Securing Wireless LAN
Despite the constant increase in security features of wireless LAN products and technology, the risk of attack and penetration remains high. As with wired networks, it is only a matter of time before someone breaches the security on your wireless network.
Understanding the criminals' goals, tricks, and techniques will help ensure that you and your wireless devices and network remain secure and one step ahead of them. Wireless LANs must be secured against attacks from both hackers and improper use.
Besides ensuring that you take the best measures against any possible attack on the network, wireless security experts agree that a strict security policy may help reduce the vulnerability of wireless LANs.
It is a good idea to understand how to develop and integrate an effective wireless security policy into your enterprise to ensure wireless LAN continuity.
Let's we talk about developing practical wireless LAN security policies that work. Let's discuss the process of developing and establishing wireless LAN security policies and how to integrate them into an organization.
Establishing Security Policy
A wireless LAN security policy establishes information security requirements for a deployment to ensure that confidential information and technologies are not compromised and that network resources and other computing devices are protected.
In order to establish a successful security policy, you must understand your security policy requirements, create the policies, and deploy them carefully by announcing them among the LAN users.
Security Policy Requirements
Your security policy requirements are often dictated by the threats that you need to secure your wireless LAN against. Threats that a wireless LAN deployment may be vulnerable to depends, at least, on the deployment scenario (for example large enterprise and government wireless LANs might be of higher interest to an adversary).
- The confidentiality of the data in the wireless LAN (for example, a LAN containing financial data would be more vulnerable than a LAN containing publicly available information on Shakespeare's Romeo and Juliet).
- The physical location (for example, a wireless LAN located in the middle of nowhere would be difficult to reach compared to a wireless LAN in the middle of a city).
- And the LAN resources (for example, a high−bandwidth Internet connection would be more appealing to a hacker than a LAN that is not connected to the Internet).
When creating a wireless LAN security policy, you should consider, at least, user authentication, data privacy, measures against known wireless LAN attacks, AP configuration parameters, client−side configuration risks, and measures against war driving as the primary requirements of your wireless LAN security.
- Authentication
Uncontrolled wireless access can allow attackers to read email, sniff passwords, gain administrative access to machines, plant access to machines, plant Trojan horses or back doors, and use wireless access points to launch other attacks.
A wireless LAN security policy must require an adequate level of authentication to ensure that most possible threats are minimized.
- Data Privacy
The data in a wireless LAN is vulnerable to tampering and spoofing. An adversary within the range of wireless LAN radio waves can monitor the LAN traffic and intercept the data.
If the data is not encrypted, the adversary can easily modify the data or gain access to confidential information. A good security policy will require that all data transmission over a wireless LAN must only take place in encrypted form. Also, any confidential data must never be exchanged over a wireless LAN.
- Measures Against Attacks on Wireless LAN
A wireless LAN security policy must include provisions to deter attacks on the wireless LAN. It must address, at least, the following known attacks.
- Wireless Device Insertion Attacks
The insertion attack on a wireless LAN is conducted by a hacker or an adversary by placing or brining a wireless LAN device well within the range of a wireless LAN.
If a wireless LAN is not properly configured, the adversary can make the wireless LAN believe that the LAN device he or she introduces is a legitimate client of the wireless LAN and gain access to the LAN. There are two common attacks on wireless LANs:
- Unauthorized Wireless LAN Clients. Unauthorized wireless LAN clients are mobile computers or other computing devices that have a wireless LAN adapter installed and can forge a LAN user to gain access to the LAN.
- Enforcing MAC−level and the use of 802.1X−based authentication can deter the insertion attacks by unauthorized wireless LAN clients.
- Rogue APs. Hackers may also place a wireless LAN AP within the operating range of a wireless LAN to impersonate a real AP. In this case, the wireless LAN adapters may be fooled into believing that the rogue AP is, in fact, a legitimate AP.
The rogue AP operator, the hacker who installs a rogue AP, can easily gain authentication information from users when they authenticate themselves to the AP.
Once the hacker has the user−authentication information, he or she can easily use a laptop computer to gain access to the wireless LAN.
- The best way to counter the rogue AP attack is by constantly scanning for rogue APs in the coverage area for a wireless LAN. Radio scanners can detect the periodic beacon of the APs to determine if there are any rogue APs present in the LAN.
- The insertion attacks are also known as intrusion attacks as the intruder, in this case, can easily gain access to the LAN. It is important that a good wireless LAN security policy contains primitives for detecting insertion attacks.
