
Wednesday, 16 September 2009

Guideline for Securing Wireless LAN Deployment

Introduction

Wireless LAN (WLAN) is now widely deployed in Hong Kong. You can find hotspots in shopping centres, Internet cafes, hotels and the airport, and it would not be surprising to see WLAN accessible along the street in the near future. Because it needs little cabling and costs little, home and corporate adoption of the technology is booming. WLAN, however, has its disadvantages in terms of security: if not properly deployed, it can bring about great security risks.

What is 802.11b and Wi-Fi?

Wireless LAN can be considered an extension of current LAN technology. Instead of copper wire as the physical connection, high-frequency radio waves are used to transmit signals. PCs equipped with a wireless LAN adapter can connect to each other in a network through the air. The most common WLAN standard is IEEE 802.11b (also named Wi-Fi). It works at a maximum bandwidth of 11 Mbps on one of the 15 channels (in Hong Kong, use is limited to the first 11 channels) of the unlicensed 2.4 GHz band. The negotiated bandwidth can fall back from 11 Mbps to 5.5 Mbps and 2 Mbps when the signal is weak or the environment is noisy. The signal-to-noise ratio can be improved by attaching an antenna to the AP or the client. WLAN uses a shared medium, so you can expect collisions that lower the effective bandwidth.

There are two modes of communication: ad-hoc mode, for client-to-client communication, and infrastructure mode, for client-to-hub communication. In infrastructure mode the hub, or Access Point (AP), connects all clients to form a wireless network. Each network has a Service Set Identifier (SSID) to differentiate itself from the others. By default the Access Point broadcasts the SSID periodically to let users locate the network.

IEEE 802.11b includes an optional security feature called Wired Equivalent Privacy (WEP) to encrypt the traffic between the client and the AP. The standard defines a 64-bit WEP key (with a 40-bit secret key). Currently a stronger 128-bit WEP (with a 104-bit secret key) is commonly available. The client and the AP must agree on a shared key before communication can be established.

Vulnerabilities and Risks of Wireless LAN

The greatest vulnerability of a WLAN is the lack of physical security. Unlike a wired network, intruders do not need to enter your premises to connect to your wireless network, and you have no good way of tracking who is connected at any time.

The second security vulnerability comes from the default settings of WLAN devices. The default settings are there for ease of deployment and compatibility; they allow non-technical users to connect and use the WLAN without difficulty. Most users and companies do not change the default settings after deployment, and intruders can make use of this "convenience" to connect to your network as well. These are the well-known default settings of a WLAN access point (AP):

  • No encryption (WEP) used, or a default encryption key in use
  • Default SSID (e.g. WaveLAN Network, default, wireless)
  • Default administrator name and password (and SNMP community string as well)
  • DHCP enabled by default, automatically assigning an IP address to every connected device

The third vulnerability comes from the current WLAN technology, 802.11b. Firstly, 802.11b incorporates no authentication mechanism, and its encryption protocol, Wired Equivalent Privacy (WEP), has no automatic key-change mechanism. Besides, WEP is known to have a flaw that allows anyone who collects enough packets to break the encryption.

The last vulnerability is the weakest link: people. Without a careful study of the risks associated with current WLAN technology, some people deploy WLAN for sensitive services. Some companies have no control over staff plugging APs into their internal network, opening a backdoor to intruders and rendering the perimeter firewall and Internet antivirus gateway useless.

The consequences of an intruder connecting to your WLAN are:

  • Network resources (e.g. Internet bandwidth) being misused and productivity being affected.
  • Information leakage due to network sniffing by intruders outside your premises, where you have no control of access.
  • Virus infection due to viruses injected by intruders.
  • Damage to confidentiality, integrity and availability when systems are penetrated by intruders.

These damages can translate into financial, trust and reputation loss. You might also incur legal liability by allowing this to happen (e.g. violation of your usage agreement, or claims for losses when your network is used to launch a hacking attack).

Wireless LAN Security Checklist

Here is a checklist to secure your WLAN deployment.

General Checklist to Home and Business Use of WLAN


  1. Physical Security
    1. Do not put the WLAN Access Point (AP) close to a window or door.
    2. Power off the access point when it is not in use.
  2. Encryption of communication
    1. Turn on WEP encryption. A 128-bit WEP key is preferred over a 64-bit key.
    2. To further improve security over time, change the WEP key periodically.
  3. Securing SSID
    1. Change the default SSID of your network to something else.
    2. If possible, turn off SSID broadcast (some AP manager GUIs provide such a function, sometimes called "closed network"). You then need to tell individual users the SSID.
  4. Controlling access to authorized WLAN cards
    1. Turn on the MAC address filter to allow only authorized WLAN cards to connect. This is effective if the list of WLAN cards is manageable.
  5. Controlling the IP network
    1. Disable the DHCP service on the AP and use static IP addresses on wireless LAN clients. Clients without a valid IP address cannot connect.
  6. SNMP configuration
    1. If your AP is configured using SNMP, make sure you change the default SNMP name and community string. Use a longer SNMP community string with a mix of numerals and letters.
    2. Enable the SNMP access control list (ACL) to control who can configure the AP.
    3. For security over time, change the SNMP community string periodically.
  7. Mobile Computing Security
    1. Most probably you are using WLAN with mobile devices. Make sure you observe other mobile security issues (e.g. theft of hardware, lack of protection from the corporate antivirus gateway and firewall) and deploy appropriate protections.
  8. Human Security
    1. Do not reveal your password, SSID, WEP key or other security configurations to third parties. When in doubt, change these settings.
  9. Legal and Ethical Responsibility
    1. Unauthorized access to an information system is a criminal offence. Do not try to connect to others' wireless networks and systems out of curiosity, for research or for any other purpose. If you find that your neighbour's WLAN is insecure, please inform them so they can get it fixed. As a responsible person, please do not disclose this vulnerability, with the owner's name and location, to a third party.
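The checklist above can be turned into a repeatable audit rather than a manual walk-through of each AP's management screen. The following script is an added example, not part of the original guideline: it encodes items 2 to 6 (plus the default administrator password listed under "Vulnerabilities") as checks over a dictionary describing one access point's settings. The setting names, the lists of factory defaults, the 90-day key rotation period and the three sample configurations are assumptions constructed for this example, not any vendor's configuration format.

```python
"""Checklist-driven audit of wireless access point settings (added example)."""
from datetime import date, timedelta

# Assumed factory-default values that the checklist says must be changed.
DEFAULT_SSIDS = {"default", "wireless", "wavelan network"}
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password"}
KEY_ROTATION_DAYS = 90             # assumed policy for "change the WEP key periodically"
AUDIT_DATE = date(2009, 9, 16)     # fixed reference date so the results are reproducible


def strong_community(s):
    """Checklist 6.1: at least 12 characters mixing numerals and letters (assumed length)."""
    return len(s) >= 12 and any(c.isdigit() for c in s) and any(c.isalpha() for c in s)


def audit_access_point(cfg, today):
    """Return a list of (checklist item, finding) tuples for one AP configuration."""
    findings = []

    # 2. Encryption of communication
    if not cfg.get("wep_enabled"):
        findings.append(("2.1", "encryption disabled"))
    else:
        if cfg.get("wep_key_bits", 64) < 128:
            findings.append(("2.1", "64-bit WEP key; 128-bit preferred"))
        changed = cfg.get("wep_key_changed")
        if changed is None or today - changed > timedelta(days=KEY_ROTATION_DAYS):
            findings.append(("2.2", f"WEP key not changed in the last {KEY_ROTATION_DAYS} days"))

    # 3. Securing SSID
    if cfg.get("ssid", "").strip().lower() in DEFAULT_SSIDS:
        findings.append(("3.1", f"default SSID {cfg.get('ssid')!r} still in use"))
    if cfg.get("ssid_broadcast", True):
        findings.append(("3.2", "SSID broadcast enabled"))

    # 4. Controlling access to authorized WLAN cards
    if not cfg.get("mac_filter_enabled"):
        findings.append(("4.1", "MAC address filter disabled"))

    # 5. Controlling the IP network
    if cfg.get("dhcp_enabled"):
        findings.append(("5.1", "DHCP server enabled on the AP"))

    # 6. SNMP configuration (only relevant when the AP is managed over SNMP)
    community = cfg.get("snmp_community")
    if community is not None:
        if community.lower() in DEFAULT_SNMP_COMMUNITIES:
            findings.append(("6.1", "default SNMP community string"))
        elif not strong_community(community):
            findings.append(("6.1", "SNMP community string too short or not mixed alphanumeric"))
        if not cfg.get("snmp_acl_enabled"):
            findings.append(("6.2", "SNMP access control list disabled"))

    # Default administrator credentials (listed under "Vulnerabilities" above)
    if cfg.get("admin_password", "") in DEFAULT_ADMIN_PASSWORDS:
        findings.append(("admin", "default or empty administrator password"))

    return findings


# Constructed sample configurations; they do not describe real devices.
FACTORY_DEFAULT_AP = {
    "ssid": "default", "ssid_broadcast": True, "wep_enabled": False,
    "mac_filter_enabled": False, "dhcp_enabled": True,
    "snmp_community": "public", "snmp_acl_enabled": False,
    "admin_password": "admin",
}
HARDENED_AP = {
    "ssid": "hk-office-7f", "ssid_broadcast": False,
    "wep_enabled": True, "wep_key_bits": 128, "wep_key_changed": date(2009, 8, 1),
    "mac_filter_enabled": True, "dhcp_enabled": False,
    "snmp_community": "r7Kq2pLm9zTx", "snmp_acl_enabled": True,
    "admin_password": "Wq8-long-admin-passphrase",
}
# Same hardened AP, but still on a 64-bit key that was last rotated in January.
STALE_KEY_AP = dict(HARDENED_AP, wep_key_bits=64, wep_key_changed=date(2009, 1, 5))

if __name__ == "__main__":
    samples = [("factory default", FACTORY_DEFAULT_AP), ("hardened", HARDENED_AP),
               ("stale key", STALE_KEY_AP)]
    for name, cfg in samples:
        print(f"{name}:")
        for item, text in audit_access_point(cfg, AUDIT_DATE) or [("-", "no findings")]:
            print(f"  [{item}] {text}")
```

Run against a real fleet, the dictionaries would be filled from each AP's exported configuration (or a management console); the checker itself stays the same. The factory-default sample trips every item on the list, the hardened sample passes cleanly, and the stale-key sample shows why the rotation check (2.2) is separate from the key-length check (2.1): a device can be otherwise hardened and still fail on age alone.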

Additional Checklist for Corporations

  1. Use of technology: For very sensitive and serious services, assess the risk of WLAN before taking it as an option. Budget for the extra cost of management and security measures before deploying WLAN.
  2. Management policy: Do not allow staff to set up their own access points. Carry out periodic checks to audit whether this policy is enforced.
  3. Perimeter protection: Treat the WLAN as an untrusted network. Segment wireless traffic into a separate network. Install a properly configured firewall between the wired infrastructure and the wireless network to manage traffic going into the internal network or service network.
  4. Switched network connection: Connect APs to network switches (instead of hubs) to avoid communication sniffing.
  5. Stronger encryption: The WEP protocol has its flaws; an intruder can collect enough packets to break the encryption. It is advisable for corporations to deploy Virtual Private Network (VPN) technology on top of WEP to encrypt wireless communications.
  6. Authentication: Consider other forms of authentication for the wireless network (such as RADIUS and Kerberos, which are currently available for some products).
  7. Use an upgradeable solution: WLAN technology is evolving quickly. When choosing a WLAN solution, ensure the AP and wireless cards can have their firmware updated. Update WLAN device firmware periodically.

Next Step of Wireless LAN Security

Two of the major security issues of WLAN are the lack of authentication and the weakness of WEP. Some proprietary WLAN implementations, such as those from Cisco and Lucent, have included client authentication from the 802.1x standard used in traditional Ethernet networks. Some go a step further and do mutual authentication of client and server by adopting PKI. The Temporal Key Integrity Protocol (TKIP), initially termed WEP2, was an attempt to strengthen the encryption by using dynamic WEP keys that change every 10,000 packets. These security enhancements will be available in the coming WLAN standards.

Evaluating LAN Security

Threatened Networks

Inline and out-of-band LAN security appliances offer different levels of functionality. Understanding these differences is key to selecting the right product for your organisation, says Jeff Prince

The local-area network (LAN) has emerged as a security risk, subject to insider misuse as well as external attacks. Threats can arise from a number of sources, including rogue hosts on wireless, guests plugging into open ports in a conference room, contractors or partners needing access to corporate resources, and the continued movement of laptops between the corporate LAN and the Internet. At the same time, malware is escalating because attacks are easier to build, faster to spread and motivated by financial gain.

The IT department finds itself having to provide more points of access into the LAN without compromising systems and data. In response to these challenges, vendors have developed a variety of LAN security devices. Enterprises looking to secure their LANs will find these platforms readily available and easy to deploy within an existing network infrastructure.

LAN security devices fall into two broad classes - those that operate inline and those that operate out-of-band. Inline platforms are deployed between the wiring closet switch and the network core and are distributed throughout a network, close to users. They function as both a policy decision point and an enforcement device, because they sit in the stream of network traffic.

Out-of-band LAN security appliances are centrally located and typically connect to a switch in the core. They are not directly in the flow of traffic and therefore act as a policy decision point, with enforcement being delegated to other infrastructure devices, usually the wiring closet switch in the distribution layer.

Inline and out-of-band LAN security devices differ in terms of their interoperability with existing infrastructure, the security services they support, and the operational issues they pose.

A LAN security device must protect the LAN from both internal and external risks. To be effective, the platform should support key functions including network admission control (NAC), traffic visibility, post-admission control, and malware control.

NAC includes authentication and host posture check. It allows the IT department to verify that users are who they say they are and the machine they are using complies with corporate standards (for example, running an approved operating system with current patches and fixes and an updated anti-virus program). The best devices incorporate NAC that:

  • Supports both active and passive authentication
  • Leverages existing identity stores for authentication
  • Identifies a user’s role as part of authentication, which is essential for applying control policies to that user following admission to the network
  • Provides ubiquitous host posture check that applies to all classes of users, including employees, contractors and visitors - without burdening IT
  • Works with multiple host agents
  • Supports hosts not under enterprise control

Traffic Visibility

Traffic visibility is a pre-requisite for access control and auditing, because devices cannot control what they cannot see. Look for the level of visibility granularity that will deliver the level of control your business needs. For granular control, a LAN security platform must:

  • Tie all LAN traffic to the user and not simply to IP or MAC addresses
  • Provide key user data, including login/logout time, applications run and resources reached
  • Perform deep packet inspection on all flows and not just sampled traffic
  • Retain statistics about all flows for regulatory compliance and accounting purposes
  • Track security incidents, including those relating to host posture checks, policy violations, authentication failures and malware events
  • Provide real-time and historical data
  • Provide an aggregated view of the LAN's security health

In terms of traffic visibility, inline and out-of-band LAN security appliances offer significantly different capabilities. Inline devices have the capacity to see everything that goes by because they sit in the flow of traffic, whereas out-of-band appliances have no visibility into ongoing LAN traffic.

Post-admission policies provide control over where users go and what resources they can access once they are admitted onto the network. For the most granular security, a LAN security platform should provide post-admission control functionality that:

  • Ties all LAN activity back to specific users – this link enables the IT department to define rights and permissions, as well as control and enforcement actions, based on a user’s role in the organisation
  • Supports universal access control – this architecture ensures the correct rights and permissions are applied to all users, regardless of the access method used, or location from which they attach to the LAN

Post-admission control capabilities of inline versus out-of-band security appliances vary greatly. If designed with comprehensive traffic visibility, an inline device can apply per-flow packet handling, allowing for granular control based on user, group, and application, even layer 7 content. Since enforcement is built in, the platform is able to inspect user traffic and apply controls at LAN speed.

Lacking traffic visibility, out-of-band appliances are limited in their access control capabilities. In addition, since out-of-band appliances are dependent on distribution switches for policy enforcement, they have limited enforcement control over user traffic.
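The NAC requirements listed earlier (authenticate the user, check host posture against the corporate standard, derive a role, support unmanaged hosts) and the post-admission requirements just described (tie every flow to a user role, default-deny what the role does not permit) can be modelled as two small decision functions. The following script is an added example, not code from the article or from any appliance vendor. The identity store, the posture thresholds, the role policy table and the sample hosts are assumptions constructed for the example; in a real deployment the authentication result would come from 802.1X or a captive portal and the posture data from a host agent.

```python
"""Network admission control and role-based post-admission policy (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TODAY = date(2009, 9, 16)  # fixed so the example is deterministic

# Assumed corporate host standard: approved OS, current patches, updated anti-virus.
APPROVED_OS = {"Windows XP SP3", "Windows Vista SP2", "Mac OS X 10.5"}
MAX_PATCH_AGE_DAYS = 30
MAX_AV_SIGNATURE_AGE_DAYS = 7

# Assumed identity store: authenticated user name -> role. "visitor-0917" is a
# sponsored guest account for a host the enterprise does not manage.
IDENTITY_STORE = {"alice": "employee", "bob": "contractor", "carol": "finance",
                  "visitor-0917": "guest"}

# Assumed post-admission policy: per role, ordered (zone, service, action) rules.
# The first matching rule decides; anything unmatched is denied.
POST_ADMISSION_POLICY = {
    "finance":    [("finance", "any", "allow"), ("intranet", "any", "allow"), ("internet", "any", "allow")],
    "employee":   [("finance", "any", "deny"), ("intranet", "any", "allow"), ("internet", "any", "allow")],
    "contractor": [("intranet", "tcp/443", "allow"), ("internet", "any", "allow")],
    "guest":      [("internet", "any", "allow")],
    "quarantine": [("remediation", "any", "allow")],
}


@dataclass
class Posture:
    os_name: str
    last_patch: date
    av_signature: date


@dataclass
class Host:
    user: str
    mac: str
    authenticated: bool         # result of active (802.1X/portal) or passive (observed logon) auth
    posture: Optional[Posture]  # None when no agent reports, e.g. a visitor's own laptop


def posture_failures(p, today=TODAY):
    """Return the posture requirements the host fails (empty list when compliant)."""
    failures = []
    if p.os_name not in APPROVED_OS:
        failures.append(f"unapproved OS {p.os_name!r}")
    if today - p.last_patch > timedelta(days=MAX_PATCH_AGE_DAYS):
        failures.append("patches out of date")
    if today - p.av_signature > timedelta(days=MAX_AV_SIGNATURE_AGE_DAYS):
        failures.append("anti-virus signatures out of date")
    return failures


def admit(host, today=TODAY):
    """Admission decision as (decision, effective role).

    Unauthenticated or unknown users are denied; a host with no posture report is
    admitted with guest rights only; a managed host that fails posture is sent to
    the quarantine role, which only reaches the remediation zone."""
    if not host.authenticated:
        return ("deny", None)
    role = IDENTITY_STORE.get(host.user)
    if role is None:
        return ("deny", None)
    if host.posture is None:
        return ("admit", "guest")
    if posture_failures(host.posture, today):
        return ("quarantine", "quarantine")
    return ("admit", role)


def flow_allowed(role, zone, service):
    """Per-flow post-admission check: first matching rule for the role wins, default deny."""
    for rule_zone, rule_service, action in POST_ADMISSION_POLICY.get(role, []):
        if rule_zone == zone and rule_service in ("any", service):
            return action == "allow"
    return False


# Constructed sample hosts (MAC addresses are placeholders, not real devices).
HOSTS = {
    "alice":   Host("alice", "00:16:00:00:00:01", True,
                    Posture("Windows XP SP3", date(2009, 9, 1), date(2009, 9, 14))),
    "bob":     Host("bob", "00:16:00:00:00:02", True,
                    Posture("Windows XP SP3", date(2009, 9, 5), date(2009, 8, 20))),
    "visitor": Host("visitor-0917", "00:16:00:00:00:03", True, None),
    "mallory": Host("mallory", "00:16:00:00:00:04", True,
                    Posture("Windows XP SP3", date(2009, 9, 1), date(2009, 9, 14))),
    "carol":   Host("carol", "00:16:00:00:00:05", False, None),
}

if __name__ == "__main__":
    for name, host in HOSTS.items():
        decision, role = admit(host)
        print(f"{name:8} -> {decision:10} role={role}")
    print("employee -> finance:", flow_allowed("employee", "finance", "tcp/443"))
    print("contractor -> intranet tcp/445:", flow_allowed("contractor", "intranet", "tcp/445"))
```

Two design points worth noting. The decision and the enforcement are separate functions on purpose: on an inline device both run in the same box, whereas an out-of-band appliance would return the role from `admit()` and hand enforcement (a VLAN or ACL assignment equivalent to `flow_allowed()`) to the wiring-closet switch, which is exactly the split the article describes. And the quarantine outcome reuses the same role-based table, so a host that fails posture is not simply dropped but is confined to the remediation zone until its posture is fixed.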

Malware Control

Malware detection and blocking provides the IT department another tool for protecting the LAN. Worms, viruses, bots, spyware and other malware can wreak havoc with network availability. Comprehensive post-admission traffic visibility and control is required to contain malware. When evaluating a LAN security appliance for malware control, look for devices that:

  • Granularly block bad traffic. For example, giving the IT department the flexibility to block all traffic from an infected user or just the infected application
  • Recognise and contain ‘zero-hour’ attacks
  • Operate close to the host to limit the spread of malware and minimise system and network damage

Inline LAN security platforms can scan for malware and therefore have the ability to continuously monitor traffic in real-time. Operating inline enables this class of device to respond quickly and directly apply enforcement actions.

Out-of-band appliances cannot perform malware control, as they have no traffic visibility once a user has been admitted onto the LAN.

It is important to evaluate a LAN security appliance for its potential impact on network and IT operations, specifically whether it impacts LAN performance or the IT department's ability to troubleshoot the network.

Out-of-band LAN security appliances generally don’t affect LAN performance.

In contrast, inline devices must have high performance characteristics to keep up with LAN traffic at line speed and perform functions such as deep packet inspection and continuous real-time monitoring and enforcement.

Inline devices that rely on off-the-shelf processors will not be able to sustain gigabit speeds and are likely to negatively impact LAN performance.

In terms of troubleshooting, inline platforms have the advantage of being simpler to manage and troubleshoot than out-of-band devices, because they combine policy decision and enforcement functions in a single box. With out-of-band appliances, the IT department must determine which device, the LAN security appliance or switch, is the source of a problem.

In selecting a LAN security appliance, IT and security personnel need to consider the range of internal and external threats their LAN faces, along with the specific requirements of their organisation. Which appliance is best will depend on a number of factors, including the set of security services desired, the granularity of traffic visibility and control needed and where in the network IT prefers to implement their LAN security.

Organisations that want only admission control will find good options among both out-of-band and inline devices. Businesses that want to implement more post-admission controls should focus on inline devices, since out-of-band appliances are much more limited in these functions.

Regardless of architectural approach, the IT department needs to move quickly to protect against LAN security risks.

Wireless LAN Security Assessments Steps

After deploying a wireless LAN, you need to implement a security assessment, which ensures that the WLAN complies with effective security policies. For most situations, this is necessary whether or not the network implements effective security mechanisms. Don't put too much trust in the design of a system. It's best to run tests to be certain that the network is hardened enough to guard against unauthorized persons attacking company resources.

In fact, companies should conduct regular, periodic security reviews to ensure that changes to the WLAN don't make the system vulnerable to hackers. A review once a year may suffice for low-risk networks, but a review each quarter or more often may be necessary if the network supports high-risk information (e.g., financial data, postal mail routing, manufacturing control functions, etc.).

When performing a wireless LAN security assessment, consider completing the following steps:

  1. Review existing security policies. Before getting too far with the security assessment, become familiar with the company's policies regarding wireless LAN security. This provides a benchmark for determining whether or not the company is complying with its own policies. In addition, you'll be able to make an assessment and corresponding recommendations for policy modifications. Determine whether the policy leaves any room for a hacker (e.g., a disgruntled employee) to access or harm company resources. For example, the policy should describe adequate encryption and authentication mechanisms, keeping in mind that 802.11 WEP is broken. Also, the policy should mandate that all employees coordinate with the company's information systems organization before purchasing or installing access points. It's very important that all access points have configuration settings that comply with the policies and provide the proper level of security. In addition, you need to ensure that methods are in place that disseminate security policies to employees effectively.
  2. Review the system architecture and configurations. Meet with information systems personnel and read through related documentation to gain an understanding of the system's architecture and the configurations of the access points. You'll need this to determine whether there are any design flaws that could allow a hacker inside the system. For example, if static WEP is in use, then a hacker could utilize tools such as AirSnort to break the encryption. In addition, depending on 802.11 authentication alone will only verify the radio NIC and not the user, which could allow an unauthorized person to steal someone's wireless-equipped laptop and access the corporate network.
  3. Review operational support tools and procedures. Some security weaknesses materialize in the way a company supports its WLAN. As a result, learn as much as possible about existing support tools and procedures to spot potential issues. Most companies, for example, configure their access points over the wired Ethernet backbone. With this process, the password sent to open a connection with a particular access point travels in the clear (i.e., unencrypted) over the wired network. As a result, a hacker with monitoring equipment hooked to the Ethernet network can likely capture the password and reconfigure the access point.
  4. Interview users. Be sure to talk with a sample of employees to determine whether they are aware of the security policies, at least to the level of security that they can control. For example, do the users know that they must coordinate the purchase and installation of wireless LAN components with the appropriate organization? Even though the policy states this, don't count on everyone having knowledge of the policy. A new employee, or someone who hasn't seen the policy, may purchase an access point from a local office supply store and install it on the corporate network (without any security settings enabled) to provide wireless connectivity within their office. It's also a good idea to verify that people are using personal firewalls (or that they know they should).
  5. Verify configurations of wireless devices. A portion of the security policy should define appropriate access point configurations that offer an applicable level of security. As part of the assessment, walk through the facilities that have access points and use tools such as AirMagnet or AiroPeek to capture the access point configurations. If the company has centralized support software (such as AirWave or CiscoWorks) in place, then you should be able to view the configuration settings from a single console attached to the wired side of the network. The aim is to determine which security mechanisms are actually in use and whether or not they comply with effective policies. For example, the policies may state that access points must disable the physical console port, but while testing you determine that most access points have the port enabled. Of course this would indicate non-compliance with the policies, and it could enable a hacker to reset the access point to factory default settings with no security enabled. In addition, look at the firmware version of each access point to see if it's up to date. Older firmware versions might not implement the more recent patches that fix encryption vulnerabilities.
  6. Investigate physical installations of access points. As you walk through the facilities, investigate the installation of access points by noting their physical accessibility, antenna type and orientation, and radio wave propagation into portions of the facility that don't have physical security controls. The access points should be mounted in a position that would make it difficult for someone to handle the access point unnoticed. An access point simply placed on top of a bookshelf, for example, would make it easy for a hacker to swap the access point with an open one that doesn't have any security enabled, or to attach a laptop to the console port and reset the access point. If the access points are all mounted above the ceiling tiles and out of plain view, however, someone would need a ladder and would probably be noticed by an employee or security guard.
  7. Identify rogue access points. A problem that's difficult to police, and that significantly undercuts the security of the wireless LAN, is an employee installing a "personal" access point in their office. Most of the time these installations don't comply with security policies and result in an open, non-secure entry port to the corporate network. In fact, a hacker can utilize sniffing tools to alert them when such an opportunity exists. As a result, scan for these unauthorized access points as part of the assessment. Most companies will be surprised to learn how many they find. The most effective method for detecting rogue access points is to walk through the facilities with sniffing tools, such as AirMagnet or AiroPeek. In addition, the company should periodically scan the network for potential rogue access points from the wired side of the network.
  8. Perform penetration tests. In addition to hunting for rogue access points, try going a step further and attempt to access corporate resources using common tools available to hackers. For instance, can you utilize AirSnort to crack WEP? Is it possible to associate with an access point from outside the company's controlled perimeter? Of course, if WEP is turned off, then your job will be easy. If strong encryption and authentication techniques are in use, then you'll likely not find a way in.
  9. Analyze security gaps. The information you gather during the assessment provides a basis for understanding the security posture of a company or organization. After collecting information in the above steps, spend some time thinking about potential gaps in security. This includes issues with policy, network architecture and operational support, and other items that weaken security, such as the presence of unauthorized access points and the ability to penetrate the network. This requires you to think like a hacker and uncover any and all methods that make it easier for someone to penetrate and access (or control) company resources through the wireless LAN.
  10. Recommend improvements. As you spot weaknesses in the security of the wireless LAN, research and describe methods that will counter the issues. Start by recommending improvements to the policies, which dictate what the company requires in terms of security for its wireless LANs. This provides a basis for defining technical and procedural solutions that will strengthen the security of the system to a level that protects the company's interests.
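Steps 5 and 7 both come down to comparing what the walk-through actually hears against what the company believes it has deployed. The following script is an added example for those two steps; it is not the article's code and not an AirMagnet, AiroPeek, AirWave or CiscoWorks feature. It takes survey records from a walk-through (constructed here) and the authorised AP inventory as pulled from a management console, and reports unknown radios advertising the corporate SSID, likely rogue APs, authorised APs running non-compliant encryption or old firmware, and inventory APs that were not heard at all. The record format, the on-premises signal threshold, the encryption and firmware policy, and every SSID and MAC address are assumptions made for the example.

```python
"""Rogue access point and configuration drift detection from a site survey (added example)."""

CORPORATE_SSID = "corp-wlan"
REQUIRED_ENCRYPTION = {"WPA2"}   # assumed policy; the article notes that WEP is broken
MIN_FIRMWARE = "12.1.3"          # assumed minimum approved firmware version
ON_PREMISES_SIGNAL_DBM = -65     # assumed: a signal stronger than this during the
                                 # walk-through suggests the radio is inside the building

# Authorised inventory from the management console (constructed; firmware is the
# version the console reports for each AP, since a radio scan cannot read it).
AUTHORISED = {
    "00:40:96:aa:01:01": {"location": "3/F east", "firmware": "12.2.1"},
    "00:40:96:aa:01:02": {"location": "3/F west", "firmware": "11.0.2"},
    "00:40:96:aa:01:03": {"location": "4/F lobby", "firmware": "12.1.3"},
}

# Survey records, one per BSSID heard on the walk-through (constructed).
SURVEY = [
    {"bssid": "00:40:96:AA:01:01", "ssid": "corp-wlan", "channel": 1, "encryption": "WPA2", "signal": -50},
    {"bssid": "00:40:96:AA:01:02", "ssid": "corp-wlan", "channel": 6, "encryption": "WEP", "signal": -55},
    {"bssid": "00:0c:29:11:22:33", "ssid": "corp-wlan", "channel": 11, "encryption": "open", "signal": -58},
    {"bssid": "00:0f:66:44:55:66", "ssid": "linksys", "channel": 6, "encryption": "open", "signal": -47},
    {"bssid": "00:1a:70:77:88:99", "ssid": "cafe-nextdoor", "channel": 11, "encryption": "WPA2", "signal": -84},
]


def version_tuple(v):
    """'12.1.3' -> (12, 1, 3) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))


def assess_survey(survey, authorised, corporate_ssid=CORPORATE_SSID):
    """Return findings as a list of (bssid, category, detail) tuples."""
    findings = []
    seen = set()
    for ap in survey:
        bssid = ap["bssid"].lower()      # normalise case before matching the inventory
        seen.add(bssid)
        record = authorised.get(bssid)
        if record is None:
            # Unknown radio: classify by what it advertises and how loud it is.
            if ap["ssid"] == corporate_ssid:
                findings.append((bssid, "evil-twin",
                                 "unknown radio advertising the corporate SSID"))
            elif ap["signal"] >= ON_PREMISES_SIGNAL_DBM:
                findings.append((bssid, "rogue-candidate",
                                 f"strong unknown AP '{ap['ssid']}' ({ap['encryption']}) "
                                 f"on channel {ap['channel']}; locate it physically"))
            else:
                findings.append((bssid, "external",
                                 f"weak unknown AP '{ap['ssid']}', probably a neighbour"))
            continue
        # Authorised AP: compare what it is actually running against policy.
        if ap["encryption"] not in REQUIRED_ENCRYPTION:
            findings.append((bssid, "weak-encryption",
                             f"{record['location']} uses {ap['encryption']}"))
        if ap["ssid"] != corporate_ssid:
            findings.append((bssid, "wrong-ssid",
                             f"{record['location']} advertises '{ap['ssid']}'"))
        if version_tuple(record["firmware"]) < version_tuple(MIN_FIRMWARE):
            findings.append((bssid, "outdated-firmware",
                             f"{record['location']} runs {record['firmware']} < {MIN_FIRMWARE}"))
    # Inventory APs never heard: powered off, moved, or swapped for another device.
    for bssid, record in authorised.items():
        if bssid not in seen:
            findings.append((bssid, "not-observed",
                             f"{record['location']} not heard during the walk-through"))
    return findings


if __name__ == "__main__":
    for bssid, category, detail in assess_survey(SURVEY, AUTHORISED):
        print(f"{category:18} {bssid}  {detail}")
```

The "not-observed" category is the one most often skipped in manual reviews, yet it is the signal that an authorised AP may have been physically swapped (step 6) or taken off the air. The signal-strength threshold is only a triage heuristic: a weak unknown AP still deserves a note in the report, and a strong one is a reason to go and find the device, not proof on its own that it is connected to the corporate wire; the wired-side scan the article recommends is what confirms that.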

With these steps in mind, you're on the right track to performing a wireless LAN security assessment.