Information Security News mailing list archives

Tips on locking down your WLAN


From: InfoSec News <isn () c4i org>
Date: Tue, 2 Dec 2003 02:54:10 -0600 (CST)

http://www.computerworld.com/securitytopics/security/story/0,10801,87705,00.html

Story by John Cox
DECEMBER 01, 2003 
NETWORK WORLD 

In August, engineers with AirDefense Inc., a wireless LAN security
software vendor, made war drives in Atlanta, Chicago and San
Francisco, using scanners to find WLAN access points around downtown
office buildings.

The drivers discovered more than 1,100 access points. Of these, 57%
weren't using any form of data encryption, although most of the actual
data traffic in Chicago and San Francisco was encrypted by other
means, such as a VPN. Three-quarters of the access points were
broadcasting their Service Set Identifier (SSID), which is like hiding
in a game of hide-and-seek while carrying a boom box blaring heavy
metal.

A WLAN straight out of the packing boxes is inherently insecure. But the
final WLAN security system you create will hinge on what data you want
to protect, how valuable it is and the level of risk to that data.
Good WLAN security is expensive: in time, training, maintenance and
oversight, and in hardware and software costs.

The following recommendations assume an enterprise WLAN of 150 to 500
access points, up to several hundred users and a relatively high
requirement for protection.


1. Control the wireless clients.

Standardize the WLAN network interface cards (NIC), block user access
to them, and register their media access control (MAC) addresses.

Create and enforce procedures and policies for promptly updating
clients with software patches and security updates, and for blocking
clients running out-of-date software.

Consider disabling NICs' ad hoc or peer-to-peer mode, which lets
clients connect to each other without an access point. Attackers can
use this feature to lure or force clients to associate with a rogue
WLAN.


2. Treat the WLAN as you do the Internet - as untrusted.

Put a firewall between the WLAN and the wired network. This barrier
blocks unauthenticated WLAN users from sending Layer 2 packets on to
the wired network, for example, as part of an Address Resolution
Protocol (ARP) attack. A successful ARP assault lets the attacker
route traffic between two computers on your network through his own
computer.


3. Protect the access points.

Conceal access points behind ceiling panels or in closets, and secure
them to prevent tampering. At one university, someone pulled out the
PC cards from more than 100 access points and tried to sell them on
eBay.

Hide access points from attackers by changing the factory default
settings for the SSID or IP address information, creating difficult
passwords, and turning off SSID broadcasting.

Turn on Access Control Lists for use with client MAC addresses.

Select access points that use flash memory, to simplify future
upgrades of security patches and of still-developing security
standards.

Consider buying access points that let you create virtual LANs (VLAN).  
VLANs let you group users and give the groups access to different
network resources. VLANs also let you separate management traffic from
user traffic.
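The client registration in step 1 and the MAC-address ACL in step 3 both rest on one thing: a registry of issued NICs whose entries are written consistently enough that a lookup actually matches. The Python below is an added example, not code from the article or from any vendor it names. It normalizes the three common MAC notations, builds the ACL list to load into the access points, and audits a few constructed association log lines (the `ap-hq-…` names and the syslog-like format are made up) for clients that were never registered.

```python
import re

# Constructed registry of standardized, issued WLAN NICs (MAC -> asset tag).
# Entry formats vary on purpose: hand-maintained lists always mix notations.
REGISTERED_NICS = {
    "00:0C:41:1A:2B:3C": "LAPTOP-0112",
    "00-0c-41-1a-2b-3d": "LAPTOP-0113",
    "000c.411a.2b3e": "LAPTOP-0114",
}

# Constructed association log lines in a made-up access-point syslog format.
SAMPLE_LOG = """\
Dec  1 09:12:04 ap-hq-3f-01 wlan: STA 00:0c:41:1a:2b:3c associated to SSID corp-wlan
Dec  1 09:12:31 ap-hq-3f-01 wlan: STA 00:0C:41:1A:2B:3D associated to SSID corp-wlan
Dec  1 09:13:07 ap-hq-4f-02 wlan: STA 00:11:22:33:44:55 associated to SSID corp-wlan
Dec  1 09:13:40 ap-hq-4f-02 wlan: STA 00:0c:41:1a:2b:3e associated to SSID corp-wlan
Dec  1 09:14:02 ap-hq-3f-01 wlan: STA 000c.411a.2b3e associated to SSID corp-wlan
"""

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<ap>\S+) wlan: "
    r"STA (?P<mac>\S+) associated to SSID (?P<ssid>\S+)$"
)


def normalize_mac(raw):
    """Accept colon, hyphen or Cisco dotted notation; return lowercase aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[:\-.]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_registry(raw_registry):
    """Normalize every key so lookups do not depend on how the entry was typed."""
    registry = {}
    for mac, asset in raw_registry.items():
        norm = normalize_mac(mac)
        if norm in registry:
            raise ValueError(f"duplicate registration for {norm}")
        registry[norm] = asset
    return registry


def acl_entries(registry):
    """Sorted, canonical list to load into the access points' MAC ACL."""
    return sorted(registry)


def parse_associations(log_text):
    """Extract association events; lines that are not associations are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({**m.groupdict(), "mac": normalize_mac(m.group("mac"))})
    return events


def audit_associations(log_text, registry):
    """Report which associations came from NICs that are not in the registry."""
    unregistered = []
    registered_count = 0
    for ev in parse_associations(log_text):
        if ev["mac"] in registry:
            registered_count += 1
        else:
            unregistered.append((ev["mac"], ev["ap"], ev["ts"]))
    return {"registered_count": registered_count, "unregistered": unregistered}


if __name__ == "__main__":
    reg = build_registry(REGISTERED_NICS)
    print("ACL:", acl_entries(reg))
    report = audit_associations(SAMPLE_LOG, reg)
    for mac, ap, ts in report["unregistered"]:
        print(f"{ts} unregistered client {mac} on {ap}")
```

Treat the MAC ACL as inventory hygiene rather than authentication: a hardware address is not a secret, which is why the article goes on to put real authentication in the VPN and 802.1x steps. The audit above is most useful as a daily report of associations that the ACL should have refused, since a gap between the two usually means an access point was never loaded with the current list.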


4. Prevent radio waves from "leaking" out of your site.

You can "shape" radio waves by replacing the standard omni-directional
antenna with a directional antenna, especially on the edges of your
site.

Another technique is to adjust the power levels of the radios. Using
less power means the signal doesn't reach as far.


5. Update NICs and access points with WPA, but don't rely solely on
it.

Wi-Fi Protected Access (WPA), an early release of the upcoming IEEE
802.11i standard, fixes a number of problems in the original 802.11
encryption scheme called Wired Equivalent Privacy (WEP).

Among other things, WPA supports 802.1x, which was originally created
as an IEEE standard for port-based authentication on wired networks.

But WPA still uses what's called a stream cipher to encrypt wireless
traffic, instead of the stronger block ciphers used by Triple-DES and,
especially, the Advanced Encryption Standard (AES). AES will be part
of the 802.11i standard and likely will require new WLAN hardware
revamped to handle the additional processing load.

Make sure the cipher scheme that you choose encrypts the packet's
payload.


6. Use a VPN.

VPNs, with IP Security (IPSec) or Secure Sockets Layer (SSL)
encryption, are still widely seen as the best protection, although
there is an array of limitations: handling only IP traffic and not
AppleTalk or IPX or other protocols, installing code on client devices
(for IPSec VPNs), forcing users to reauthenticate when moving between
access points, bandwidth-intensive operation, administrative overhead,
and greater complexity as the size of the WLAN grows.

But VPNs are well understood and are often already part of the
enterprise for remote access. They create secure, end-to-end
encryption, authentication (often via RADIUS servers) and access
control.


7. Complement the VPN with a third-party wireless security controller.

On the market for about two years, security gateways solve some of the
problems of using VPNs for WLANs. Many incorporate firewalls and VPN
termination, support roaming among access points and across subnet
boundaries, and centralize security administration.

Controllers can run an array of encryption and authentication schemes,
and vendors are adding in the emerging standards such as 802.1x and
one or more of the Extensible Authentication Protocol (EAP) methods
that 802.1x can support.

A range of these security features are also found in WLAN "switches,"  
devices that combine a centralized box - which applies to WLAN traffic
the management, control and provisioning features found in wire-line
switches - with companion, highly simplified wireless access points.


8. Plan for 802.1x authentication.

VPNs for WLANs will be supplanted by the gradual implementation of
802.1x authentication and the other elements in the IEEE 802.11i
standard, such as better encryption, and management and distribution
of encryption keys.

But some early adopters of 802.1x are running into problems:  
overloading the processing power of the access points, complicated
troubleshooting, and lack of 802.1x support in various client
operating systems and NICs. Their experiences suggest that 802.1x
implementations will be gradual as vendors work out the kinks.

Within 802.1x, you have several EAP methods from which to choose. For
all-Cisco or all-Microsoft shops, it makes sense to go with Protected
EAP (PEAP), jointly authored by Cisco Systems, Microsoft Corp. and RSA
Security.

Methods such as Microsoft's EAP-Transport Layer Security require
digital certificates on clients and servers, and the complexity of the
attendant public-key infrastructure. Others, such as EAP-Tunneled
Transport Layer Security, are designed not to require client
certificates, so users can trigger the authentication process with the
same username/password they use to access the wired LAN.

Stick with a method that supports mutual, or two-way, authentication,
to prevent man-in-the-middle attacks.


9. Monitor the network.

A growing number of analyzers and monitors let you examine WLAN radio
traffic, discover unauthorized access points, block or disconnect
clients as needed, and detect intruders. Some products are Ethernet
sniffers adapted to handle WLAN packets, others are specifically
designed for WLANs. Vendors include AirDefense, AirMagnet Inc.,
Finisar, Network Associates Inc., WildPackets Inc. and YellowJacket.
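What such a monitor does at its core is compare what is on the air against an inventory of what should be there. The Python below is an added example, not code from the article or from any of the vendors listed; it runs over a handful of constructed beacon records (the BSSIDs, SSIDs and signal levels are made up) against a hypothetical list of sanctioned access points. It flags unknown access points, the corporate SSID being advertised by hardware that is not in the inventory, sanctioned access points that have lost their encryption setting or moved channel, unknown access points still on a factory-default SSID (step 3), and sanctioned access points that have gone silent, which is how the university in step 3 would have noticed its missing PC cards.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    """One observed beacon frame, reduced to the fields the audit needs."""
    bssid: str
    ssid: str
    channel: int
    encrypted: bool  # privacy bit set in the beacon's capability field
    rssi: int        # received signal strength in dBm


# Hypothetical inventory of sanctioned access points: BSSID -> (SSID, channel).
AUTHORIZED_APS = {
    "00:0c:41:aa:00:01": ("corp-wlan", 1),
    "00:0c:41:aa:00:02": ("corp-wlan", 6),
    "00:0c:41:aa:00:03": ("corp-wlan", 11),
}

# Short illustrative list of factory-default SSIDs; extend it from your vendors' documentation.
DEFAULT_SSIDS = {"default", "linksys", "tsunami"}

# Constructed scan results, as a monitoring sensor might report them.
SCAN = [
    Beacon("00:0c:41:aa:00:01", "corp-wlan", 1, True, -48),
    Beacon("00:0c:41:aa:00:02", "corp-wlan", 6, True, -55),
    Beacon("00:0C:41:AA:00:03", "corp-wlan", 11, False, -60),  # sanctioned AP, encryption off
    Beacon("00:90:4c:12:34:56", "linksys", 6, False, -71),     # unknown AP still on a default SSID
    Beacon("00:13:10:77:88:99", "corp-wlan", 1, True, -40),    # corporate SSID from an unknown BSSID
    Beacon("00:0c:41:aa:00:02", "corp-wlan", 11, True, -58),   # known BSSID, unexpected channel
]


def classify(beacon, authorized):
    """Return the finding category for one beacon checked against the inventory."""
    bssid = beacon.bssid.lower()
    if bssid in authorized:
        expected_ssid, expected_channel = authorized[bssid]
        if not beacon.encrypted:
            return "unencrypted_authorized_ap"
        if beacon.ssid != expected_ssid:
            return "ssid_mismatch"
        if beacon.channel != expected_channel:
            return "channel_mismatch"
        return "ok"
    sanctioned_ssids = {ssid for ssid, _ in authorized.values()}
    if beacon.ssid in sanctioned_ssids:
        return "ssid_impersonation"  # our SSID advertised by hardware we do not own
    return "unknown_ap"


def audit_scan(scan, authorized):
    """Classify every beacon and note whether it carries a factory-default SSID."""
    findings = []
    for b in scan:
        findings.append({
            "bssid": b.bssid.lower(),
            "ssid": b.ssid,
            "channel": b.channel,
            "rssi": b.rssi,
            "category": classify(b, authorized),
            "default_ssid": b.ssid.lower() in DEFAULT_SSIDS,
        })
    return findings


def missing_aps(scan, authorized):
    """Sanctioned BSSIDs absent from the scan: unplugged, failed or physically removed."""
    seen = {b.bssid.lower() for b in scan}
    return sorted(bssid for bssid in authorized if bssid not in seen)


def summarize(findings):
    """Count findings per category for a one-line daily report."""
    return dict(Counter(f["category"] for f in findings))


if __name__ == "__main__":
    results = audit_scan(SCAN, AUTHORIZED_APS)
    for f in results:
        if f["category"] != "ok":
            print(f"{f['category']:26} {f['bssid']} ssid={f['ssid']!r} "
                  f"ch={f['channel']} rssi={f['rssi']} default_ssid={f['default_ssid']}")
    print("summary:", summarize(results))
    print("missing:", missing_aps(SCAN, AUTHORIZED_APS))
```

The inventory lookup is keyed on BSSID rather than SSID because the SSID is exactly the field an impostor copies; a corporate SSID seen from a BSSID you do not own is the case the `ssid_impersonation` category exists for. Signal strength is carried through so that a strong impostor near a sensor can be located by walking towards it, and `missing_aps` belongs in the same report because a sanctioned access point that stops beaconing is as worth a visit as an unsanctioned one that starts.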



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

