAN requires because no cabling needs to be laid beforehand. An existing network can be extended in a matter of minutes to locations that weren't previously possible.
During our testing, we were able to set up an access point (AP) and access network services in less than five minutes. With newer Ethernet switches that are capable of power-over-Ethernet, you don't need a separate power supply for the AP — just pull data and power off the Category 5 cable. Both the Cisco Systems Inc. Aironet 1200 Series and the 3Com Corp. AP 8000 we tested came with power-over-Ethernet out of the box.
Another major draw of wireless LANs is the flexibility that end users will encounter when they connect to the network. Just open a laptop, turn on the wireless client adapter and — assuming you are within range of an access point — you're in business.
There are downsides, of course, aside from potential security problems. Most notably, the throughput and reliability of the network connection decrease the farther away from the AP you get.
For this review, we tested several brands of access points and wireless client adapters with an emphasis on the security issues encountered in setting up and maintaining a wireless network.
There are a number of steps — we grouped them into eight — that anyone deploying a wireless LAN should take to secure a network. We found that some of the products we tested are better suited to larger deployments, while others are more appropriate for smaller installations.
Establish security policies
Starting with a solid security policy for your existing network is a priority when looking at any wireless deployment. After all, a wireless network is just an extension of a wired network and will use that network as its base.
What's more, having a solid wireless security policy before installing (or buying) a wireless network can help prevent the scope of the project from growing. Although a security policy is not the most glamorous part of a network project, it is the foundation for network management and should be a focus area before deployment.
Some modifications to security policies reflect the changes that a wireless addition to the network can make. This includes network documentation and educating users on the impact and challenges a wireless network can present. Proper training can ensure that everyone is focused on the safety of mission-critical data.
We further recommend that a security assessment be performed before and after a wireless LAN is deployed. This will help expose vulnerabilities before, during and after the wireless LAN is installed.
Keep in mind that there are two modes that wireless networks can run in: "infrastructure" or "ad hoc" mode. Infrastructure mode employs the model of a classic LAN with centralized servers providing data to hosts and the use of APs to connect wireless clients. An ad hoc network is simply a peer-to-peer network in which clients are connected directly to one another via their wireless client adapters.
We recommend employing only infrastructure mode, because there is little opportunity to enforce security when clients connect directly to each other.
Because we didn't want to enable ad hoc networking in our deployment, we were pleased to find that the 3Com and Proxim Inc. APs have settings for client-to-client blocking, which prevents clients associated with the same AP from communicating with one another. Of course, that strategy only works when the clients are within range of the AP.
Pretest the AP products you're considering deploying in a closed test environment to make sure all the pieces work together. If you're planning on creating a LAN-to-LAN bridge with APs, look into getting specific antennas to suit your need and distance requirements. The right antenna will ensure that you're broadcasting network information to a specific destination and not to surrounding areas.
If you want to create an environment in which a wireless LAN client can roam seamlessly from AP to AP, be sure to test this scenario in a similar environment to mimic any possible problems with coverage — such as cubicle and office walls that block or deflect signals or large motors that drown out the AP signal.
Find rogue devices
Before conducting a site survey to find where wireless APs should be deployed, it's important to find "rogue" APs — installed by users wanting to roam the building without being tethered to their desks — that may already be hanging off your network.
During our testing, we decided not to include Linksys Group Inc. and D-Link Systems Inc. AP products, which are inexpensive and usually transparent to network management products that rely on Simple Network Management Protocol discovery. Such APs can present a security problem by creating an easily hidden rogue AP network.
Because setting up an AP is relatively easy and rogue APs can be hidden almost anywhere (under a conference table or behind a computer monitor on a desk), finding rogue devices is extremely important.
AirMagnet Inc.'s AirMagnet handheld device was extremely useful in sniffing out rogue devices.
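One way to turn a walk-through with a handheld analyzer into a list of devices to track down, as an added example that is not part of the original article: it compares every AP heard during the survey with the inventory of APs the agency installed. The inventory, the survey tuple layout and all BSSIDs, SSIDs and signal readings are constructed for illustration.

```python
# Added example: compare APs heard on a walk-through with the installed inventory.
# Every BSSID, SSID and signal reading below is constructed sample data.

AUTHORIZED = {  # BSSID -> (SSID, location) of APs the agency installed
    "00:40:96:aa:10:01": ("fin-west-2", "Room 210"),
    "00:40:96:aa:10:02": ("fin-west-2", "Room 240"),
}

# (BSSID, SSID, channel, signal in dBm, where the reading was taken)
SURVEY = [
    ("00:40:96:AA:10:01", "fin-west-2", 1, -48, "Room 210"),
    ("00:06:25:5c:33:9e", "linksys", 6, -41, "Conference B"),
    ("00:05:5d:11:22:33", "fin-west-2", 11, -60, "Lobby"),
    ("00:40:96:aa:10:02", "fin-west-2", 6, -55, "Room 240"),
    ("00:06:25:5c:33:9e", "linksys", 6, -70, "Room 240"),
]


def unlisted_aps(survey, authorized):
    """Return {bssid: finding} for every BSSID that is not in the inventory."""
    our_ssids = {ssid for ssid, _ in authorized.values()}
    findings = {}
    for bssid, ssid, channel, dbm, where in survey:
        bssid = bssid.lower()  # tools differ in case; normalise before lookup
        if bssid in authorized:
            continue
        # An unlisted radio using an agency SSID deserves attention first.
        kind = "unlisted-using-our-ssid" if ssid in our_ssids else "unknown-ap"
        best = findings.get(bssid)
        # Keep the strongest reading: it marks the survey spot nearest the device.
        if best is None or dbm > best["dbm"]:
            findings[bssid] = {"kind": kind, "ssid": ssid, "channel": channel,
                               "dbm": dbm, "nearest": where}
    return findings


def not_heard(survey, authorized):
    """Inventory APs never heard in the survey (off, moved or replaced)."""
    heard = {row[0].lower() for row in survey}
    return sorted(set(authorized) - heard)


if __name__ == "__main__":
    for bssid, finding in unlisted_aps(SURVEY, AUTHORIZED).items():
        print(bssid, finding)
    print("inventory APs not heard:", not_heard(SURVEY, AUTHORIZED))
```

A BSSID match only shows that a radio claims an inventoried address, so the location and channel of each match are still worth comparing with the deployment records.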
Conduct site surveys
A site survey will determine where APs should be placed and the coverage area for each AP. During the survey, you might find it useful to use a rolling bench with the AP attached to the top of a pole to find the best position and location for the AP and possible coverage obstacles.
Again, we recommend using a device such as AirMagnet to measure how the AP will work in the actual location.
For our testing, we used the 3Com 8000's rudimentary site-survey tool, which was able to find 3Com APs. It didn't offer bells or whistles but got the job done. Cisco offers a site survey tool for use with wireless Network Interface Card (NIC) clients and their APs, but we found it fairly rudimentary as well.
In terms of managing the AP coverage area, we were pleased to find that 3Com's, Cisco's and Proxim's products offer settings to increase or decrease AP signal strength, which we used to contain our wireless network perimeter.
Install the wireless LAN
After completing the site survey, we were ready for deployment. If you are deploying multiple APs in an area, it is important to think about overlapping coverage areas. Specifically, it's important to make sure that the channels on which the APs transmit and receive signals don't conflict with one another.
In our testing, we followed the general wireless LAN rule by employing a maximum of three co-located, nonoverlapping channels in a wireless LAN area.
Because there are 11 possible channels from which to choose, a good rule of thumb is to use channels 1, 6 and 11 on different, yet co-located, APs. Use a device such as the AirMagnet to check for possible overlapping channels and conflicts with other devices that use the same spectrum (such as microwave ovens and wireless phones) and adjust accordingly.
We appreciated the fact that products from 3Com, Proxim and Cisco searched out the appropriate channel on their own, so we didn't have to tweak settings.
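The channel rule above can be checked against a deployment plan, shown here as an added example that is not part of the original article. It goes beyond the 1, 6 and 11 rule of thumb by computing overlap from channel frequencies, and it assumes each 802.11b channel is a flat 22 MHz band centered at 2407 + 5 x channel MHz; the AP names, channel assignments and the list of APs in range of each other are constructed.

```python
# Added example: find co-located APs whose 2.4 GHz channels overlap.
# AP names, channels and the "hears" pairs are constructed sample data.
from itertools import combinations

CHANNEL_WIDTH_MHZ = 22  # bandwidth occupied by one 802.11b channel


def center_mhz(channel):
    """Center frequency of 2.4 GHz channels 1-11, spaced 5 MHz apart."""
    if not 1 <= channel <= 11:
        raise ValueError(f"channel {channel} is outside 1-11")
    return 2407 + 5 * channel


def overlap_mhz(a, b):
    """Spectrum in MHz shared by two channels (0 when they are clear)."""
    return max(0, CHANNEL_WIDTH_MHZ - abs(center_mhz(a) - center_mhz(b)))


def conflicts(channels, hears):
    """channels: {ap: channel}; hears: pairs of APs in range of each other."""
    found = []
    for a, b in hears:
        shared = overlap_mhz(channels[a], channels[b])
        if shared:
            found.append((a, b, shared))
    return found


def clear_sets(size):
    """Every set of `size` channels in 1-11 with no pairwise overlap."""
    return [combo for combo in combinations(range(1, 12), size)
            if all(overlap_mhz(x, y) == 0 for x, y in combinations(combo, 2))]


CHANNELS = {"ap-210": 1, "ap-240": 6, "ap-lobby": 4, "ap-310": 11}
HEARS = [("ap-210", "ap-240"), ("ap-240", "ap-lobby"),
         ("ap-lobby", "ap-210"), ("ap-240", "ap-310")]

if __name__ == "__main__":
    print(clear_sets(3))  # the only clear three-channel plan
    for a, b, shared in conflicts(CHANNELS, HEARS):
        print(f"{a} and {b} share {shared} MHz")
```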
Positioning APs so that their range is limited to a specific coverage area (for example, by placing an AP on an inside wall instead of an external wall) or using specialized antennas to focus the wireless coverage area is a good idea. However, be aware that changing your antenna to narrow the coverage area will not guarantee that someone with a focused antenna cannot pull your signal out of the air from the parking lot or outside the perimeter fence.
If coverage flexibility is important for you, look into the options offered by the products you're considering. The Cisco Aironet 1200 that we tested, for example, offered two dipole antennas for 802.11b connections that we could have changed to more focused antennas if appropriate.
The Aironet 1200 also had an integrated 802.11a patch and omnidirectional antennas. The 3Com 8000 series that we tested also had two removable dipole antennas for 802.11b support, and 3Com's Web site has other antenna types available for specific environments.
We're still undecided on the way that Proxim handles the antenna issue. Instead of an antenna, the Proxim AP employs a standard client wireless NIC that fits into the top of the unit. According to Proxim officials, this allows the product to be more flexible because the two slots on the AP allow for 802.11b, 802.11a or both cards to be installed simultaneously.
We did note that the Proxim 802.11a card comes with an expansion antenna connected to it. Although this configuration allows for greater flexibility for future 802.11 expansion, it seemed somewhat inefficient and limiting because there wasn't a connector for adding an external antenna if we needed to. We were, however, impressed overall with the coverage area from the Proxim AP, even without a dipole antenna.
We took a look at U.S. Robotics' AP to see how well it fared against its enterprise brethren. (Intel Corp.'s product didn't arrive in time for this article.)
We found that USR's wireless NICs are fairly common, relatively inexpensive and easily deployed in a wireless LAN. USR's AP doubles the speed of its previous product's standard 802.11b AP and wireless NIC combo from the common 11 megabits/sec to 22 megabits/sec. Although USR's AP is not designed for large-scale deployments, it was the easiest and fastest to install, with an intuitive and informative software front-end and AP management page.
Like the USR device, Proxim's Orinoco AP-2000 also has the ability to run at higher speeds than its competitors — up to 108 megabits/sec with its 802.11a wireless NIC and AP combination.
During the deployment phase, Dynamic Host Configuration Protocol (DHCP) servers can also be useful for providing IP addresses just for your wireless LAN clients. Because more wireless LANs are using flatter networks (and not going across router boundaries) to facilitate roaming from one AP to another while still maintaining connectivity, it is useful to provide DHCP services.
Setting up a DHCP server for wireless LAN clients on the wired side of the network behind a firewall can also enhance security. It is important to use appropriate measures to manage DHCP servers, such as creating DHCP ranges specifically for wireless LAN clients, managing lease times, and limiting and monitoring the number of IP addresses in a range. Configured that way, DHCP servers can be just as effective as using static IP addresses to enhance wireless LAN security.
Check encryption settings
All the hype about wireless security concerns seems to revolve around the default Wired Equivalent Privacy (WEP) protocol, which uses encryption and a shared key to provide link-level data security for the wireless connection and the wireless LAN segment network name — known as the Service Set Identifier (SSID) or Extended Service Set Identifier.
One problem is that many installations don't even turn on WEP, which is the most basic form of AP security. We recommend using WEP with 128-bit keys, or even better, use a product that has a revolving WEP key, sometimes called fast-key switching, such as those made by Cisco, 3Com or Proxim.
USR's product doesn't have a revolving WEP key, but the company does have a 256-bit key scheme that works between the company's AP and wireless NIC. Remember that with any scheme more secure than 40-bit key encryption, you may be limited to using one vendor's client cards with that vendor's AP.
Next, make sure you change all default settings immediately. Change WEP keys frequently, don't use weak or easily guessed keys, and use fast-key switching, if available.
Make SSID names easy to remember but not too easy for an outsider to figure out. For example, attackers know default SSIDs for common devices (Cisco's default SSID is "tsunami," and 3Com's is "3Com"), and the AP broadcasts this information. We changed our AP SSIDs to cryptic yet internally documented and relevant names.
Next, configure your APs to refrain from broadcasting their SSIDs. Most APs come configured to broadcast SSID names, which is bad if you're concerned about security. If you turn off the broadcast features — though not every AP allows you to do so — clients can still connect if they know the name of the AP, while casual interlopers will fail to see the network.
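The settings checks in this section (WEP on, 128-bit keys, no weak keys, fast-key switching, no default or broadcast SSID) can be run over an export of AP settings, shown here as an added example that is not part of the original article. The record field names, the three sample APs and their keys are constructed, and the key is assumed to be exported as hex digits of the secret without the 24-bit initialization vector.

```python
# Added example: audit exported AP settings against this section's checks.
# Field names and the three records are constructed; vendor exports differ.
import string

DEFAULT_SSIDS = {"tsunami", "3com"}  # the two defaults named in the article
TYPEABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")

def key_problems(hex_key):
    """Problems with a WEP secret given as hex digits (without the 24-bit IV)."""
    try:
        raw = bytes.fromhex(hex_key)
    except ValueError:
        return ["key is not valid hex"]
    problems = []
    if len(raw) < 13:  # 13 bytes = 104-bit secret, sold as 128-bit WEP
        problems.append(f"{len(raw) * 8}-bit secret, below 128-bit WEP")
    if len(set(raw)) <= 2:
        problems.append("key repeats one or two byte values")
    if raw and all(chr(b) in TYPEABLE for b in raw):
        problems.append("key is typeable text, possibly a guessable phrase")
    return problems

def audit(ap):
    """Return the list of findings for one AP record."""
    findings = []
    if ap["ssid"].lower() in DEFAULT_SSIDS:
        findings.append("default SSID")
    if ap["broadcast_ssid"]:
        findings.append("SSID broadcast enabled")
    if not ap["wep_enabled"]:
        findings.append("WEP disabled")
        return findings
    findings += key_problems(ap["wep_key_hex"])
    if not ap["key_rotation"]:
        findings.append("static key, no fast-key switching")
    return findings

APS = [
    {"name": "ap-210", "ssid": "tsunami", "broadcast_ssid": True,
     "wep_enabled": False, "wep_key_hex": "", "key_rotation": False},
    {"name": "ap-240", "ssid": "fin-west-2", "broadcast_ssid": False,
     "wep_enabled": True, "wep_key_hex": "6167656e63", "key_rotation": False},
    {"name": "ap-310", "ssid": "fin-west-2", "broadcast_ssid": False,
     "wep_enabled": True, "wep_key_hex": "9f3c71e2b80d4a65c1f7a2093e",
     "key_rotation": True},
]

if __name__ == "__main__":
    for ap in APS:
        print(ap["name"], audit(ap) or "ok")
```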
When adopted sometime in 2003, the IEEE 802.11i specification will shore up security deficiencies in WEP, including replacing WEP's use of RC4 encryption with the more robust Advanced Encryption Standard algorithm. Unfortunately, this new security enhancement looks like it may require, in some cases, chucking out your old APs for new ones that support 802.11i.
Evaluate and install monitoring and management tools
Cisco, Proxim and 3Com offer products that are worthy of being deployed in larger environments and are strong in security capabilities, but those products still need help to fully secure a wireless LAN environment. We believe they would benefit from better network management and deployment tools. 3Com's Network Supervisor is one exception, because it delivers a set of management tools that are packaged with the product.
Restricting physical access to the AP is also important. Otherwise, you may make it possible for someone to reset the AP and clear the security settings. During tests of the 3Com 8000, we found a reset button at the bottom of the AP that, when held with a paper clip for five seconds, reset the AP's configuration to factory defaults. Proxim's unit had reset and reload buttons, but the unit's case had to be removed before the buttons were revealed.
Because most APs just act like wireless hubs, they can allow a single wireless LAN client to monopolize the entire AP's bandwidth. We were pleased to see load balancing offered with 3Com's and Proxim's APs. Cisco provides load balancing on the wireless NIC client by directing the client to the appropriate AP using a mix of signal strength, number of users and bit error rate on the AP. 3Com's wireless NIC client software has autonomous load balancing and will search for the AP with the least amount of traffic and not necessarily the highest connection speed to optimize network throughput.
Segmenting the network with virtual LANs is a good idea for restricting network management access to the APs. And segregating the management network from the data network is always a good idea. We were able to do this with the Cisco and Proxim APs, making sure that the traffic the AP receives is tagged with the management virtual LAN identification and blocking rogue APs and wireless NICs from managing our APs.
When looking into deployment of APs, we found that using a single vendor's AP for deployment across the agency or department eases management headaches considerably.
In our testing, we deployed a single vendor's product across an agency. IEEE's 802.11f specification deals with the issue of multivendor AP interoperability, specifically as it relates to roaming. We hope that in the future this will allow an agency to use multiple vendors' APs without worrying about whether a wireless NIC will drop its connection when moving from one vendor's AP to another.
Deploy firewall and VPN
At a minimum, install firewalls between your wired and wireless networks. We blocked unneeded services and ports (such as FTP and Telnet) from the wireless LAN with our firewall rules and used cryptographic measures whenever possible.
A virtual private network infrastructure supporting at least the IPSec security protocol is a must for the wireless LAN, because it creates a secure tunnel from the firewall to the wirelessly connected laptop or client. This is especially important if staff members are going to be using public wireless LANs such as those in hotels or other public places.
When it comes to monitoring attack traffic, an intrusion-detection system that is specifically configured for wireless LANs may also be a good idea for automated monitoring of networks and inevitable intrusions.
We've only come across one intrusion-detection system specifically for wireless LANs, but a system placed between the AP and firewall and in front of the wired network may also suffice. A client-side intrusion-detection system may also be a good idea. Unfortunately, intrusion-detection systems cost extra and require staff resources for log monitoring.
Creating a media access control list can also limit intrusions. Although it doesn't stop intruders from impersonating a valid wireless NIC, it can slow an attack. On the downside, it can be cumbersome to manage access control lists in a large environment without additional tools.
By their very nature, wireless networks present greater security challenges than wired LANs. But if you use these eight steps as a base and work with third-party products for additional encryption, authentication and VPN support, there's no reason that an 802.11 network can't be used for mission-critical data.
And remember that 802.11 networks can be deployed in a short time and in environments that have not traditionally been conducive to LANs. Additionally, wireless LANs are valuable to employees who need access to network resources but can't be tethered to a traditional LAN.
Garza is a freelance author and network security consultant in the Silicon Valley area of California. Lt. Cmdr. Joseph L. Roth of the Naval Postgraduate School contributed comments for this story.