- Hijacking Secure Socket Layer (SSL) Connections
Today, Web servers on the Internet use an encryption protocol called Secure Socket Layer (SSL) for secure data transmission over the Internet.
Most financial transactions that take place over the Internet, for example stock purchases from an online stockbroker or a book purchase from an online bookseller, take place using the SSL protocol.
If a Web server is connected to a wireless LAN and an intruder gets access the wireless LAN, he or she can gain access to the Web server and conduct an attack known as SSL highjacking in which an intruder gains access to the Web server and controls the data.
AP Configuration Parameters
Most APs out of the box from the factory are configured in the least secure mode possible. Adding the proper security configuration is left up to the individual setting up a wireless LAN using the equipment.
For example, most APs come with a default SSID. An attacker can use these default SSIDs to attempt to penetrate base stations that are still in their default configuration.
Unless the administrator of the APs understands the security risks, most of the base stations will remain at a high−risk level. A good security policy must require that the AP configuration parameters are frequently checked to ensure their proper configuration.
Client Side Configuration Risks
If wireless LAN client computers are incorrectly configured, for example if the security parameters are incorrectly configured or are modified by the user as a mistake, the client computer may reveal critical information that can be picked up by a hacker resulting in the LAN compromise.
A good security policy will require that only authorized users modify the client's wireless LAN configuration.
War Driving
War driving is a new activity in which hackers drive around town with a laptop computer equipped with a wireless LAN adapter and a wireless LAN signal monitoring software with the objective of locating APs and recording the GPS coordinates of the AP location.
Hackers normally share maps describing the geographic locations of APs on the Internet. If a company has its AP location and information shared on the Internet, its AP becomes a potential target and increases its risk.
One of the popular places to upload war driving AP maps is www.netstumbler.com. It includes a visual map and a database query tool for locating various APs. A good security policy will include frequent monitoring of such Web sites and periodic change of the SSIDs of the APs.
Creating Security Policy
A carefully created wireless LAN security policy includes primitives to address most of the security requirements.
Creating a security policy for a wireless LAN involves understanding your needs, following a guideline that helps you define the basic parameters that your wireless LAN security policy will enforce, and finally documenting them in an easy−to−follow document that outlines the overall security policy.
Wireless LAN Security Policy Guidelines
The wireless LAN security policy guidelines vary for each deployment. Following are some of the basic wireless LAN security policy guidelines that can be used to create a security policy for wireless LAN access and management.
- Treat All Wireless LAN Devices as Untrusted on Your Network
You should consider all wireless LAN client computers to be untrusted, which means that you assume that any wireless LAN client equipment operating in a LAN could be a rogue computer unless authenticated.
Using this primary assumption reminds you not to rely on the inadequate security primitives that many insecure wireless LANs rely upon.
For example, if you consider all client computers equipped with wireless LAN adapters as insecure, you will not use MAC address−based authentication as the sole authentication mechanism.
- Require the Highest Level of Wireless LAN Authentication
You Can Afford The cost of wireless LAN security infrastructure is falling with advancements in wireless LAN technology. You should try to acquire the highest level of wireless LAN security infrastructure you can afford.
You should require in your policy that all APs and client computers must be configured to use the authentication system that is defined in your security policy. For example, use 802.1X authentication protocol for authenticating your wireless LAN users.
- Define a Standard Configuration for APs and Wireless LAN Adapters
Your wireless LAN policy must define a standard configuration for wireless LAN adapters and APs. Users deviating from the standard configuration must not be allowed to access the wireless LAN.
- Allow Only Authorized Equipment to Be Used in the Wireless LAN
A well−defined security policy will not allow individuals to select their own wireless LAN equipment or software. Though this restriction seems too stiff sometimes, it helps limit the vulnerabilities that unknown equipment may add to the wireless LAN.
For example, your policy should allow only a given set of wireless LAN adapters to be used in a wireless LAN.
- Discourage Users from Sharing Their Wireless LAN Computers with Unknown Individuals
You should discourage your wireless LAN users from sharing their computers with outsiders. This policy helps keep your wireless LAN configuration information private, available to the LAN users only.
- Use Firewalls and VPNs to Secure Your Wireless LAN
Your policy should require that all computers that require high security be protected using firewalls, and all remote access to the LAN must be protected using VPNs.
- Enable Strong Encryption When Available
Your policy should choose the strongest available encryption technology and require that all wireless LAN devices use the chosen encryption technology.
