securing wireless local area networks

Upload: sireesha-basamsetty

Post on 05-Apr-2018


    Securing Wireless Local Area Networks


    Securing Wireless Local Area Networks A VeriSign/Soltrus White Paper

    CONTENTS

    Introduction

    Why wireless?

    Types of wireless networks

    The catch is

    How we connected, before

    How we (and the bad guys) connect now without wires

    It's not safe at home, anymore

    Ubiquitous and anonymous

    WEP: Weaker than Ever Protection

    How to deploy secure WLANs

    The details of implementing WLAN security

    Summary


    Introduction

    If the 1980s was the decade of the LAN and the 1990s was the decade of

    the Internet, future historians may look back on the first decade of the

    21st Century as the decade of Wireless Networking.

    Although wireless LANs (WLANs, for short) are proliferating rapidly,

    nowadays, this technology is scarcely ever discussed without mention of

    security concerns. If your organization is planning to deploy a WLAN

    (or has already done so), you should know the facts surrounding wireless

    networks so you can use your WLAN in a secure manner.

    This document will give a brief description of what wireless LANs are,

    how the security concerns with them compare with those of conventional

    computer networks and will detail some practical steps your organization

    can use to deploy fully trustworthy WLANs. It is aimed at readers with

    some prior knowledge of computer networking concepts, but anyone interested in wireless networking security will benefit by reading this

    White Paper.

    Why wireless?

    The cost-effectiveness and flexibility of the wireless LANs of the 21st

    Century, as an alternative to traditional wired networks, are ideal for mobile

    workers. They allow access to real-time information and corporate resources

    almost anywhere a mobile worker may be located, and with the growing

    popularity of wireless hotspots, mobile workers can now connect to the

    Internet at airports, hotels, restaurants, and other public places. Within the

    last few years, access speeds for WLANs have started to approach those available for conventional wireline networks, making use of wireless

    networking practical for mainstream business and consumer purposes.

    The benefits of wireless networks don't end outside the office, because with

    wireless networking, "the air around us is the cable". Even within modern

    enterprise offices, workstation mobility, for example using a laptop PC in

    a meeting room or changing a PC's location due to organizational changes,

    is a fact of life. For those who need the flexibility to relocate a workstation,

    WLANs negate the need for frequent physical wiring changes. This is not

    just a convenience issue, as cabling changes can amount to a significant

    burden on already-stressed MIS and IT department resources, on top of

    the costs of the cables themselves.

    The result? Increased productivity as well as a more positive end-user

    experience.


    Types of wireless networks

    Technically, a wireless network is any collection of end-points that can (at

    least) receive, and (usually in an IT context) send, a signal or information

    from or to a broadcast access point, without using wires. Viewed in this way,

    your television set would qualify as a wireless network end-point, but for

    the purposes of this White Paper, we will confine the context of the

    discussion to computer-related wireless networks only.

    There are many types of wireless computer networking technologies,

    including:

    RFID (Radio-Frequency IDentification) systems (there are many sub-varieties

    of this technology class, mostly used for short-range industrial applications such

    as warehouse stock movement tracking, typically with very small, fixed datasets

    such as a SKU number, and so on)

    Infrared/IRDA (line-of-sight low power optical networking)

    HomeRF (an older wireless PC networking standard that is rapidly

    disappearing)

    Bluetooth (and potential 802.15 IEEE standard to follow from it, low data rate

    wireless networking mostly for connecting peripherals such as printers, PDAs

    etc., but rarely used for LAN client purposes)

    1x RTT, 3G and 2.5G cellular technologies (used by telcos for metered,

    relatively location-insensitive, low-speed access to the Internet, up to about

    40-60 kilobits per second or roughly slightly faster than a 56K dial-up modem)

    WiFi (IEEE 802.11a, b, g and many other versions; the current standard for

    relatively high-bandwidth wireless PC networking today, theoretically up to

    speeds of 54 megabits per second but usually more in the 20 mb./sec. range)

    Of all of the above technologies, the last two (the various telco cellular

    network connectivity systems and 802.11x* WiFi) are by far the most

    important for the purposes of this White Paper, because these systems

    are both commonly used for remote LAN access today and are likely to

    continue to be so used in the future.

    We will concentrate particularly on 802.11x systems, since wireless

    connectivity via the 1x RTT networks of the major telephone carriers has

    better inherent resistance to intrusion due to the way in which access is

    administered (although, it is still theoretically vulnerable to compromise).

    * Note: We will use the acronym "802.11X" (large "x") generically to describe the gamut of 802.11a, 802.11b,

    802.11g, etc. sub-varieties, henceforth in this document. This should not be confused with the "802.1X" RADIUS-based authentication system, which is also referenced below.


    The catch is

    Like many things in life, there is both good and bad in the location-independent

    access capabilities that wireless networking enables.

    Although issues of data speed (usually somewhat less than for conventional

    wire-line LANs) and reliability (for example, one's 2.4 GHz wireless phone rings

    and disrupts an 802.11 LAN session) can come into play, for WLANs the most

    important question mark concerns security.

    To understand the security risks that are inherent in wireless networking, we have

    to briefly review the history of networking itself as well as the security mechanisms

    that evolved at each stage of this evolution.

    How we connected, before

    Traditionally, access to networked resources has been inextricably linked to a physical connection to a network cable (usually, a blue 10BaseT UTP Ethernet

    cable) of one sort or another. There has, up to now, simply been no other practical

    way to connect one's own PC (or other device) to other computers.

    In the 1980s, the computers that were connected in this way were mostly deployed

    in small groups (workgroup LANs), and, in the relatively rare cases where large

    numbers of computers were networked together, it was usually in the context of a

    single-organization enterprise LAN where all of the endpoints were, ultimately,

    controlled by the same company or public sector department. Nobody was allowed

    to connect to the enterprise LAN unless he or she worked for the enterprise.

    Security issues were mostly limited to problems with disgruntled employees,

    although near the end of the 1980s, dial-up remote access to enterprise LANs created a need for basic authentication functions. The security mechanism used

    during this period was mostly basic passwords, sometimes with enhancements such

    as forced password length or periodic forced password changes.

    In the 1990s, the advent of the Internet changed this paradigm. For the first

    time, enterprise networks were interconnected with, and therefore exposed to,

    computers owned by entities that enterprises might have no knowledge about,

    much less administrative control over. While the Internet, as the world's ultimate

    heterogeneous network, brought about a tremendous increase in convenience,

    functionality and accessibility to information, this same connectivity also introduced

    the wide range of security issues, ranging from unauthorized access to viruses to

    Internet fraud, that most IT directors are now all too familiar with.


    However, even in the late 1990s, enterprise IT security personnel had at least one

    line of defense to fall back on. Intruders generally had only one convenient avenue

    of access to internal enterprise LANs: that is, through whatever part of the

    enterprise network infrastructure (usually, a high bandwidth cable such as a T-1 or leased line) connected to the organization's ISP (Internet Service Provider) and

    therefore to the Internet as a whole. One could envision this as an office tower

    with only one huge door at the front; to get inside, an intruder would have to get

    past the security system (e.g., a firewall, which was the defining security system of

    the early Internet era) posted at this door.

    While malicious attempts at unauthorized access or other inappropriate use of

    resources (for example attempts to find unsecured OS services on open IP ports,

    or denial of service attacks) through this entry point can and do occur, at least

    it is only one entry point to guard; there is little chance of an intruder physically

    finding his or her way inside (say) the headquarters of a bank and then attaching his

    or her PC to the enterprise LAN via a 10BaseT network cable connected to a

    local Ethernet hub or router. (Presumably, were such an event to occur, other office

    workers would detect the presence of the intruder before any real damage were to

    be done, perhaps from the trail of empty Pizza boxes and soft drink cans or the

    "Kaos Komputer Klub Rulez!" T-shirt.)

    How we (and the bad guys) connect now without wires

    Wireless networking changes all this. For the first time, an intruder does not have

    to have any physical access at all, in order to at least attempt to plug in to the

    same enterprise connectivity access points that legitimate users do; it is perfectly

    possible for an intruder to sit in the lobby of an office building, set his or her

    wireless client (or hacking) software to search for local wireless access points, find

    one and attempt to connect.

    A good way to imagine this is, think of an 802.11 wireless access point as an

    Ethernet hub with a million ethereal 10BaseT cables connected to it, free for the

    connecting by anyone within a 50 to 300 meter radius.

    Improperly secured WLAN access points may have been intentionally, but

    incorrectly, installed by an enterprise's IT staff. However, nowadays increasingly

    low prices of consumer-level wireless networking equipment have led to the

    attachment of rogue (unsanctioned) WLAN access points to enterprise networks,

    in other words, end user-installed, unsecured WLAN access points that the

    organization's MIS and/or security staff may not even know exist.

    While rogue Ethernet hubs, etc., have historically been a fact of life for large

    corporations and public sector departments, unlike the case with a conventional

    LAN connection device, using wireless technology an unsanctioned access point

    can be accessed by someone completely outside the physical premises of the

    organization.


    If an intruder is successful in finding and connecting to an inadequately

    secured wireless access point (wandering a neighbourhood looking for open

    WLAN access points is called "war driving", in hacker slang), he or she

    now has exactly the same ability to access internal enterprise resources, for example servers or the data on them, that a legitimate office worker would

    have. And since, by definition, an internal LAN is "behind the firewall",

    Internet barrier security mechanisms such as firewalls, bastion servers, or

    proxy servers will be mostly ineffective against such intrusions. Attacks

    against external targets launched with this type of inappropriate access

    will appear to come from the organization that owns the conventional,

    Internet-attached LAN because, of course, they do come completely

    from within the organization's own TCP/IP address range.

    Taken together, all of these factors amount to a difference of kind, not just

    degree, in the types of intrusion threats that modern IT security managers

    must cope with in the WLAN era.

    It's not safe at home, anymore

    Another likely attack against inadequately secured wireless access points is

    equally troublesome, but is much less well understood.

    In the early days of wireless networking, WLAN hardware (that is, wireless

    access hubs, routers and network interface cards) was expensive and complex

    to install and configure. Additionally, standards were poorly defined, so

    (for example) it was necessary to use the same vendor's wireless NICs with

    that vendor's access points; without doing so, chances of connectivity were

    poor. Thus, in most cases, WLANs were deployed only by experienced IT staff, within the relatively controlled contexts of enterprise (business) LANs.

    However, in the last two to three years, affordability and user-friendliness

    for this technology have migrated down to the consumer level. It is now

    perfectly possible for even an uneducated computer user to connect his or

    her wireless access point to a broadband Internet (DSL or cable) modem,

    insert a wireless LAN adapter (even that of a different vendor) into a laptop

    and, with little or no extra configuration required, start happily surfing the

    Internet without any physical cable between the client PC and the access

    point.

    For most consumers, the convenience that this auto-configuration provides

    is what makes the WLAN infrastructure attractive in the first place. Most casual home networking users have little or no understanding of IT security

    concepts, much less any interest in implementing what are, to them,

    complex and unnecessary configuration steps that add nothing to their

    computer use experience.


    Unfortunately, hackers and other intruders are only too aware of the many

    vulnerabilities, for example default SSID (Service Set Identifier, the

    string that identifies a wireless access point to wireless clients) identifiers

    (the default SSID for a NetGear 802.11 WLAN router is "NETGEAR"), or weaknesses in WEP encryption standards, created by the

    "plug-and-play" philosophy of consumer-level wireless networking equipment. Against

    an even moderately experienced hacker, most residential wireless networks

    are very vulnerable to unauthorized intrusion and access. This exposure is

    made worse by the fact that enterprise IT administrators have little or

    no control over how residential WLAN equipment is installed and / or

    configured, assuming that they even know that it has been deployed.
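    The rogue access points and factory-default settings described above are things an IT team can look for in a wireless site survey. The following is an added example, not part of the original white paper: the inventory, the survey rows and every default SSID other than "NETGEAR" are constructed or assumed values.

```python
from dataclasses import dataclass

# Factory-default SSIDs, compared case-insensitively. "NETGEAR" is the one the
# paper names; the other entries are assumed examples.
DEFAULT_SSIDS = {"netgear", "linksys", "default"}


@dataclass(frozen=True)
class Sighting:
    bssid: str        # access point MAC address as reported by the survey tool
    ssid: str
    encryption: str   # "none" or "wep"
    signal_dbm: int   # closer to 0 is stronger, so more likely on the premises


def norm_bssid(raw: str) -> str:
    """Normalise 'AA-BB-..' and 'aa:bb:..' spellings to one form."""
    return raw.strip().lower().replace("-", ":")


def audit(survey, sanctioned):
    """Return (bssid, ssid, signal, issues) for every sighting that needs follow-up.

    'unsanctioned' only means the AP is not in IT's inventory: it may be a rogue
    AP on the enterprise LAN or a neighbour's equipment, so it still has to be
    traced. Unsanctioned APs are listed first, strongest signal first.
    """
    inventory = {norm_bssid(b): ssid for b, ssid in sanctioned.items()}
    findings = []
    for seen in survey:
        bssid = norm_bssid(seen.bssid)
        issues = []
        if bssid not in inventory:
            issues.append("unsanctioned")
        elif inventory[bssid] != seen.ssid:
            issues.append("ssid-changed")
        if seen.ssid.strip().lower() in DEFAULT_SSIDS:
            issues.append("default-ssid")
        if seen.encryption.strip().lower() == "none":
            issues.append("no-encryption")
        if issues:
            findings.append((bssid, seen.ssid, seen.signal_dbm, issues))
    findings.sort(key=lambda f: ("unsanctioned" not in f[3], -f[2]))
    return findings


# Hypothetical inventory of access points installed by IT (BSSID -> SSID).
SANCTIONED = {
    "02:00:00:00:00:01": "corp-wlan",
    "02:00:00:00:00:02": "corp-wlan",
}

# Constructed survey rows, as if collected while walking the office floor.
SURVEY = [
    Sighting("02:00:00:00:00:01", "corp-wlan", "wep", -52),
    Sighting("02-00-00-00-00-02", "corp-wlan", "none", -60),
    Sighting("02:00:00:00:00:A1", "NETGEAR", "none", -48),
    Sighting("02:00:00:00:00:B7", "coffee-shop", "wep", -88),
]

if __name__ == "__main__":
    for bssid, ssid, signal, issues in audit(SURVEY, SANCTIONED):
        print(f"{bssid}  {ssid:<12} {signal:>4} dBm  {', '.join(issues)}")
```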

    If society had maintained the work patterns of the 1980s or even early

    1990s, the possibility of compromises against home-based WLANs would

    still be a problem, because the consequences of unauthorized access (for

    example, stealing credit card numbers or passwords to personal bank accounts, denial of service or inappropriate use attacks such as hidden

    pornography sharing launched from someone else's broadband entry point,

    etc.) could be serious for the victimized individual or family.

    But in the early 21st Century, work patterns have changed and working

    from home is a familiar concept, even for senior private and public sector

    managers who must have constant access to sensitive internal information.

    Thus, looking at the situation from the perspective of a potential intruder,

    the easiest way to compromise an enterprise LAN may not involve

    attacking its center point (e.g., the organization's business offices) at all.

    Rather, an intelligent intruder might use a social engineering attack (or,

    perhaps, simply use a phone book) to find out where a senior manager lives, park an automobile discreetly somewhere nearby, set up his computer

    to search for an inadequately secured wireless access point installed at the

    manager's house and then attack this access point.

    The risks of this type of compromise are severe for several reasons. The

    most obvious of these is simple unauthorized access to corporate passwords

    and potentially confidential business information, but there are more subtle

    risks as well. For example, a compromised residential wireless access point is

    an ideal and (for the intruder) anonymous entry point for introduction of

    an Internet virus, spam e-mail or denial of service attack, with the hapless

    legitimate owner of the endpoint being blamed if such attacks are ever

    traced.

    Furthermore, even if sensitive corporate information within central IT

    resources (for example a head office file server) is protected by a secondary

    data security mechanism such as file encryption, most home-based PCs,

    which could be directly attacked via a compromised WLAN, do not have

    this kind of protection, even if they are used for convenience purposes to

    store confidential information.


    For example, the peer-to-peer networking features of Microsoft's Windows

    XP Home OS, by default, do not provide even password-based protection

    for shared directories; an intruder on a compromised WLAN would have

    wide open access to a shared "My Documents" folder, in this scenario. (Such a location would be a perfect place for an attacker to locate a virus,

    a distributed denial-of-service zombie program, a password harvester or

    other OS-level compromise.)

    And home-based computers may be used by children or other individuals

    with little or no security awareness, leading to a raft of potential compromises

    such as spyware, keyloggers, viruses or other client-based vulnerabilities.

    Clearly, the problem of inadequately secured residential WLANs is one that

    enterprise IT security staff need to take seriously and address immediately.

    Ubiquitous and anonymous

    A secondary issue associated with WLANs, especially 802.11x-based WiFi

    networks, is that this type of infrastructure can provide the ultimate in

    anonymous Internet access, especially when provisioned via wireless access

    points that are available for free use by the public. (This type of deployment

    is becoming an increasingly common value differentiator for some types of

    businesses, for example coffee shops, restaurants, airlines and so on.)

    Unlike the past where, at some point, it was necessary for some identifiable

    entity to pay for an Internet Service Provider account and, usually, a phone

    or cable connection, to get access to the Internet, public access WLAN

    facilities for the first time allow a user with nothing more than a laptop

    computer and a wireless LAN card to access the Internet. In other words, however tenuous this concept may have been during the days

    of conventional, wireline Internet access (as, it has always been possible to

    fake an identity), public WLAN access now makes the concept of identifying

    a network attacker nearly impossible, especially in real time.

    While anonymity has many legitimate functions, viewed in the WLAN

    context, enterprise IT administrators now have to contend with unidentifiable

    attackers who can (for example) use a public WLAN access point for

    however brief an interval it takes to launch a denial-of-service attack, spam

    e-mail flood, intrusion attempt or other inappropriate use session, afterwards

    immediately disconnect and never thereafter have any other association with

    the TCP/IP address or access point from which these malicious activities took place.

    In some ways, this may be more of an exposure for the provider of the public

    WLAN access infrastructure than it would be for the directly aggrieved

    party, since if such an attack is traceable at all, the path would lead back to

    the public WLAN access point from which the attack was launched. But

    either way, it is a new issue that must be considered in protecting enterprise

    LANs from external attacks.


    WEP: Weaker than Ever Protection

    When WiFi (802.11x) wireless LANs were first invented, the creators

    of the 802.11x protocols were not totally ignorant of the unauthorized

    use risk posed by unsecured wireless access points. To provide a measure

    of security against these risks, they invented Wired Equivalent Privacy

    (commonly referred to as "WEP"), a low-level data encryption system

    designed especially for wireless security purposes.

    Basically, WEP provides wireless data traffic confidentiality via encryption

    of MAC (Media Access Control, in OSI reference model tech-speak)-level

    data streams. Theoretically, a properly implemented WEP-enabled access

    point can deny access to any wireless client that does not have a shared

    authentication key, and once a client has thus been correctly authenticated,

    it can encrypt the client/access point data stream in near real-time so that

    attempts to remotely sniff the contents of TCP/IP packets are futile.

    Unfortunately, WEP has many known vulnerabilities. Among these are:

    Problems with key generation (at the time WEP was created, the U.S.

    government had made the export of encryption keys longer than 40 bits

    illegal on the grounds that they were weapons of mass destruction, although

    later implementations of WEP have longer keys) and distribution;

    Weak IVs (Initialization Vectors), which make key cracking inappropriately

    easy (even for the 128-bit and larger WEP key implementations);

    A too-predictable CRC-32 packet integrity check algorithm;

    A wide range of freely available hacker tools to break WEP encryption itself;

    Many of the wireless access points (for example consumer market wireless /

    broadband Internet routers) which do implement WEP, do not provide the management tools needed to enable good security practices such as frequent

    key changes.

    Taken as a whole, these issues amount to the fact that whatever the initial

    claims made of it, WEP encryption alone cannot be relied upon to provide

    security for wireless 802.11x networks.
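    To make the "too-predictable CRC-32" item in the list above concrete, the following added example (not part of the original white paper) shows a receiver's integrity check accepting a frame whose bits were changed without knowledge of the key, and a keyed check rejecting the same change. It assumes a WEP-style layout of payload plus CRC-32 XORed with a keystream; the keystream bytes, the key and the payload are constructed, and HMAC-SHA-256 is chosen here only as a representative keyed check, not as what any 802.11 standard specifies.

```python
import hashlib
import hmac
import zlib

# Constructed values. KEYSTREAM stands in for the cipher output that WEP XORs
# onto each frame (RC4 in real WEP); MAC_KEY is a hypothetical integrity key.
KEYSTREAM = hashlib.shake_256(b"constructed keystream").digest(64)
MAC_KEY = b"constructed integrity key"


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc_check(payload: bytes) -> bytes:
    """Unkeyed 4-byte check value, as in WEP."""
    return zlib.crc32(payload).to_bytes(4, "little")


def mac_check(payload: bytes) -> bytes:
    """Keyed 32-byte check value."""
    return hmac.new(MAC_KEY, payload, hashlib.sha256).digest()


def seal(payload: bytes, check) -> bytes:
    """Sender: append the check value, then XOR the whole body with the keystream."""
    body = payload + check(payload)
    if len(body) > len(KEYSTREAM):
        raise ValueError("payload too long for the sample keystream")
    return xor(body, KEYSTREAM)


def open_frame(frame: bytes, check, check_len: int):
    """Receiver: decrypt, recompute the check, return the payload or None."""
    body = xor(frame, KEYSTREAM)
    payload, received = body[:-check_len], body[-check_len:]
    return payload if hmac.compare_digest(check(payload), received) else None


def change_in_transit(frame: bytes, delta: bytes, check_len: int) -> bytes:
    """Model a modification made without the keystream or any key.

    CRC-32 is affine over XOR: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros), so
    the change to the check value depends only on delta, never on the payload.
    """
    if len(delta) != len(frame) - check_len:
        raise ValueError("delta must cover exactly the payload bytes")
    correction = xor(crc_check(delta), crc_check(bytes(len(delta))))
    correction += bytes(check_len - len(correction))
    return xor(frame, delta + correction)


def compare(payload: bytes, delta: bytes):
    """Return what the receiver accepts under each check after the same change."""
    crc_frame = change_in_transit(seal(payload, crc_check), delta, 4)
    mac_frame = change_in_transit(seal(payload, mac_check), delta, 32)
    return open_frame(crc_frame, crc_check, 4), open_frame(mac_frame, mac_check, 32)


if __name__ == "__main__":
    sample = b"constructed data"
    flip = b"\x01" + bytes(len(sample) - 1)   # flip one bit of the first byte
    with_crc, with_mac = compare(sample, flip)
    print("CRC-32 check accepted:", with_crc)
    print("keyed check accepted: ", with_mac)
```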

    A successor to WEP, called WPA (Wi-Fi Protected Access), which will

    resolve many of the known vulnerabilities in WEP, is currently in the final

    stages of definition by the IETF and will probably become available within

    the late 2003 to mid-2004 time scale. While, obviously, transitioning to the

    new WPA standard will be desirable in the long run, for the time being

    WEP will remain the best available confidentiality tool for WLAN data

    streams, so IT security managers will have to plan their strategy to take its

    vulnerabilities into account.


    How to deploy secure WLANs

    The following section gives some practical steps on how to secure your

    WLAN.

    Do a threat/risk analysis (TRA): Review your organization's real business and

    technical security requirements, so you know what resources are most likely

    to be attacked, as well as what the consequences would be if each data

    element or resource were compromised.

    Without undertaking this crucial step, it is impossible to properly secure

    your enterprise LAN, since you may be over-securing low-sensitivity

    resources while under-securing resources that are critical to your business.

    As an example of this, if your enterprise LAN contains a mixture of

    low-bandwidth 1x RTT (cellular) and 802.11x-connected PCs, your

    available IT security manpower cycles may be better spent on the latter

    rather than the former (cellular networks have a degree of authentication security built in at the billing account level, and in any case, their metered

    costs and relatively low bandwidth gives mobile users an incentive to

    restrict use of the resource, thereby mitigating the risk of data compromise).

    Architect a secure wireless solution: Design an appropriate, secure wireless

    scheme that meets your users' needs. A system which leaves important

    functions (for example, the ability to access home-based wireless networks)

    completely unaddressed, will likely be bypassed by end users, resulting

    in no security at all.

    Also, the word "architect", as used in this context, is a verb; your IT

    staff should spend the time to draft a valid WLAN architecture for

    your enterprise, not leave this function to ad hoc infrastructure growth engineered by end users. (If end users have no official WLAN architecture

    to adhere to, they will adhere to whatever is most convenient for them

    at the time.)

    Roaming: Propose an effective roaming solution that extends the network

    beyond the office.

    The point here is to realize that wireless LAN access (particularly, wireless

    802.11x-related infrastructure deployed in residential or airport hotspot

    contexts) is here to stay; attempts to prohibit it, or to ignore it and hope

    the problem goes away (it won't), are likely to be futile.

    If your IT staff is able to get out in front of the curve and propose a wireless roaming system that will enhance end user convenience, the

    chances are much greater that you will get the co-operation of end users

    when the time comes to implement strong security.


    Use WEP, but don't expect miracles of it: Wired Equivalent Privacy (or WEP)

    authentication and encryption is not perfect, but using it is far preferable to

    having no wireless encryption protection at all. So enable it for all the

    access points that support it.

    Think of the analogy with the lock you use to secure the front door of

    your house, or the lock on your car door. Both of these can certainly be

    defeated, and this happens every day across the country; but the mere

    presence of a lock is known to deter thieves, who for the most part would

    prefer to attack targets that are less well defended. WEP can work in exactly

    the same way for wireless LANs, encouraging attackers to go after someone

    else's network.

    Furthermore, it should be noted that although it is indeed possible to break

    or circumvent WEP-based wireless security, doing so is, particularly for its

    128-bit and longer versions, a much less straightforward task than some

    alarmist media stories would have one believe.

    There are many reasons why this is the case, but as an example, most

    WEP-hacking programs currently (July 2003) available run only over

    various versions of the Linux, OpenBSD or other non-Windows operating

    systems; thus, to use most of these, an intruder must acquire and install a

    completely new operating system on his or her computer. (And, possibly,

    recompile the hacking program from C++ source code, itself a non-trivial

    task.) Then, the intruder must have at least some understanding both of

    low-level TCP/IP data concepts and of encryption concepts, must have

    both the time (possibly as much as a day per attempt) and the circumstances

    (e.g. a car or van to park discreetly while attempting to break a WLAN-

    secured access point) and, finally, the disposition (in particular, a good deal of patience) to carry the intrusion attempts through to fruition.

    Impossible? No, but definitely a task that would deter many casual intruders

    who are just nosy. But by not using WEP, you are making the task of

    intrusion immensely easier, just as you would be by not placing a lock

    of any kind on your home's front door.

    So, WEP has a place to play in securing WLAN systems; just do not make

    the mistake of making it your only 802.11x security technology.

    As a side-note, wherever possible, your organization should invest in

    WLAN access devices (e.g. access points, routers and network cards) that

    either implement, or can conveniently be upgraded to implement, the

    emerging WPA wireless security standard. While WPA is currently (July

    2003) still a work in progress, it will eventually succeed WEP and solve

    many of WEP's known vulnerabilities. Planning ahead to implement

    WPA will eventually make the task of securing 802.11x-based WLANs

    considerably easier.


    Authentication is the key: The most significant vulnerability of wireless

    LANs is the fact that, at the physical level, by definition they enable access

    to anyone, authorized or not, within a WLAN access point's radius of useful

    signal strength. (As noted above, this is in contrast to the situation with a conventional LAN, where a user must have physical access to building

    facilities to plug in to a 10BaseT UTP Ethernet cable.)

    Thus, systems that ensure that only authorized users are allowed to get

    a physical level connection at all to WLAN access points, are a critical

    function of wireless LAN security policy (although, they are not, by

    themselves, everything you need to secure a WLAN). Providing robust

    authentication security for use of wireless access points will instantly stop

    80% of intrusion attacks.

    End-run WEP problems with RADIUS: An excellent, industrial-strength

    solution to the WLAN authentication issues is an authentication

    infrastructure that implements a RADIUS client/server architecture.

    RADIUS, an IETF standard security management protocol first used for

    dial-up access to Internet Service Provider modem pools, enables control

    over which users can connect to your network, and over what resources

    they can access. Wireless-optimized extensions to RADIUS can enable

    wireless users to be strongly authenticated at access points using X.509

    digital certificates.

    There are currently two flavors of such RADIUS extensions that you

    should consider:

    EAP-TLS (Extensible Authentication Protocol-Transport Layer Security): This

    is the security method used in the 802.1X client for Windows XP; it uses

    client- and server-side certificates to perform authentication; dynamically

    generated user- and session-based keys are distributed to secure the

    connection.

    PEAP (Protected Extensible Authentication Protocol): Protected EAP is an

    extension of EAP-TLS which provides certificate-based mutual authentication

    of the client and network. Unlike EAP-TLS, PEAP requires only server-side

    certificates, eliminating the need to configure certificates for each WLAN

    client.

    The certificate-based client / server approach has many advantages. For

    example, administrators can enforce policies on user sessions, to specify the

    length of an encryption key and the time interval for its auto-renegotiation,

    and so on. Collectively, these features can negate most of WEP's known

    vulnerabilities and exponentially increase the complexity and difficulty of

    intrusion attempts.

    Note that some configurations may require a specialized, RADIUS-

    compatible client on each PC that will access the secure wireless LAN

    infrastructure; so, in planning a network of this type, you should make

    some allowance for remote roll-out, installation and provisioning issues.

    Install, configure and test: Build and configure WLAN authentication

    servers using best security practices. Install, configure and test hardware

    and software.

    In particular, don't assume that security equipment and software actually

    does what it claims to do: oversights such as a certain type of wireless

    router returning the administrator password in cleartext when a certain

    SNMP call is made to it, or storing sensitive WLAN configuration

    and authentication data in a client PC's Windows Registry in completely

    unencrypted format, are uncommon but are definitely there, and the

    hackers all know about them.

    Either have your own IT department, or (better yet), hire a third party to

    attempt to break or bypass whatever WLAN security features you have

    implemented. You may be surprised what you find out about the equipment

    that you thought was bullet-proof.

    The problem (partly) starts at home: As noted above, from the perspective

    of an attacker, unsecured, home-based WLAN access points may be

    considerably more attractive targets than would be the likely better-

    protected assets at an enterprise's business offices.

    There may be little that your organization can (or should) do to prevent or

    restrict the ways in which employees use their own computers at home. But

    there are ways in which you can mitigate this risk, from both wireless and

    conventional remote access perspectives.

    Require, or at least make available, more sophisticated, multi-factor methods

    of user authentication than just usernames and passwords (which are too

    easily compromised by basic hacking techniques such as keyloggers, IP packet

    sniffing, etc.) for access either to employee home computers or corporate

    resources. Among the advanced authentication methods available today are

    X.509 digital certificates, USB keys, smart cards and biometrics.

    Use of any one or combination of these systems will make the task of an

    intruder significantly more difficult, because simple interception of a password

    via a compromised residential WLAN will no longer be sufficient to enable

    subsequent compromise of the enterprise LAN as a whole.

    If possible, implement a VPN (Virtual Private Network) system to secure the

    datastream between remote/home-based client PCs and central enterprise data

    resources. Properly-configured VPNs, particularly if combined with more

    sophisticated methods of multi-factor user authentication, can provide good

    protection for corporate resources, even if a residential WLAN access point is

    itself compromised to give an intruder access. There are two main types of

    VPNs: IPSec systems, which require installation of client software, and the

    newer SSL VPNs, which are entirely browser-based, making provisioning and

    roll-out significantly easier (as well as more secure).

    Provide, or encourage the use of, tools for good security practices on home

    computers. Among these are software firewalls, anti-virus software and anti-

    spyware software. Using such tools will make your entire enterprise network

    more secure, in addition to complicating the task of a wireless intruder who

    wants to hijack a vulnerable home computer as an entry point for activities

    such as a denial-of-service or virus injection attack.

    Provide at least some security-related education for all employees, but

    particularly those who may be using, or considering using, wireless networking

    at home. An example of the types of advice you could give in such training

    would be, "every so often, have a quick look at your wireless router and cable

    (or ADSL) modem; if your PC is turned off, but there is a lot of constant

    data traffic on the router and the modem, this might indicate an unauthorized

    connection. Contact your Security department." The more educated your

    home users are, the better able they will be to recognize intrusions at an early

    stage.

    Attackers may want your bandwidth, not your data: Not all attacks against

    enterprise WLANs may involve the usual security threats such as data

    interception or password compromises.

    For example, attackers may want access to your organization's infrastructure

    for more mundane but still inappropriate purposes, such as trading

    illegally copied media items (songs and movies) or software, creating a

    launching point for mass spam mail blasts, storing pornography or simply

    free Web surfing.

    While these types of attacks did exist prior to the inception of WLANs,

    they are a far more attractive proposition nowadays because a wireless

    intruder may not have to bypass a firewall. You should consider, and protect

    against, this risk in designing your organization's WLAN strategy.

    Manage and support: Review your WLAN support options to meet the

    needs of your internal customers. Adjust these options to take into account

    changing needs, especially at the residential and home networking levels.

    The easier that it is for users to access your support resources to get answers

    to security-related concerns, the more likely it will be that your users will

    adhere to whatever wireless security policy your organization has decided

    upon.

    The details of implementing WLAN security

    To protect your wireless LAN network from attack, the following best

    practices are recommended:

    1. Educate employees about WLAN risks, especially about how to recognize an

    intrusion or suspicious behavior. Security-aware end users are perhaps your

    best line of defence against intrusion.

    2. Prohibit or restrict unauthorized attachment of wireless access points (rogue

    access points).

    3. Employ a third party managed security services company to constantly

    monitor your network security infrastructure for signs of an attack or

    unauthorized use.

    4. Deploy strong authentication (X.509 digital certificate, USB token, smart card

    and/or biometric) for all of your IT resources, wireless and wireline alike.

    Doing so will tremendously complicate the task of wireless snoopers,

    because interception and possession of a compromised password will no

    longer allow them to access protected resources and data sets.

    5. Prohibit or restrict use of 802.11x WLAN cards in ad hoc mode, especially

    when in public areas or any building with perimeter less than the WLAN

    broadcast range.

    6. Ask users to connect only to known access points; masquerading access points

    are more likely in unregulated public spaces.

    7. Deploy personal firewalls, anti-virus software and spyware blockers on all

    corporate PCs, particularly laptops and computers using the Windows

    operating system. Use corporate network security policy to enforce the

    continuous use of these assets and train employees to recognize when a

    problem is detected.

    8. Actively and regularly scan for rogue access points and vulnerabilities on the

    corporate network, using available WLAN management tools.

    9. Change default management passwords and, where possible, administrator

    account names, on WLAN access points. Also, make sure to disable or secure

    other potential leak-points of confidential configuration data (for example,

    Telnet access or auto-responses to SNMP queries, etc.) that might be of

    value to a hacker trying to glean information about your network from a

    wireless access point.

    10. Change the default SSID on all access points, and allow the access points to

    broadcast their SSIDs. This enables users to easily identify the access point to

    which they are connecting and only present the necessary credentials. It may

    be a good idea to make the SSID of an access point something that misleads

    attackers about the value of the data behind it; for example, an access point in

    a bank could be named "COFFEESHOP" instead of "BANKSECRETS".

    11. Turn on and use encryption (128-bit TKIP or higher WEP if your

    equipment supports it). TKIP provides protection against the drive-by

    snooper or unintentional visitor, but it should always be used with other

    measures in a corporate environment.

    12. Use strong security for other data resources such as laptop or desktop data

    files and e-mail messages and attachments. (For example, desktop encryption

    solutions can range all the way from simple Windows-based EFS encryption

    to more advanced, flexible and platform-independent third party solutions,

    while X.509 digital certificates offer a very cost-effective way of securing

    e-mail.) The reason, again, is to create a layered security system, so that

    an intruder who somehow manages to defeat your organization's WLAN

    security still has additional barriers to cross to do real damage.

    13. When deploying 802.1X infrastructure to implement dynamic encryption

    keys (for example with a RADIUS-based authentication system), configure

    the session key update for at least once per hour to minimize the chance of

    key repetition.

    14. Make sure that your RADIUS server has a valid server certificate for network

    authentication to all valid users and devices.

    15. Avoid placing access points against exterior walls or windows.

    16. Reduce the broadcast strength of WLAN access points, when possible,

    to keep it within the necessary area of coverage only. Avoid coverage of

    unintended areas such as parking lots.

    17. When planning network design, use 802.1X-based port authentication

    for wired switches and hubs to inhibit future addition of unauthorized,

    user-attached access points.

    18. Ask employees with home WLAN access points to change the authentication

    and confidentiality keys of their broadband routers, etc., at least once per

    month (once per week if your organization is very security-sensitive). It

    may be cost-effective for your organization to purchase one example of the

    consumer WLAN-to-broadband routers from the locally dominant vendors

    (e.g. Linksys, SMC, Netgear, etc.) and have your IT staff create simple,

    easily-understood corporate standard instructions as to how to do this, as

    well as to offer residential WLAN phone support for inexperienced users.

    All of these steps will help to reduce the home access point wireless LAN

    vulnerability.
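
    Checklist items 2, 5, 6, 8 and 11 above can be checked against a site survey. The Python below is an added example, not part of the VeriSign/Soltrus paper: it compares observed networks with an inventory of authorized access points. The record layout, the inventory and every MAC address are constructed assumptions, and an "unknown-ap" is only a rogue candidate, because a radio scan alone cannot show whether the device is attached to the corporate network.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    """One network seen in a site survey (constructed record layout)."""
    ssid: str
    bssid: str       # MAC address of the transmitting radio
    mode: str        # "infrastructure" or "adhoc"
    encryption: str  # "none", "wep" or "tkip"

# Assumed inventory kept by IT: corporate SSID -> BSSIDs of installed access points.
AUTHORIZED = {"COFFEESHOP": {"02:00:00:00:00:01", "02:00:00:00:00:02"}}

def classify(beacon, authorized=AUTHORIZED):
    """Return the checklist findings raised by one observed network."""
    bssid = beacon.bssid.lower()
    ours = {b.lower() for b in authorized.get(beacon.ssid, ())}
    inventory = {b.lower() for group in authorized.values() for b in group}
    findings = []
    if beacon.mode == "adhoc":
        findings.append("adhoc-mode")                # item 5
    if beacon.ssid in authorized and bssid not in ours:
        findings.append("masquerading-ap")           # item 6: our SSID, foreign radio
    elif bssid not in inventory:
        findings.append("unknown-ap")                # items 2 and 8: rogue candidate
    elif beacon.encryption == "none":
        findings.append("unencrypted-corporate-ap")  # item 11
    return findings

def survey(beacons, authorized=AUTHORIZED):
    """Map BSSID -> findings for every observed network that needs follow-up."""
    report = {}
    for beacon in beacons:
        findings = classify(beacon, authorized)
        if findings:
            report[beacon.bssid] = findings
    return report

# Constructed sample scan, not captured from a real network.
SAMPLE_SCAN = [
    Beacon("COFFEESHOP", "02:00:00:00:00:01", "infrastructure", "tkip"),
    Beacon("COFFEESHOP", "02:00:00:00:00:02", "infrastructure", "none"),
    Beacon("COFFEESHOP", "02:aa:bb:cc:dd:10", "infrastructure", "none"),
    Beacon("linksys", "02:aa:bb:cc:dd:20", "infrastructure", "wep"),
    Beacon("laptop-share", "02:aa:bb:cc:dd:30", "adhoc", "none"),
]

if __name__ == "__main__":
    for bssid, findings in survey(SAMPLE_SCAN).items():
        print(bssid, ", ".join(findings))
```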

    Summary

    Wireless LANs are neither the inherently insecure demon that their

    detractors depict, nor are they inherently secure enough to be implemented

    in exactly the same way as conventional wireline LANs would be. But

    because this technology is quickly gaining momentum from a consumer

    acceptance perspective, it is imperative that your organization roll out its

    WLAN(s) in a secure fashion.

    Doing this may require only a few steps and types of security practice

    and technology, or may require more, depending upon the nature of the

    information being protected and the degree of security desired. And, it's

    important to note, some of the best practice steps you should use to

    secure a wireless LAN are basically the same as would be the case for

    a conventional network. Viewed in this context, the implementation of

    a WLAN can be an ideal catalyst to improve the overall security of the

    rest of your enterprise LAN or WAN.

    The results will benefit users of both wireless and wireline infrastructures

    and your organization's productivity will improve as well.

    But start the process now, before your WLAN starts to broadcast things you

    don't want the public to hear!

    2003 VeriSign, Inc. All rights reserved.

    VeriSign, the VeriSign logo, NetSure, and other trademarks, service marks, and logos are registered or unregistered trademarks of VeriSign and its

    subsidiaries in the United States and other countries. All other trademarks belong to their respective owners. DS 037 0903

    Copyright Soltrus, Inc., 2003. Limited permission is hereby granted to reproduce and distribute this document, provided that this notice of copyright

    is included and that distribution is not for a commercial purpose.