Combating wireless LAN security risks can be tricky and stressful enough even for a veteran networking pro, but the stakes get even higher when a slip-up could cost millions in non-compliance fees and stolen credit card
"A lot of people think they have good wireless security, but they don't understand what wireless security is. You cannot protect wireless the same way you protect wired," said John Kindervag, senior analyst at Forrester Research, who recently authored PCI X-Ray: Wireless Guidelines. "Wireless [networking] requires an enhanced level of paranoia. If you're deploying wireless and you're not paranoid, you're not doing it right."
Not every PCI DSS wireless guideline should be interpreted as a compliance requirement -- such as "generally applicable" statements -- but should be considered de facto wireless LAN security best practices even for enterprises that don't fall under compliance mandates, Kindervag said.
"You have to understand that it's there to help educate you -- not create another set of rules," he said. "People ignore wireless security…. Their infrastructure people deploy it, and they don't think about how it's going to be attacked. They just think, 'Oh, we deployed it properly, blah blah blah.'"
Meeting and circumventing PCI DSS wireless guidelines
At the University of San Diego (USD), a private institution with 7,800 students, the need to defuse wireless LAN security risks and meet PCI DSS compliance collided when USD launched its campus-wide Wi-Fi network more than five years ago. In its first iteration, network access only required registering a username with an email address, according to Doug Burke, director of network and telecommunications services at the college.
"We discovered that we had a lot of people using our guest wireless as we were going along and getting a bit nervous about the fact that occasionally I'd get a call saying, 'You know, there's this man that sits outside our office with a laptop and it's at night,'" Burke said.
In response, the university required a credit card for authentication purposes only. But, seeking to recover the fees they paid to credit card companies to process the transactions, USD eventually began charging for guest Wi-Fi access -- solving one security problem but opening up the network to PCI DSS wireless mandates.
Instead of engineering a solution, Burke and his team networked around the problem by using eTIPS from Avenda Systems, a network access control (NAC) appliance, to route all credit card transactions over the Internet to a third-party company. The data never touches the USD network, he said.
Although guest Wi-Fi registration presented the biggest PCI DSS wireless challenge for USD, its networking team still had to segregate and secure the wireless registers the university's dining services use to sell food and beverages in the bleachers at football games, said network administrator Charlie Koehler.
To minimize wireless LAN security risks and maintain PCI DSS wireless compliance, devices are issued a reserved IP address and must undergo MAC address authentication, Koehler said. This not only prevents rogue devices from accessing the WLAN, it also limits some of the chattiness between client and AP.
"Because all the IP addresses are hard set … there's no DHCP request happening, so nobody can intercept what's going on," Koehler said. "Initially, we had our concerns [about whether wireless] was safe enough to carry people's credit card numbers, but through all the tools we put in place, we could easily [secure] that [data]."
VLANs, hidden SSID don't meet PCI DSS wireless guidelines
Enterprises with older WLANs are the most at risk of violating PCI DSS wireless requirements, Kindervag said. Those networks typically use security protocols, such as Wired Equivalent Privacy (WEP), alongside individually managed, or "fat," access points (APs) with few security features.
Enterprises often think they can mitigate wireless LAN security risks by not broadcasting the network's service set identifier (SSID), but Kindervag said it's a "dangerous" assumption that can actually make an attack easier for hackers -- especially if enterprises treat it as a first line of defense.
"It causes the client and the AP to go nuts trying to talk to each other," he said. "[Wireless] is a lonely chatty protocol, wishing someone would talk to it. It means you can't hide from attackers…. People think they can hide from them by turning off their SSID -- by becoming invisible like it's the Harry Potter cloak, but there is no Harry Potter cloak in wireless security."
Migrating to 802.11n is a good way to ease PCI DSS wireless compliance requirements because many of the newer systems have more robust security systems and use stronger protocols, such as Wi-Fi Protected Access (WPA) or WPA2, Kindervag said. Centralized management consoles in newer systems can also help with detecting rogue APs and keeping an audit trail for approved devices.
"People will upgrade for performance reasons and get the security benefit without realizing it," he said.
Complying with PCI DSS wireless guidelines also requires deploying a wireless intrusion detection system (IDS) or wireless intrusion prevention system (IPS) to meet requirements for device scanning and rogue AP detection. Enterprises often avoid spending money on wireless IDS/IPS and find manual workarounds, but "that's the one place where you should spend," Kindervag said.
Network segmentation is a clear directive for complying with PCI DSS wireless guidelines, but enterprises are mistaken if they believe virtual LANs (VLANs) are the answer, Kindervag said. Security mandates require that in-scope devices -- parts of the network that credit card data touches -- be firewalled off from the rest of the network, he said.
"VLANs are not for security at all. Zero. All caps: ZERO," he said. "It's like you're driving down the highway and there's a yellow line there you're not supposed to cross…. VLANs are yellow lines that tell packets to stay within those boundaries. But if attackers want to move them across [the boundary], they can."
Let us know what you think about the story; email: Jessica Scarpati, News Writer