CERT mailing list archives

ST18-247: Securing Enterprise Wireless Networks


From: "US-CERT" <US-CERT () ncas us-cert gov>
Date: Tue, 04 Sep 2018 10:22:20 -0500

U.S. Department of Homeland Security US-CERT

National Cyber Awareness System:



ST18-247: Securing Enterprise Wireless Networks [ https://www.us-cert.gov/ncas/tips/ST18-247 ] 09/04/2018 10:14 AM EDT 
Original release date: September 04, 2018

In June 2018, the Wi-Fi Alliance began certifying devices that support Wi-Fi Protected Access 3 (WPA3), which replaces 
WPA2. Users should employ the new standards as WPA3 devices become available. 

What is enterprise network security?

Enterprise network security is the protection of a network that connects systems, mainframes, and devices (like 
smartphones and tablets) within an enterprise. Companies, universities, governments, and other entities use enterprise 
networks to help connect their users to information and people. As networks grow in size and complexity, security 
concerns also increase.

What security threats do enterprise wireless networks face?

Unlike wired networks, which have robust security tools (such as firewalls, intrusion prevention systems, content 
filters, and antivirus and anti-malware detection programs), wireless networks (also called Wi-Fi) provide wireless access 
points that can be susceptible to infiltration. Because they may lack the same protections as wired networks, wireless 
networks and devices can fall victim to a variety of attacks designed to gain access to an enterprise network. An 
attacker could gain access to an organization's network through a wireless access point to conduct malicious 
activities, including packet sniffing, creating rogue access points, password theft, and man-in-the-middle attacks. These 
attacks could hinder network connectivity, slow processes, or even crash the organization's system. (See Securing 
Wireless Networks [ https://www.us-cert.gov/ncas/tips/ST05-003 ] for more information on threats to wireless networks.)

How can you minimize the risks to enterprise Wi-Fi networks?

Network security protocols have advanced to offset the constant evolution of attacks. Wi-Fi Protected Access 2 (WPA2) 
incorporates Advanced Encryption Standard (AES) and is the standard employed today to secure wireless enterprises. In 
June 2018, the Wi-Fi Alliance began certifying devices that support Wi-Fi Protected Access 3 (WPA3), which replaces 
WPA2. Users should employ the new standards as WPA3 devices become available. IT security professionals and network 
administrators should also consider these additional best practices to help safeguard their enterprise Wi-Fi networks:


  * Deploy a wireless intrusion detection system (WIDS) and a wireless intrusion prevention system (WIPS) on every 
network. 
  * Ensure existing equipment is free from known vulnerabilities by updating all software in accordance with developer 
service pack issuance. 
  * Use existing equipment that can be securely configured. 
  * Ensure all equipment meets Federal Information Processing Standards (FIPS) 140-2 [ 
https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf ] compliance for encryption. 
  * Ensure compliance with the most current National Institute of Standards and Technology (NIST) guidance. (See 
Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i [ 
https://www.nist.gov/publications/establishing-wireless-robust-security-networks-guide-ieee-80211i ].) 
  * Establish multifactor authentication for access to your network. If this is not possible, consider other secure 
authentication means beyond a single shared password, such as Active Directory service authentication or an alternative 
method (e.g., tokens) to create multifactor authentication into your network. 
  * Use Extensible Authentication Protocol-Transport Layer Security certificate-based methods (or better) to secure the 
entire authentication transaction and communication. 
  * Use Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP), a form of AES encryption used by 
Wireless Application Protocol 2 (WAP) enterprise networks, sparingly. If possible, use more complex encryption 
technologies that conform to FIPS 140-2 as they are developed and approved. 
  * Implement a guest Wi-Fi network that is separate from the main network. Employ routers with multiple Service Set 
Identifiers (SSIDs) or engage other wireless isolation features to ensure that organizational information is not 
accessible to guest network traffic. 

What else can you do to secure your network?

Employing active WIDS/WIPS enables network administrators to create and enforce wireless security by monitoring, 
detecting, and mitigating potential risks. Both WIDS and WIPS will detect and automatically disconnect unauthorized 
devices. WIDS provides the ability to automatically monitor and detect the presence of any unauthorized, rogue access 
points, while WIPS deploys countermeasures to identified threats. Some common threats mitigated by WIPS are rogue 
access points, misconfigured access points, client misassociation, unauthorized association, man-in-the-middle attacks, 
ad-hoc networks, Media Access Control spoofing, honeypot/evil twin attacks, and denial-of-service attacks.

The following list includes best practices to secure WIDS/WIPS sensor networks. Administrators should tailor these 
practices based on local considerations and applicable compliance requirements. For more in-depth guidance, see A Guide 
to Securing Networks for Wi-Fi (IEEE 802.11 Family) [ 
https://www.us-cert.gov/sites/default/files/publications/A_Guide_to_Securing_Networks_for_Wi-Fi.pdf ].


  * Use a rogue detection process capability. This capability should detect Wi-Fi access via a rogue client or WAP, 
regardless of the authentication or encryption techniques used by the offending device (e.g., network address 
translation, encrypted, soft WAPs). 
  * Set the WIDS/WIPS sensors to 
      * detect 802.11a/b/g/n/ac devices connected to the wired or wireless network, and 
      * detect and block multiple WAPs from a single sensor device over multiple wireless channels. 

  * Enforce a no Wi-Fi policy per subnet and across multiple subnets. 
  * Provide minimal secure communications between sensor and server, and identify a specific minimum allowable Kbps. The 
system shall provide automatic classification of clients and WAPs based upon enterprise policy and governance. 
  * Provide automated (event-triggered) and scheduled reporting that is customizable. 
  * Segment reporting and administration based on enterprise requirements. 
  * Produce event logs and live packet captures over the air and display these directly on analyst workstations. 
  * Import site drawings for site planning and location tracking requirements. 
  * Manually create simple building layouts with auto-scale capability within the application. 
  * Place sensors and WAPs electronically on building maps to maintain accurate records of sensor placement and future 
locations. 
  * Have at least four different levels of permissions allowing WIPS administrators to delegate specific view and 
administrator privileges to other administrators. 
  * Meet all applicable standards and, if Federal Government, comply with the Federal Acquisition Regulation. 
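The rogue-detection and policy-based classification capability described above (unknown radios, evil twins advertising a corporate SSID, misconfigured authorized access points) can be sketched as a small classifier over scan results. This is an added example, not code from US-CERT or any WIDS/WIPS product; the inventory, policy, BSSIDs and scan records are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed authorized inventory (hypothetical values): BSSID -> SSID it may advertise.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "CorpNet",
    "00:11:22:33:44:02": "CorpNet",
    "00:11:22:33:44:03": "CorpGuest",
}
CORPORATE_SSIDS = set(AUTHORIZED_APS.values())

# Hypothetical enterprise policy: CorpNet must use 802.1X (EAP) with CCMP/GCMP;
# the guest SSID may use PSK or SAE, but TKIP, WEP and open networks are never allowed.
SSID_POLICY = {
    "CorpNet": {"akm": {"802.1X"}, "ciphers": {"CCMP", "GCMP"}},
    "CorpGuest": {"akm": {"PSK", "SAE"}, "ciphers": {"CCMP", "GCMP"}},
}
# WIPS response per verdict: contain confirmed threats, alert on policy drift, log neighbours.
ACTIONS = {"evil_twin": "contain", "rogue": "contain",
           "misconfigured": "alert", "external": "log", "authorized": "none"}

@dataclass(frozen=True)
class ObservedAP:
    bssid: str
    ssid: str
    akm: str            # "802.1X", "PSK", "SAE" or "OPEN"
    cipher: str         # "CCMP", "GCMP", "TKIP", "WEP" or "NONE"
    on_wired_lan: bool  # sensor also saw this MAC on the enterprise wired segment

def classify(ap: ObservedAP) -> str:
    expected_ssid = AUTHORIZED_APS.get(ap.bssid.lower())
    if expected_ssid is None:
        if ap.ssid in CORPORATE_SSIDS:
            return "evil_twin"      # our SSID advertised by a radio we do not own
        if ap.on_wired_lan:
            return "rogue"          # unknown AP bridged into the wired network
        return "external"           # neighbouring network: record it, take no action
    if ap.ssid != expected_ssid:
        return "misconfigured"      # our radio advertising the wrong SSID
    policy = SSID_POLICY[ap.ssid]
    if ap.akm not in policy["akm"] or ap.cipher not in policy["ciphers"]:
        return "misconfigured"      # our radio running weaker security than policy requires
    return "authorized"

def triage(scan: list) -> list:
    """Return (bssid, verdict, action) for each observed AP, containment cases first."""
    rows = [(ap.bssid, classify(ap), ACTIONS[classify(ap)]) for ap in scan]
    return sorted(rows, key=lambda r: r[2] != "contain")

SAMPLE_SCAN = [  # constructed scan records
    ObservedAP("00:11:22:33:44:01", "CorpNet", "802.1X", "CCMP", True),
    ObservedAP("aa:bb:cc:dd:ee:ff", "CorpNet", "PSK", "CCMP", False),
    ObservedAP("00:11:22:33:44:02", "CorpNet", "PSK", "TKIP", True),
    ObservedAP("aa:bb:cc:dd:ee:02", "CoffeeShop", "OPEN", "NONE", False),
]
```

Only the evil-twin and wired-rogue verdicts map to automatic containment; a misconfigured authorized radio is alerted on rather than disconnected, since taking it offline would affect legitimate users.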
________________________________________________________________________

Author: NCCIC

This product is provided subject to this Notification [ http://www.us-cert.gov/privacy/notification ] and this Privacy 
& Use [ http://www.us-cert.gov/privacy/ ] policy.
