Securing Wireless Local Area Networks

Securing Wireless Local Area Networks A VeriSign/Soltrus White Paper

CONTENTS

Introduction
Why wireless?
Types of wireless networks
The “catch” is…
How we connected, before
How we (and the bad guys) connect now… without wires
It’s not safe at home, anymore
Ubiquitous… and anonymous
WEP: “Weaker than Ever Protection”
How to deploy secure WLANs
The details of implementing WLAN security
Summary

Introduction

If the 1980s was the “decade of the LAN” and the 1990s was the “decade of the Internet”, future historians may look back on the first decade of the 21st Century as the “decade of Wireless Networking”.

Although wireless LANs (“WLANs”, for short) are proliferating rapidly nowadays, this technology is scarcely ever discussed without mention of security concerns. If your organization is planning to deploy a WLAN – or has already done so – you should know the facts surrounding wireless networks so you can use your WLAN in a secure manner.

This document will give a brief description of what wireless LANs are and how the security concerns with them compare with those of conventional computer networks, and will detail some practical steps your organization can use to deploy fully trustworthy WLANs. It is aimed at readers with some prior knowledge of computer networking concepts, but anyone interested in wireless networking security will benefit by reading this White Paper.

Why wireless?

The cost-effectiveness and flexibility of the wireless LANs of the 21st Century, as an alternative to traditional wired networks, are ideal for mobile workers. They allow access to real-time information and corporate resources almost anywhere a mobile worker may be located, and with the growing popularity of wireless “hotspots”, mobile workers can now connect to the Internet at airports, hotels, restaurants, and other public places. Within the last few years, access speeds for WLANs have started to approach those available for conventional wireline networks, making use of wireless networking practical for mainstream business and consumer purposes.

The benefits of wireless networks don’t end outside the office, because with wireless networking, "the air around us is the cable". Even within modern enterprise offices, workstation mobility, for example using a laptop PC in a meeting room or changing a PC’s location due to organizational changes, is a fact of life. For those who need the flexibility to relocate a workstation, WLANs negate the need for frequent physical wiring changes. This is not just a convenience issue, as cabling changes can amount to a significant burden on already-stressed MIS and IT department resources, on top of the costs of the cables themselves.

The result? Increased productivity as well as a more positive end-user experience.

Types of wireless networks

Technically, a “wireless network” is any collection of end-points that can (at least) receive, and (usually in an IT context) send, a signal or information from or to a broadcast access point, without using wires. Viewed in this way, your television set would qualify as a wireless network end-point, but for the purposes of this White Paper, we will confine the context of the discussion to computer-related wireless networks only.

There are many types of wireless computer networking technologies, including:

• RFID (Radio-Frequency IDentification) systems (there are many sub-varieties of this technology class, mostly used for short-range industrial applications such as warehouse stock movement tracking, typically with very small, fixed datasets such as a SKU number, and so on)

• Infrared/IRDA (line-of-sight low power optical networking)

• HomeRF (an older wireless PC networking standard that is rapidly disappearing)

• Bluetooth (and potential 802.15 IEEE standard to follow from it, low data rate wireless networking mostly for connecting peripherals such as printers, PDAs etc., but rarely used for LAN client purposes)

• 1x RTT, 3G and 2.5G cellular technologies (used by telcos for metered, relatively location-insensitive, low-speed access to the Internet, up to about 40-60 kilobits per second or slightly faster than a 56K dial-up modem)

• WiFi (IEEE 802.11a, b, g and many other versions; the current standard for relatively high-bandwidth wireless PC networking today, theoretically up to speeds of 54 megabits per second but usually more in the 20 Mb/s range)

Of all of the above technologies, the last two – the various telco cellular network connectivity systems and 802.11x* WiFi – are by far the most important for the purposes of this White Paper, because these systems are both commonly used for remote LAN access today and are likely to continue to be so used in the future.

We will concentrate particularly on 802.11x systems, since wireless connectivity via the 1x RTT networks of the major telephone carriers has better inherent resistance to intrusion due to the way in which access is administered (although it is still theoretically vulnerable to compromise).

* Note: We will use the acronym "802.11X" (large "x") generically to describe the gamut of 802.11a, 802.11b, 802.11g, etc. sub-varieties, henceforth in this document. This should not be confused with the "802.1X" RADIUS-based authentication system, which is also referenced below.

The “catch” is…

Like many things in life, there is both good and bad in the location-independent access capabilities that wireless networking enables.

Although issues of data speed (usually somewhat less than for conventional wire-line LANs) and reliability (for example, one’s 2.4 GHz wireless phone rings and disrupts an 802.11 LAN session) can come into play, for WLANs the most important question mark concerns security.

To understand the security risks that are inherent in wireless networking, we have to briefly review the history of networking itself as well as the security mechanisms that evolved at each stage of this evolution.

How we connected, before

Traditionally, access to networked resources has been inextricably linked to a physical connection to a network cable (usually, a blue 10BaseT UTP Ethernet cable) of one sort or another. There has, up to now, simply been no other practical way to connect one’s own PC (or other device) to other computers.

In the 1980s, the computers that were connected in this way were mostly deployed in small groups (“workgroup LANs”), and, in the relatively rare cases where large numbers of computers were networked together, it was usually in the context of a single-organization enterprise LAN where all of the endpoints were, ultimately, controlled by the same company or public sector department. Nobody was allowed to connect to the enterprise LAN unless he or she worked for the enterprise.

Security issues were mostly limited to problems with disgruntled employees, although near the end of the 1980s, dial-up remote access to enterprise LANs created a need for basic authentication functions. The security mechanism used during this period was mostly basic passwords, sometimes with enhancements such as forced password length or periodic forced password changes.

In the 1990s, the advent of the Internet changed this paradigm. For the first time, enterprise networks were interconnected with, and therefore exposed to, computers owned by entities that enterprises might have no knowledge about, much less administrative control over. While the Internet, as the world’s ultimate heterogeneous network, brought about a tremendous increase in convenience, functionality and accessibility to information, this same connectivity also introduced the wide range of security issues – ranging from unauthorized access to viruses to Internet fraud – that most IT directors are now all too familiar with.

However, even in the late 1990s, enterprise IT security personnel had at least one line of defense to fall back on. Intruders generally had only one convenient avenue of access to internal enterprise LANs – that is, through whatever part of the enterprise network infrastructure (usually, a high bandwidth cable such as a T-1 or leased line) connected to the organization’s ISP (Internet Service Provider) and therefore to the Internet as a whole. One could envision this as an office tower with only one huge door at the front; to get inside, an intruder would have to get past the security system (e.g., a firewall, which was the defining security system of the early Internet era) posted at this door.

While malicious attempts at unauthorized access or other inappropriate use of resources (for example attempts to find unsecured OS services on open IP ports, or denial of service attacks) through this entry point can and do occur, at least it is only one entry point to guard; there is little chance of an intruder physically finding his or her way inside (say) the headquarters of a bank and then attaching his or her PC to the enterprise LAN via a 10BaseT network cable connected to a local Ethernet hub or router. (Presumably, were such an event to occur, other office workers would detect the presence of the intruder before any real damage were to be done, perhaps from the trail of empty pizza boxes and soft drink cans or the “Kaos Komputer Klub Rulez!” T-Shirt…)

How we (and the bad guys) connect now… without wires

Wireless networking changes all this. For the first time, an intruder does not have to have any physical access at all, in order to at least attempt to “plug in” to the same enterprise connectivity access points that legitimate users do – it is perfectly possible for an intruder to sit in the lobby of an office building, set his or her wireless client (or hacking) software to search for local wireless access points, find one and attempt to connect.

A good way to imagine this is to think of an 802.11 wireless access point as an Ethernet hub with a million ethereal 10BaseT cables connected to it, free for the connecting by anyone within a 50 to 300 meter radius.

Improperly secured WLAN access points may have been intentionally, but incorrectly, installed by an enterprise’s IT staff. However, today’s increasingly low prices for consumer-level wireless networking equipment have led to the attachment of “rogue” (unsanctioned) WLAN access points to enterprise networks, in other words, end user-installed, unsecured WLAN access points that the organization’s MIS and/or security staff may not even know exist.

While rogue Ethernet hubs, etc., have historically been a fact of life for large corporations and public sector departments, unlike the case with a conventional LAN connection device, using wireless technology an unsanctioned access point can be accessed by someone completely outside the physical premises of the organization.

If an intruder is successful in finding and connecting to an inadequately secured wireless access point (wandering a neighbourhood looking for open WLAN access points is called “war driving”, in hacker slang), he or she now has exactly the same ability to access internal enterprise resources, for example servers or the data on them, that a legitimate office worker would have. And since, by definition, an internal LAN is “behind the firewall”, Internet barrier security mechanisms such as firewalls, bastion servers, or proxy servers will be mostly ineffective against such intrusions. Attacks against external targets launched with this type of inappropriate access will appear to come from the organization that owns the conventional, Internet-attached LAN… because, of course, they do come completely from within the organization’s own TCP/IP address range.

Taken together, all of these factors amount to a difference of kind, not just degree, in the types of intrusion threats that modern IT security managers must cope with in the WLAN era.

It’s not safe at home, anymore

Another likely attack against inadequately secured wireless access points is equally troublesome, but is much less well understood.

In the early days of wireless networking, WLAN hardware – that is, wireless access hubs, routers and network interface cards – was expensive and complex to install and configure. Additionally, standards were poorly defined, so (for example) it was necessary to use the same vendor’s wireless NICs with that vendor’s access points; without doing so, chances of connectivity were poor. Thus, in most cases, WLANs were deployed only by experienced IT staff, within the relatively controlled contexts of enterprise (business) LANs.

However, in the last two to three years, affordability and user-friendliness for this technology have migrated down to the consumer level. It is now perfectly possible for even an uneducated computer user to connect his or her wireless access point to a broadband Internet (DSL or cable) modem, insert a wireless LAN adapter (even that of a different vendor) into a laptop and, with little or no extra configuration required, start happily surfing the Internet without any physical cable between the client PC and the access point.

For most consumers, the convenience that this auto-configuration provides is what makes the WLAN infrastructure attractive in the first place. Most casual home networking users have little or no understanding of IT security concepts, much less any interest in implementing what are, to them, complex and unnecessary configuration steps that add nothing to their computer use experience.

Unfortunately, hackers and other intruders are only too aware of the many vulnerabilities created by the “plug-and-play” philosophy of consumer-level wireless networking equipment – for example, default SSIDs (“Service Set Identifier”, the string that identifies a wireless access point to wireless clients; the default SSID for a NetGear 802.11 WLAN router is “NETGEAR”), or weaknesses in WEP encryption standards. Against an even moderately experienced hacker, most residential wireless networks are very vulnerable to unauthorized intrusion and access. This exposure is made worse by the fact that enterprise IT administrators have little or no control over how residential WLAN equipment is installed and/or configured, assuming that they even know that it has been deployed.

If society had maintained the work patterns of the 1980s or even early 1990s, the possibility of compromises against home-based WLANs would still be a problem, because the consequences of unauthorized access – for example, stealing credit card numbers or passwords to personal bank accounts, denial of service or inappropriate use attacks such as “hidden pornography sharing” launched from someone else’s broadband entry point, etc. – could be serious for the victimized individual or family.

But in the early 21st Century, work patterns have changed and “working from home” is a familiar concept, even for senior private and public sector managers who must have constant access to sensitive internal information.

Thus, looking at the situation from the perspective of a potential intruder, the easiest way to compromise an enterprise LAN may not involve attacking its center point (e.g., the organization’s business offices) at all. Rather, an intelligent intruder might use a social engineering attack (or, perhaps, simply use a phone book) to find out where a senior manager lives, park an automobile discreetly somewhere near by, set up his computer to search for an inadequately secured wireless access point installed at the manager’s house and then attack this access point.

The risks of this type of compromise are severe for several reasons. The most obvious of these is simple unauthorized access to corporate passwords and potentially confidential business information, but there are more subtle risks as well. For example, a compromised residential wireless access point is an ideal and (for the intruder) anonymous entry point for introduction of an Internet virus, “spam” e-mail or denial of service attack, with the hapless legitimate owner of the endpoint being blamed if such attacks are ever traced.

Furthermore, even if sensitive corporate information within central IT resources (for example a head office file server) is protected by a secondary data security mechanism such as file encryption, most home-based PCs – which could be directly attacked via a compromised WLAN – do not have this kind of protection, even if they are used for convenience purposes to store confidential information.

For example, the peer-to-peer networking features of Microsoft’s Windows XP Home OS, by default, do not provide even password-based protection for shared directories; an intruder on a compromised WLAN would have wide open access to a shared “My Documents” folder, in this scenario. (Such a location would be a perfect place for an attacker to locate a virus, a distributed denial-of-service “zombie” program, a password harvester or other OS-level compromise.)

And home-based computers may be used by children or other individuals with little or no security awareness, leading to a raft of potential compromises such as “spyware”, keyloggers, viruses or other client-based vulnerabilities.

Clearly, the problem of inadequately secured residential WLANs is one that enterprise IT security staff need to take seriously and address immediately.

Ubiquitous… and anonymous

A secondary issue associated with WLANs, especially 802.11x-based WiFi networks, is that this type of infrastructure can provide the ultimate in anonymous Internet access, especially when provisioned via wireless access points that are available for free use by the public. (This type of deployment is becoming an increasingly common value differentiator for some types of businesses, for example coffee shops, restaurants, airlines and so on.)

Unlike the past – where, at some point, it was necessary for some identifiable entity to pay for an Internet Service Provider account and, usually, a phone or cable connection, to get access to the Internet – public access WLAN facilities for the first time allow a user with nothing more than a laptop computer and a wireless LAN card to access the Internet. In other words, however tenuous this concept may have been during the days of conventional, wireline Internet access (as it has always been possible to fake an identity), public WLAN access now makes the concept of identifying a network attacker nearly impossible, especially in real time.

While anonymity has many legitimate functions, viewed in the WLAN context, enterprise IT administrators now have to contend with unidentifiable attackers who can (for example) use a public WLAN access point for however brief an interval it takes to launch a denial-of-service attack, “spam” e-mail flood, intrusion attempt or other inappropriate use session, afterwards immediately disconnect and never thereafter have any other association with the TCP/IP address or access point from which these malicious activities took place.

In some ways, this may be more of an exposure for the provider of the public WLAN access infrastructure than it would be for the directly aggrieved party, since if such an attack is traceable at all, the path would lead back to the public WLAN access point from which the attack was launched. But either way, it is a new issue that must be considered in protecting enterprise LANs from external attacks.

WEP: “Weaker than Ever Protection”

When WiFi (802.11x) wireless LANs were first invented, the creators of the 802.11x protocols were not totally ignorant of the unauthorized use risk posed by unsecured wireless access points. To provide a measure of security against these risks, they invented “Wired Equivalent Privacy” (commonly referred to as “WEP”), a low-level data encryption system designed especially for wireless security purposes.

Basically, WEP provides wireless data traffic confidentiality via encryption of MAC (Media Access Control, in OSI reference model tech-speak)-level data streams. Theoretically, a properly implemented WEP-enabled access point can deny access to any wireless client that does not have a shared authentication key, and once a client has thus been correctly authenticated, it can encrypt the client/access point data stream in near real-time so that attempts to remotely “sniff” the contents of TCP/IP packets are futile.

Unfortunately, WEP has many known vulnerabilities. Among these are:

• Problems with key generation (at the time WEP was created, the U.S. government had made the export of encryption keys longer than 40 bits illegal on the grounds that they were “weapons of mass destruction”, although later implementations of WEP have longer keys) and distribution;

• Weak IVs (“Initialization Vectors”), which make key cracking inappropriately easy (even for the 128-bit and larger WEP key implementations);

• A too-predictable CRC-32 packet integrity check algorithm;

• A wide range of freely available “hacker” tools to break WEP encryption itself;

• Many of the wireless access points (for example consumer market wireless / broadband Internet routers) which do implement WEP, do not provide the management tools needed to enable good security practices such as frequent key changes.

Taken as a whole, these issues amount to the fact that whatever the initial claims made of it, WEP encryption alone cannot be relied upon to provide security for wireless 802.11x networks.
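
Why the CRC-32 check listed above cannot serve as an integrity mechanism, as an added example that is not part of the original white paper: a simplified WEP-style frame (RC4 keyed with IV plus shared key, CRC-32 as the check value; the key ID byte and 802.11 headers are omitted) still validates after modification because CRC-32 is linear, while the same frame protected by a keyed HMAC is rejected. The key, IV and payload are constructed sample values, and the HMAC variant is an illustrative contrast, not the algorithm of any particular successor standard.

```python
import hashlib
import hmac
import struct
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher (KSA + PRGA); encryption and decryption are identical."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(payload: bytes) -> bytes:
    """WEP-style integrity check value: unkeyed CRC-32, little-endian."""
    return struct.pack("<I", zlib.crc32(payload))

def wep_seal(key: bytes, iv: bytes, payload: bytes) -> bytes:
    # Per-frame RC4 key is IV || shared key; the IV travels in the clear.
    return iv + rc4(iv + key, payload + icv(payload))

def wep_open(key: bytes, frame: bytes):
    """Return the payload if the CRC-32 check passes, else None."""
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + key, body)
    payload, check = plain[:-4], plain[-4:]
    return payload if check == icv(payload) else None

def modify_sealed_frame(frame: bytes, delta: bytes) -> bytes:
    """XOR `delta` into the encrypted payload and fix up the ICV, using no key.

    For equal-length inputs crc32(p ^ d) == crc32(p) ^ crc32(d) ^ crc32(zeros),
    so the ICV correction depends only on delta, never on the key or payload.
    """
    patch = struct.pack("<I", zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta))))
    return frame[:3] + xor(frame[3:], delta + patch)

def mac_seal(enc_key: bytes, mac_key: bytes, iv: bytes, payload: bytes) -> bytes:
    # RC4 is kept here only so that the integrity mechanism is the one variable.
    body = rc4(iv + enc_key, payload)
    return iv + body + hmac.new(mac_key, iv + body, hashlib.sha256).digest()

def mac_open(enc_key: bytes, mac_key: bytes, frame: bytes):
    """Return the payload if the HMAC-SHA256 tag verifies, else None."""
    iv, body, tag = frame[:3], frame[3:-32], frame[-32:]
    expected = hmac.new(mac_key, iv + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return rc4(iv + enc_key, body)

# Constructed sample values (not from the white paper).
KEY = bytes.fromhex("0102030405")          # 40-bit shared key
MAC_KEY = b"constructed-mac-key"
IV = b"\x00\x00\x01"
PAYLOAD = b"seq=0001 status=ok"
DELTA = bytes(7) + b"\x02" + bytes(10)     # flips one bit: '1' -> '3' at offset 7

def demo() -> dict:
    wep_frame = wep_seal(KEY, IV, PAYLOAD)
    mac_frame = mac_seal(KEY, MAC_KEY, IV, PAYLOAD)
    # Same ciphertext change applied to the HMAC frame; the tag cannot be fixed
    # up without MAC_KEY, so it is left as sent.
    mac_tampered = mac_frame[:3] + xor(mac_frame[3:-32], DELTA) + mac_frame[-32:]
    return {
        "crc_accepts_modified": wep_open(KEY, modify_sealed_frame(wep_frame, DELTA)),
        "hmac_accepts_modified": mac_open(KEY, MAC_KEY, mac_tampered),
    }

if __name__ == "__main__":
    print(demo())
```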

A successor to WEP, called “WPA” (“Wi-Fi Protected Access”), which will resolve many of the known vulnerabilities in WEP, is currently in the final stages of definition by the IETF and will probably become available within the late 2003 to mid-2004 time scale. While, obviously, transitioning to the new WPA standard will be desirable in the long run, for the time being WEP will remain the best available confidentiality tool for WLAN data streams, so IT security managers will have to plan their strategy to take its vulnerabilities into account.

How to deploy secure WLANs

The following section gives some practical steps on how to secure your WLAN.

Do a threat/risk analysis (TRA): Review your organization’s real business and technical security requirements, so you know what resources are most likely to be attacked, as well as what the consequences would be if each data element or resource were compromised.

Without undertaking this crucial step, it is impossible to properly secure your enterprise LAN, since you may be over-securing low-sensitivity resources while under-securing resources that are critical to your business.

As an example of this, if your enterprise LAN contains a mixture of low-bandwidth 1x RTT (cellular) and 802.11x-connected PCs, your available IT security manpower cycles may be better spent on the latter rather than the former (cellular networks have a degree of authentication security built in at the billing account level, and in any case, their metered costs and relatively low bandwidth give mobile users an incentive to restrict use of the resource, thereby mitigating the risk of data compromise).

Architect a secure wireless solution: Design an appropriate, secure wireless scheme that meets your users’ needs. A system which leaves important functions – for example, the ability to access home-based wireless networks – completely unaddressed, will likely be bypassed by end users… resulting in no security at all.

Also, the word “architect”, as used in this context, is a verb; your IT staff should spend the time to draft a valid WLAN architecture for your enterprise, not leave this function to ad hoc infrastructure growth engineered by end users. (If end users have no official WLAN architecture to adhere to, they will adhere to whatever is most convenient for them at the time.)

Roaming: Propose an effective roaming solution that extends the network beyond the office.

The point here is to realize that wireless LAN access – particularly, wireless 802.11x-related infrastructure deployed in residential or airport “hotspot” contexts – is here to stay; attempts to prohibit it, or to ignore it and hope the problem goes away (it won’t), are likely to be futile.

If your IT staff is able to get out in front of the curve and propose a wireless roaming system that will enhance end user convenience, the chances are much greater that you will get the co-operation of end users when the time comes to implement strong security.

Use WEP… but don’t expect miracles of it: Wired Equivalent Privacy (or WEP) authentication and encryption is not perfect, but using it is far preferable to having no wireless encryption protection at all. So enable it for all the access points that support it.

Think of the analogy with the lock you use to secure the front door of your house, or the lock on your car door. Both of these can certainly be defeated, and this happens every day across the country; but the mere presence of a lock is known to deter thieves, who for the most part would prefer to attack targets that are less well defended. WEP can work in exactly the same way for wireless LANs, encouraging attackers to go after someone else’s network.

Furthermore, it should be noted that although it is indeed possible to break or circumvent WEP-based wireless security, doing so is – particularly for its 128-bit and longer versions – a much less straightforward task than some alarmist media stories would have one believe.

There are many reasons why this is the case, but as an example, most WEP-hacking programs currently (July 2003) available run only over various versions of the Linux, OpenBSD or other non-Windows operating systems; thus, to use most of these, an intruder must acquire and install a completely new operating system on his or her computer. (And, possibly, recompile the hacking program from C++ source code, itself a non-trivial task.) Then, the intruder must have at least some understanding both of low-level TCP/IP data concepts and of encryption concepts, must have both the time (possibly as much as a day per attempt) and the circumstances (e.g. a car or van to park discreetly while attempting to break a WLAN-secured access point) and, finally, the disposition (in particular, a good deal of patience) to carry the intrusion attempts through to fruition.

Impossible? No, but definitely a task that would deter many casual intruders who are just “nosy”. But by not using WEP, you are making the task of intrusion immensely easier, just as you would be by not placing a lock of any kind on your home’s front door.

So, WEP has a place to play in securing WLAN systems; just do not make the mistake of making it your only 802.11x security technology.

As a side-note, wherever possible, your organization should invest in WLAN access devices (e.g. access points, routers and network cards) that either implement, or can conveniently be upgraded to implement, the emerging WPA wireless security standard. While WPA is currently (July 2003) still a “work in progress”, it will eventually succeed WEP and solve many of WEP’s known vulnerabilities. Planning ahead to implement WPA will eventually make the task of securing 802.11x-based WLANs considerably easier.

Authentication is the key: The most significant vulnerability of wireless LANs is the fact that, at the physical level, by definition they enable access to anyone, authorized or not, within a WLAN access point’s radius of useful signal strength. (As noted above, this is in contrast to the situation with a conventional LAN, where a user must have physical access to building facilities to plug in to a 10BaseT UTP Ethernet cable.)

Thus, systems that ensure that only authorized users are allowed to get a physical level connection at all to WLAN access points are a critical function of wireless LAN security policy (although they are not, by themselves, everything you need to secure a WLAN). Providing robust authentication security for use of wireless access points will instantly stop 80% of intrusion attacks.

End-run WEP problems with RADIUS: An excellent, industrial-strength solution to the WLAN authentication issues is an authentication infrastructure that implements a RADIUS client/server architecture.

RADIUS, an IETF standard security management protocol first used for dial-up access to Internet Service Provider modem pools, enables control over which users can connect to your network, and over what resources they can access. Wireless-optimized extensions to RADIUS can enable wireless users to be strongly authenticated at access points using X.509 digital certificates.

There are currently two “flavors” of such RADIUS extensions that you should consider:

• EAP-TLS (Extensible Authentication Protocol - Transport Layer Security): This is the security method used in the 802.1X client for Windows XP; it uses client- and server-side certificates to perform authentication; dynamically generated user- and session-based keys are distributed to secure the connection.

• PEAP (Protected Extensible Authentication Protocol): Protected EAP is an extension of EAP-TLS which provides certificate-based mutual authentication of the client and network. Unlike EAP-TLS, PEAP requires only server-side certificates, eliminating the need to configure certificates for each WLAN client.

The certificate-based client / server approach has many advantages. For example, administrators can enforce policies on user sessions, to specify the length of an encryption key and the time interval for its auto-renegotiation, and so on. Collectively, these features can negate most of WEP’s known vulnerabilities and exponentially increase the complexity and difficulty of intrusion attempts.

Note that some configurations may require a specialized, RADIUS-compatible client on each PC that will access the secure wireless LAN infrastructure; so, in planning a network of this type, you should make some allowance for remote roll-out, installation and provisioning issues.

Install, configure and test: Build and configure WLAN authenticationservers using best security practices. Install, configure and test hardware and software.

In particular, don’t assume that security equipment and software actuallydoes what it claims to do – oversights such as a certain type of wirelessrouter returning the administrator password in cleartext, when a certainSNMP call is made to it, or storing sensitive WLAN configuration and authentication data in a client PC’s Windows Registry in completelyunencrypted format, are uncommon but are definitely there, and the hackers all know about them.

Either have your own IT department, or (better yet), hire a third party to attempt to break or bypass whatever WLAN security features you have implemented. You may be surprised what you find out about the equipment that you thought was “bullet-proof”.

The problem (partly) starts at home: As noted above, from the perspective of an attacker, unsecured, home-based WLAN access points may be considerably more attractive targets than would be the likely better-protected assets at an enterprise’s business offices.

There may be little that your organization can (or should) do to prevent or restrict the ways in which employees use their own computers at home. But there are ways in which you can mitigate this risk, from both wireless and conventional remote access perspectives.

• Require, or at least make available, more sophisticated, multi-factor methods of user authentication than just usernames and passwords (which are too easily compromised by basic hacking techniques such as keyloggers, IP packet sniffing, etc.) for access either to employee home computers or corporate resources. Among the advanced authentication methods available today are X.509 digital certificates, USB keys, smart cards and biometrics.

Use of any one or combination of these systems will make the task of an intruder significantly more difficult, because simple interception of a password via a compromised residential WLAN will no longer be sufficient to enable subsequent compromise of the enterprise LAN as a whole.

• If possible, implement a VPN (Virtual Private Network) system to secure the datastream between remote/home-based client PCs and central enterprise data resources. Properly-configured VPNs, particularly if combined with more sophisticated methods of multi-factor user authentication, can provide good protection for corporate resources, even if a residential WLAN access point is itself compromised to give an intruder access. There are two main types of VPNs: IPSec systems, which require installation of client software, and the newer SSL VPNs, which are entirely browser-based, making provisioning and roll-out significantly easier (as well as more secure).

• Provide, or encourage the use of, tools for good security practices on home computers. Among these are software firewalls, anti-virus software and anti-spyware software. Using such tools will make your entire enterprise network more secure, in addition to complicating the task of a wireless intruder who wants to hijack a vulnerable home computer as an entry point for activities such as a denial-of-service or virus injection attack.

• Provide at least some security-related education for all employees, but particularly those who may be using, or considering using, wireless networking at home. An example of the types of advice you could give in such training would be, “every so often, have a quick look at your wireless router and cable (or ADSL) modem; if your PC is turned off, but there is a lot of constant data traffic on the router and the modem, this might indicate an unauthorized connection – contact your Security department”. The more educated your home users are, the better able they will be to recognize intrusions at an early stage.

Attackers may want your bandwidth, not your data: Not all attacks against enterprise WLANs may involve the usual security threats such as data interception or password compromises.

For example, attackers may want access to your organization’s infrastructure for more mundane but still inappropriate purposes, such as trading illegally copied media items (songs and movies) or software, creating a launching point for mass “spam” mail blasts, storing pornography or simply free Web surfing.

While these types of attacks did exist prior to the inception of WLANs, they are a far more attractive proposition nowadays because a wireless intruder may not have to bypass a firewall. You should consider, and protect against, this risk in designing your organization’s WLAN strategy.

Manage and support: Review your WLAN support options to meet the needs of your internal customers. Adjust these options to take into account changing needs, especially at the residential and home networking levels.

The easier that it is for users to access your support resources to get answers to security-related concerns, the more likely it will be that your users will adhere to whatever wireless security policy your organization has decided upon.

The details of implementing WLAN security

To protect your wireless LAN network from attack, the following best practices are recommended:

1. Educate employees about WLAN risks, especially about how to recognize an intrusion or suspicious behavior. Security-aware end users are perhaps your best line of defence against intrusion.

2. Prohibit or restrict unauthorized attachment of wireless access points (rogue access points).

3. Employ a third party managed security services company to constantly monitor your network security infrastructure for signs of an attack or unauthorized use.

4. Deploy strong authentication (X.509 digital certificate, USB token, smart card and/or biometric) for all of your IT resources, wireless and wireline alike. Doing so will tremendously complicate the task of wireless “snoopers”, because interception and possession of a compromised password will no longer allow them to access protected resources and data sets.

5. Prohibit or restrict use of 802.11x WLAN cards in ad hoc mode, especially when in public areas or any building with perimeter less than the WLAN broadcast range.

6. Ask users to connect only to known access points; masquerading access points are more likely in unregulated public spaces.

7. Deploy personal firewalls, anti-virus software and spyware blockers on all corporate PCs, particularly laptops and computers using the Windows operating system. Use corporate network security policy to enforce the continuous use of these assets and train employees to recognize when a problem is detected.

8. Actively and regularly scan for rogue access points and vulnerabilities on the corporate network, using available WLAN management tools.

9. Change default management passwords and, where possible, administrator account names, on WLAN access points. Also, make sure to disable or secure other potential “leak-points” of confidential configuration data – for example Telnet access or auto-responses to SNMP queries, etc. – that might be of value to a hacker trying to glean information about your network from a wireless access point.

10. Change the default SSID on all access points, and allow the access points to broadcast their SSIDs. This enables users to easily identify the access point to which they are connecting and only present the necessary credentials. It may be a good idea to make the SSID of an access point something that misleads attackers about the value of the data behind it; for example, an access point in a bank could be named “COFFEESHOP” instead of “BANKSECRETS”.

11. Turn on and use encryption (128-bit TKIP or higher WEP if your equipment supports it). TKIP provides protection against the drive-by snooper or unintentional visitor, but it should always be used with other measures in a corporate environment.

12. Use strong security for other data resources such as laptop or desktop data files and e-mail messages and attachments. (For example, desktop encryption solutions can range all the way from simple Windows-based EFS encryption to more advanced, flexible and platform-independent third party solutions, while X.509 digital certificates offer a very cost-effective way of securing e-mail.) The reason, again, is to create a layered security system, so that an intruder who somehow manages to defeat your organization’s WLAN security still has additional barriers to cross to do real damage.

13. When deploying 802.1X infrastructure to implement dynamic encryption keys (for example with a RADIUS-based authentication system), configure the session key update for at least once per hour to minimize the chance of key repetition.

14. Make sure that your RADIUS server has a valid server certificate for network authentication to all valid users and devices.

15. Avoid placing access points against exterior walls or windows.

16. Reduce the broadcast strength of WLAN access points, when possible, to keep it within the necessary area of coverage only. Avoid coverage of unintended areas such as parking lots.

17. When planning network design, use 802.1X-based port authentication for wired switches and hubs to inhibit future addition of unauthorized, user-attached access points.

18. Ask employees with home WLAN access points to change the authentication and confidentiality keys of their broadband routers, etc., at least once per month (once per week if your organization is very security-sensitive). It may be cost-effective for your organization to purchase one example of the consumer WLAN to broadband routers from the locally dominant vendors (e.g. Linksys, SMC, Netgear, etc.) and have your IT staff create simple, easily-understood corporate standard instructions as to how to do this, as well as to offer residential WLAN phone support for inexperienced users. All of these steps will help to reduce the “home access point” wireless LAN vulnerability.
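Practices 2, 5, 6 and 8 above all come down to comparing what a wireless scan observes with an inventory of approved access points. The following Python code is an added example, not part of the original white paper; the inventory, the scan records, the finding labels and the "seen on wired LAN" flag (assumed to be supplied by your WLAN management tool) are all constructed for illustration.

```python
# Added example: classify radios seen in a WLAN scan against an approved
# inventory. Every address, SSID and label below is constructed sample data.
AUTHORIZED = {  # BSSID -> SSID the approved access point should advertise
    "00:11:22:33:44:01": "CORP-WLAN",
    "00:11:22:33:44:02": "CORP-WLAN",
}

# Constructed scan records: (bssid, ssid, mode, seen_on_wired_lan)
SCAN = [
    ("00:11:22:33:44:01", "CORP-WLAN", "infrastructure", True),
    ("00:11:22:33:44:02", "GUEST", "infrastructure", True),
    ("02:00:00:00:00:01", "CORP-WLAN", "infrastructure", False),
    ("02:00:00:00:00:02", "linksys", "infrastructure", True),
    ("02:00:00:00:00:03", "printer-setup", "ad-hoc", False),
    ("02:00:00:00:00:04", "CafeNextDoor", "infrastructure", False),
]


def classify(bssid, ssid, mode, on_wire, authorized=AUTHORIZED):
    """Return one finding label for a single observed radio."""
    known = {b.lower(): s for b, s in authorized.items()}
    bssid = bssid.lower()
    if bssid in known:
        # Approved hardware advertising an unexpected name was reconfigured.
        return "ok" if ssid == known[bssid] else "config-drift"
    if mode == "ad-hoc":
        return "ad-hoc"        # practice 5: peer-to-peer card, no AP controls
    if ssid in set(known.values()):
        return "masquerade"    # practice 6: corporate SSID from unknown radio
    if on_wire:
        return "rogue"         # practices 2 and 8: unapproved AP on the LAN
    return "neighbor"          # unrelated network that is merely in range


def audit(scan=SCAN):
    """Group observed BSSIDs by finding, leaving out the ones that are fine."""
    report = {}
    for bssid, ssid, mode, on_wire in scan:
        label = classify(bssid, ssid, mode, on_wire)
        if label != "ok":
            report.setdefault(label, []).append(bssid)
    return report


if __name__ == "__main__":
    for label, bssids in sorted(audit().items()):
        print(f"{label:12} {', '.join(bssids)}")
```

The order of the checks matters: an unknown radio that advertises the corporate SSID is reported as a masquerade even when it is not attached to the wired LAN, because users may still hand it their credentials.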

Summary

Wireless LANs are neither the inherently insecure demon that their detractors depict, nor are they inherently secure enough to be implemented in exactly the same way as conventional wireline LANs would be. But because this technology is quickly gaining momentum from a consumer acceptance perspective, it is imperative that your organization roll out its WLAN(s) in a secure fashion.

Doing this may require only a few steps and types of security practice and technology, or may require more, depending upon the nature of the information being protected and the degree of security desired. And, it’s important to note, some of the best practice steps you should use to secure a wireless LAN are basically the same as would be the case for a conventional network. Viewed in this context, the implementation of a WLAN can be an ideal catalyst to improve the overall security of the rest of your enterprise LAN or WAN.

The results will benefit users of both wireless and wireline infrastructures…and your organization’s productivity will improve as well.

But start the process now, before your WLAN starts to broadcast things you don’t want the public to hear!

©2003 VeriSign, Inc. All rights reserved. VeriSign, the VeriSign logo, NetSure, and other trademarks, service marks, and logos are registered or unregistered trademarks of VeriSign and its subsidiaries in the United States and other countries. All other trademarks belong to their respective owners. DS 037 0903

Copyright © Soltrus, Inc., 2003. Limited permission is hereby granted to reproduce and distribute this document, provided that this notice of copyright is included and that distribution is not for a commercial purpose.