Layered Approach to WLAN Security

This article is an excerpt of the "Wireless LAN Technologies for Security & Management" white paper.

While a wireless LAN can be installed by simply plugging an access point into an Ethernet port, an enterprise wireless LAN deployment requires a more thought-out plan that incorporates advanced security and management technologies.

The attention on the pitfalls of wireless LANs, such as the deficiencies of WEP or 802.1x, has inspired some enterprises to ban wireless LANs altogether. However, security-conscious enterprises are fortifying their wireless LANs with a layered approach to security that mirrors the security of wired networks. This layered approach to security addresses all network components by locking down the wireless LAN's perimeter, controlling access to the wireless LAN, protecting the data, and monitoring network traffic.

A multi-layered approach will provide the most comprehensive defense against malicious as well as unintentional attackers.

— META Group, June 2002


Perimeter Control
Enterprise wireless LAN security begins with perimeter control, which is analogous to placing a firewall in front of the wired network. Perimeter control for the wireless LAN means deploying enterprise-class access points that offer advanced security and management capabilities. The wireless LAN should be segregated from the enterprise wired network on its own VLAN so that wireless-specific management and security policies can be applied without affecting the wired network.

All access points should be completely locked down and reconfigured from their default settings. The default SSIDs and administrative passwords of the access points should be changed. Some organizations also assign a fixed operating channel to each AP so that any off-channel traffic can be flagged as suspicious activity.

Access Control
The next layer of wireless LAN security controls which stations can access the wireless LAN. Most access points offer simple MAC address filtering, which maintains a list of approved stations' MAC addresses. While not foolproof, MAC address filtering provides basic control over which stations can connect to the network.

Organizations that rely solely on MAC address filtering for access control remain vulnerable to simple identity theft: even a novice attacker can spoof the MAC address of an authorized station and gain access to the network. Larger enterprises with more complex wireless LANs, hundreds of stations and dozens of access points may require more sophisticated access control from Remote Authentication Dial-In User Service (RADIUS) servers.

Data Protection
Encryption and authentication form the core of wireless LAN security. However, foolproof encryption and authentication standards have yet to be implemented.

Wired Equivalent Privacy (WEP), the standard encryption for wireless LANs, can be broken. Because WEP's weaknesses extend to authentication, the wireless LAN standards group introduced 802.1X as strengthened authentication for all 802.11 networks. However, 802.1X has also been shown to be vulnerable. (See "An Initial Security Analysis of the IEEE 802.1X Standard", a paper by University of Maryland professor William Arbaugh.)

By year-end 2002, 30 percent of enterprises will suffer serious security exposures from deploying WLANs without implementing the proper security.

— Gartner Group, August 2001

Because these encryption and authentication standards are vulnerable, stronger encryption and authentication methods should be deployed to secure a wireless LAN more completely. Organizations that already operate virtual private networks can deploy VPN add-ons to protect the data of the wireless LAN.

For organizations that want to avoid the burden of distributing and maintaining the client software a VPN requires, stronger encryption and authentication are available from vendors such as Cisco, which offers Lightweight Extensible Authentication Protocol (LEAP) and Protected Extensible Authentication Protocol (PEAP). Wi-Fi Protected Access (WPA) is expected to replace WEP as the accepted encryption standard in the second half of 2003. Enterprises that seek to avoid the security flaws of WEP should deploy WPA, LEAP, or PEAP and establish a policy that all WLAN traffic must use the selected encryption and authentication.

Data Protection Technologies

WEP
Wired Equivalent Privacy - The original security standard for wireless LANs. Flaws were quickly discovered; freeware such as WEPCrack can break the encryption after capturing traffic and recognizing patterns in the encryption. (Adopted industry standard)

802.1X
Port-based authentication for wireless LANs. A University of Maryland professor published vulnerabilities in early 2002. (Adopted industry standard)

LEAP
Lightweight Extensible Authentication Protocol - Based on the 802.1X authentication framework, LEAP mitigates several of its weaknesses by using dynamic WEP keys and more sophisticated key management. LEAP also incorporates MAC address authentication. (Developed by Cisco)

PEAP
Protected Extensible Authentication Protocol - Securely transports authentication data, including passwords, through an encrypted tunnel between PEAP clients and an authentication server. PEAP makes it possible to authenticate wireless LAN clients without requiring them to have certificates, simplifying the architecture of secure wireless LANs. (Developed by Cisco, Microsoft, and RSA Security)

WPA
Wi-Fi Protected Access - A subset of the forthcoming 802.11i security standard, designed to replace WEP. WPA uses the Temporal Key Integrity Protocol (TKIP), which generates new keys for every 10K of data transmitted over the network, making the encryption more difficult to break. (Industry standard to be adopted in 2003)

Network Monitoring
The final layer of wireless LAN security requires monitoring of the network to identify rogue WLANs, detect intruders and impending threats, and enforce WLAN security policies.

Network monitoring must scale to fit the specific needs of an enterprise. Some piecemeal solutions work for smaller organizations but do not scale for large enterprises with dozens or hundreds of locations around the country. Large enterprises require a cost-effective solution that can be centrally managed and does not overtax personnel resources.

Wired-Side Intrusion Detection - A wired-side intrusion detection system (IDS) has no ability to detect rogue wireless LANs, but it can be useful in a limited capacity. Intruders entering the network through a rogue wireless LAN appear largely as authorized users, but a wired-side IDS may alert IT security managers when the intruder probes wired-side security measures.

Wired-Side Scanners - Wired-side scanners monitor the traffic once it reaches the wired network and can identify some rogue devices on the network but cannot detect Soft APs, ad hoc networks, accidental associations to neighboring WLANs, or access points with cloned MAC addresses.

Wired-side scanning can be centrally managed for a large enterprise but does not work well across subnets unless the network is configured to allow polling requests to cross the routers between them. This may require reconfiguring various routers, adding effort and introducing additional security risk. For this reason, wired-side scanning does not scale to the needs of larger enterprises.

Wireless Sniffers & Scanners - Wireless sniffers and scanners differ greatly from wired-side tools because they capture and analyze wireless LAN packets from the air. By monitoring the airwaves for all wireless LAN activity, wireless sniffers and scanners detect most access points and active wireless stations within range. They can also provide detailed information about the configuration and security employed by each device.

Both sniffers and scanners are limited by their need for a network administrator to physically walk the area with a laptop or hand-held device running the sniffer or scanner application. A September 2002 research brief from META Group questioned the viability of wireless sniffers and scanners for enterprise security.

Current radio frequency scanning tools such as Sniffer Wireless and AirMagnet are limited in their ability to perform scalable and repeatable audits.

— META Group, September 2002


While this process requires the physical presence and valuable time of a network manager, its effectiveness is limited because it only samples the airwaves for threats. New rogue access points and other vulnerabilities can arise after a scan and will not be detected until the next time a network administrator surveys the network.

This approach is particularly unreasonable for enterprises operating dozens of offices around the country or retailers with hundreds of stores. Even if these organizations could feasibly devote a network administrator's full attention to survey each site on a monthly basis, rogue access points and other vulnerabilities can pop up the minute the survey is completed.

24x7 WLAN Monitoring - Wireless LAN security experts advocate 24x7 monitoring of the airwaves to secure wireless LANs by identifying rogue WLANs, detecting intruders and impending threats, and enforcing WLAN security policies.

To truly secure wireless LANs, enterprises must monitor their airwaves to detect intruders and threats that can come from unscrupulous hackers and well-meaning employees. Monitoring the airwaves of a wireless LAN is an essential element of security that should also include advanced encryption and authentication.

— Gartner, November 2002

Real-time, 24x7 monitoring of wireless LANs can only be provided with a distributed system of remote sensors that passively monitor all WLAN activity and report back to a central appliance that analyzes the traffic for threats, attacks, and policy violations. This approach scales to support wireless LANs in a single office or hundreds of access points in dozens of locations around the world.
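The checks described above under Perimeter Control (changed default SSIDs, a fixed channel per AP), Data Protection (a policy that all WLAN traffic use the selected encryption) and Network Monitoring (rogue access points, cloned MAC addresses), written out as a single audit over captured beacon frames. This is an added example, not code from the white paper or from any AirDefense product; the authorized-AP inventory, the default-SSID list and the sample beacons are constructed, and the security field stands in for whatever the sensor decodes from the beacon's capability bits.

```python
from collections import namedtuple

Beacon = namedtuple("Beacon", "bssid ssid channel security")  # one observed 802.11 beacon

# Constructed inventory of authorized APs: BSSID -> (SSID, assigned channel).
AUTHORIZED_APS = {
    "00:0b:85:aa:00:01": ("corp-wlan", 1),
    "00:0b:85:aa:00:02": ("corp-wlan", 6),
    "00:0b:85:aa:00:03": ("corp-wlan", 11),
}
# Factory-default SSIDs a locked-down AP must not still advertise (constructed list).
DEFAULT_SSIDS = {"linksys", "default", "tsunami", "wireless"}
REQUIRED_SECURITY = "WPA"  # the encryption the Data Protection policy mandates

def audit_beacons(beacons):
    """Return sorted (bssid, finding) pairs for every policy violation in the capture."""
    findings = set()
    seen = {}  # bssid -> set of (ssid, channel) combinations observed
    for b in beacons:
        seen.setdefault(b.bssid, set()).add((b.ssid, b.channel))
        auth = AUTHORIZED_APS.get(b.bssid)
        if auth is None:
            findings.add((b.bssid, "rogue AP: BSSID not in authorized inventory"))
        else:
            ssid, channel = auth
            if b.channel != channel:
                findings.add((b.bssid, f"off-channel: seen on {b.channel}, assigned {channel}"))
            if b.ssid != ssid:
                findings.add((b.bssid, f"SSID mismatch: advertising {b.ssid!r}"))
        if b.ssid.lower() in DEFAULT_SSIDS:
            findings.add((b.bssid, f"default SSID {b.ssid!r} still configured"))
        if b.security != REQUIRED_SECURITY:
            findings.add((b.bssid, f"policy violation: {b.security} instead of {REQUIRED_SECURITY}"))
    # One BSSID advertising several SSID/channel combinations suggests a cloned MAC address.
    for bssid, combos in seen.items():
        if len(combos) > 1:
            findings.add((bssid, "possible cloned MAC: multiple SSID/channel combinations"))
    return sorted(findings)

# Constructed capture: three authorized APs, one rogue with factory defaults, one clone.
SAMPLE_BEACONS = [
    Beacon("00:0b:85:aa:00:01", "corp-wlan", 1, "WPA"),
    Beacon("00:0b:85:aa:00:02", "corp-wlan", 6, "WEP"),     # authorized, but still on WEP
    Beacon("00:0b:85:aa:00:03", "corp-wlan", 3, "WPA"),     # drifted off its assigned channel
    Beacon("00:0c:41:bb:00:09", "linksys", 6, "open"),      # rogue AP with default SSID
    Beacon("00:0b:85:aa:00:01", "free-wifi", 11, "open"),   # clone of AP 1's BSSID
]

if __name__ == "__main__":
    for bssid, finding in audit_beacons(SAMPLE_BEACONS):
        print(bssid, finding)
```

Running the audit on the sample capture yields nine findings; the authorized AP on channel 1 is reported only because a second beacon reuses its BSSID.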

Copyright 2001-2003 AirDefense, Inc. All Rights Reserved.