From rogue APs to ad hoc networks, wireless
LAN policy violations can create a wide-open entry point to the
enterprise network. While policies are the first step to securing
wireless LANs, many enterprise WLAN policies quickly become just
another ignored, dust-collecting document.
Insights into the latest wireless
LAN security issues
The Top 10 Wireless
LAN Policy Violations
like to learn more about wireless LAN policies, register for the
LAN Policies webcast
with META Group Analyst Chris Kozup - June 3 at 2 p.m.
With a broad base of customers that includes more than 50 Blue Chip
companies and large government agencies, AirDefense collected data
to compile the 10 most common wireless LAN policy violations.
1. Unsanctioned or Rogue Access Points
- Unauthorized access points represent one of the biggest threats
to IT security today. While rogue access points have made headlines
in recent months, a research brief from META Group highlighted the
risks and need for enforcing a no-rogue policy:
points are rarely installed with even basic security enabled
(e.g., Wired Equivalent Privacy). Furthermore, even if WEP is
enabled, those with malicious intent may still gain access to
the corporate network using tools such as AirSnort and NetStumbler.
Regardless of the choice to deploy or ban wireless LANs, enterprises
must develop procedures to detect and decommission access points
while reproaching those responsible for breaking policy. Many
META Group clients have discovered substantial numbers of rogue
access points, and some clients are so serious about stopping
this occurrence that the offence is punishable by termination.
- Chris Kozup, META Group
2. Wireless Laptops - Like it or not, unsanctioned wireless
devices are making their way into enterprises from users who are
quick to adopt the increasingly ubiquitous technology. With a
$300 million marketing initiative, Intel's new Centrino wireless
chip is progressing to a point where all new laptops will be WLAN
ready and will require security.
Even without a WLAN infrastructure of access points, unsanctioned
WLAN-enabled laptops introduce new headaches for IT security and
network managers. The unauthorized WLAN stations must be configured
properly to secure the user from connecting to unknown WLANs and
malicious WLAN stations, which can potentially access all local
files. While connected to the enterprise wired network, an attacked
WLAN-enabled station can be an onramp to the greater network.
Enterprises that previously banned wireless LANs for
security reasons are now being forced to reevaluate that policy
after executives begin using new WLAN-ready tablet computers.
3. Ad Hoc Networks - Similar
to rogue access points, ad hoc wireless networks represent another
major concern for wireless LAN security because they can put a
network at risk without security managers ever seeing the vulnerability.
Wireless LAN cards enable peer-to-peer networking between laptops
without an access point. These
ad hoc networks can allow an authorized user to transfer private
corporate documents and intellectual property to unauthorized
users without going over the corporate network. While wireless
LAN cards operate in ad hoc mode, the user must be able to trust
all stations within range because ad hoc networks offer little
authentication management and security. Malicious stations can
connect directly to authorized users and thus gain access to the
4. Access Points Advertising Slow & Unsafe Data Rates
- If properly deployed, enterprise 802.11b wireless LANs should
serve their user stations with a connection rate of 5.5 Mbps or
11 Mbps. The access points then are configured to only allow for
these desired data rates. However, an access point that allows
users to connect at the slower 1 Mbps and 2 Mbps speeds indicates
degraded network performance or potential suspicious activity.
A 1 Mbps connection on a properly deployed network indicates potential
suspicious activity from someone in the parking lot or down the
street with an antenna.
5. Access Points Configured for Both VPN & Open Authentication
- While security-conscious enterprises secure their wireless LANs
by authenticating all users through a VPN gateway, many enterprises
inadvertently configure access points to allow for both open authentication
and the VPN. While authorized users are authenticated through
the VPN, the open authentication allows any wireless station to
connect with the network by going around the VPN's steel door.
6. Accidental Associations with Neighboring
Access Points - Because RF signals of a wireless LAN
cannot be contained in most office environments, many enterprises
experience accidental connections between their wireless users
and neighboring wireless LANs. A station connecting to a neighboring
wireless LAN can divulge passwords or sensitive documents to anyone
on the neighboring network. Accidental associations can even link
the two companies' networks together through this end user station
as it bypasses all internal security and controls.
7. Nonstandard WLAN Access Cards
- Enterprise wireless LAN deployments are typically based on WLAN
hardware from approved vendors that support network security and
management configurations. Similar to unsanctioned stations and
access points, employees bring in consumer-grade wireless cards
that are not up to enterprise standards.
8. Default SSIDs or Too Much Detail in
SSID - Service Set Identifiers act as the public names
of a wireless LAN, so enterprises should be careful not to advertise
too much information in their networks' SSIDs. (SSIDs are openly
broadcast as part of normal WLAN traffic, so any wireless hobbyist
can identify these network names.) Upon deployment, all access points
should be configured for security, which includes proper naming
of the network through SSIDs. Hackers are often attracted to access
points with default SSIDs, such as "tsunami" from Cisco
and "101" from Symbol. If the SSID has not been changed,
it's not likely other security measures have been enacted on the
access point or WLAN segment. The default network names often
advertise that the wireless LAN is not properly secured. Similarly,
SSIDs that contain specific information about the WLAN deployment
should also be avoided. Using department names, such as "human
resources," "accounting" or "engineering"
can also attract hackers to the WLAN in search of personnel files,
financial information or intellectual property.
9. Insecure Windows XP Settings
- Wireless LAN policies should apply to every wireless station
and device, and Windows XP compounds the issue with several default
settings that risk security vulnerabilities. While the Wi-Fi friendly
features of Windows XP are great for usability and the growth
of WLANs, they can also create policy headaches by forcing IT
managers to maintain secure configurations of XP on all clients.
In default modes of Windows XP, a wireless-enabled laptop automatically
searches for an access point with which to connect. Some of the
insecure settings include:
• Automatically connecting to all unapproved wireless networks;
• Sending out beacons in search of all access points the
station has previously connected with; and
• Dual-mode of operation to allow for both infrastructure
(access points) and ad hoc (peer-to-peer) networking.
10. Off-Hours Traffic - With wireless LANs operating
on the uncontrolled wireless medium and RF signals extending beyond
the walls of a building, many enterprises limit WLAN usage to set
office hours. Concerned about late-night hackers in the parking
lot, some enterprises even take steps to turn off the access points
during non-office hours, so that all wireless LAN activity during
off-hours can be identified as suspicious.
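Several of the violations above (items 1, 3, 4, 5, 8 and 10) can be checked mechanically against what a wireless monitoring sensor observes. The following is an added example, not AirDefense code: the observation fields, the sanctioned BSSID list and the office hours are assumptions, and only the default SSIDs and department names come from the article.

```python
from datetime import datetime, time

# Assumed site policy (hypothetical values; only "tsunami" and "101" are from the article).
SANCTIONED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
DEFAULT_SSIDS = {"tsunami", "101"}
REVEALING_WORDS = ("human resources", "accounting", "engineering")
ALLOWED_RATES_MBPS = {5.5, 11}
OFFICE_OPEN, OFFICE_CLOSE = time(7, 0), time(19, 0)

def check_observation(obs):
    """Return the policy violations for one observed WLAN device."""
    found = []
    if obs["mode"] == "adhoc":
        found.append("ad hoc network")                    # item 3
    elif obs["bssid"] not in SANCTIONED_BSSIDS:
        found.append("rogue access point")                # item 1
    if set(obs["rates_mbps"]) - ALLOWED_RATES_MBPS:
        found.append("slow data rates advertised")        # item 4
    if "open" in obs["auth"]:
        found.append("open authentication allowed")       # item 5
    ssid = obs["ssid"].lower()
    if ssid in DEFAULT_SSIDS:
        found.append("default SSID")                      # item 8
    elif any(word in ssid for word in REVEALING_WORDS):
        found.append("SSID reveals too much detail")      # item 8
    seen = datetime.fromisoformat(obs["seen"]).time()
    if not OFFICE_OPEN <= seen <= OFFICE_CLOSE:
        found.append("off-hours traffic")                 # item 10
    return found

def audit(observations):
    """Map each violating device's BSSID to its list of violations."""
    checked = ((o["bssid"], check_observation(o)) for o in observations)
    return {bssid: v for bssid, v in checked if v}

# Constructed sample observations, not captured traffic.
SAMPLE = [
    {"bssid": "00:11:22:33:44:01", "ssid": "bldg7-net", "mode": "infrastructure",
     "rates_mbps": [5.5, 11], "auth": ["vpn"], "seen": "2003-05-20T10:15:00"},
    {"bssid": "00:11:22:33:44:02", "ssid": "accounting-2f", "mode": "infrastructure",
     "rates_mbps": [1, 2, 5.5, 11], "auth": ["vpn", "open"], "seen": "2003-05-20T10:20:00"},
    {"bssid": "00:40:96:aa:bb:cc", "ssid": "tsunami", "mode": "infrastructure",
     "rates_mbps": [1, 2, 5.5, 11], "auth": ["open"], "seen": "2003-05-20T23:40:00"},
    {"bssid": "02:0c:f1:12:34:56", "ssid": "share", "mode": "adhoc",
     "rates_mbps": [11], "auth": ["open"], "seen": "2003-05-20T14:00:00"},
]

if __name__ == "__main__":
    print("\n".join(f"{b} -> {', '.join(v)}" for b, v in audit(SAMPLE).items()))
```

The second sample shows a sanctioned access point that still violates policy through its configuration, which a rogue-only scan would miss.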