For example, 802.11 standard uses RC4 as its encryption algorithm and WEP as its security protocol. You should require the use of WEP by all devices that use your wireless LAN.
- Allow Only Authorized Personnel Access to APs and Other Critical LAN Equipment
Your wireless LAN security policy must restrict who can manage the LAN equipment. For example, passwords to the AP configuration software must only be distributed among the administrators of the wireless LAN.
Communicating Security Policy
The wireless LAN security policy should be added to every organization's compliance policy that uses wireless LANs. The wireless LAN security policy should be briefed to all employees, especially those who will be using the wireless LAN.
The policy and its importance should be properly explained to each individual LAN user. The policy document should be placed along with other corporate documents that define the corporate policies.
Security Policy Compliance
Compiling a wireless LAN security policy and communicating it to users could be a simpler task when compared to ensuring user−compliance. To make sure that wireless LAN users are, in fact, following the security policy, you must monitor their security policy behavior.
In addition, any legal policy must be consulted with legal professionals and local law enforcement authorities. Following are some of the commonly practiced ways to monitor security policy in an organization.
- Use computer system logs to ensure that users are following the security policy that you have enforced.
- Make sure that all users frequently change their passwords.
- Users must be required to regularly scan their computers for computer viruses.
Intrusion Detection and Containment
It is important to detect any activity aiming to intrude into the privacy and security of the wireless LAN. All such intrusion activities must be properly detected and contained. Following are some of the common means of detecting intrusion.
Wireless LAN AP Monitoring Software
Wireless LAN AP monitoring software can be used to monitor the presence of APs within a wireless LAN coverage area. Monitoring the APs in a wireless LAN at a given time shows all APs that will be operating at the given time.
A rogue AP or an unknown AP operating in a wireless LAN can be easily detected using the monitoring software. If an unauthorized AP is found to be operating within the area that the organization physically controls, it should be immediately turned off and reasons for its operation must be sought from the operators of the AP.
If the questionable AP is found to be present in the physical area outside the organization's control, the operators should be contacted to find out whether they are using it for legitimate purposes or the AP belongs to a hacker.
If the AP is found to be operated by an unknown entity, law enforcement authorities should be contacted and any possible network security breaches must be assessed.
Intrusion Detection Software
Intrusion detection software operates by constantly monitoring network traffic and activities. Most intrusion detection software is capable of analyzing the network traffic to heuristically determine any known network security breaches and alarm the network administrator (by paging, for example) when they encounter such activities.
All intrusion activities must be taken seriously and, if any such activity is found to have happened, all possible security attacks must be properly responded to.
Antivirus Software
Viruses are most common danger to any LAN and standalone computers. Antivirus software can be scheduled to perform routine checks of all network file systems and user computers to make sure that they do not contain files with viruses.
Most popular antivirus software, for example Norton Anti−Virus from Symantec Corporation, is updated by manufacturers on a regular basis to provide security from any new computer viruses found.
Firewall and Router Logs
Most firewalls and routers are capable of logging any suspicious activities that could be geared towards destroying, damaging, or degrading a LAN performance or gaining illegal or unauthorized access.
For example, most firewalls today are able to deter any denial−of−service (DoS) attacks. They log all network activity that could result in DoS.
If a firewall or router log displays any suspicious activity from a computer inside or outside the organization's control, appropriate measures must be taken to deter and or stop such attacks, and law enforcement authorities should be contacted if the threat is of a serious nature.
Network Login and Activity Logs
Most operating systems and authentication servers, for example RADIUS servers, are capable of logging any suspicious login attempt.
Hackers, for example, conduct an attack commonly known as the brute−force password attack in which they try to log in to a LAN by attempting possible combinations of username and passwords until they are successful. Attacks of this nature can be easily detected by monitoring these logs frequently.
While new security techniques are constantly being invented and improved upon, hackers are also busy creating new security threats to LANs and computers in general.
Though wireless LANs are a relatively new type of LAN and fewer attacks and threats on wireless LANs are known at this time, it is important to watch out for any new security threats that might become prevalent.
To ensure wireless LAN security, it is important that you plan for dealing with the future security challenges by keeping up with the latest development in the security infrastructure of wireless LAN technologies.
The use of digital certificates and the public key infrastructure (PKI), for example, must be considered in the near future to provide user authentication and data privacy. Network authentication may also be improved by using newer technologies like DNA fingerprints.