Managing Wi-Fi stations


Lisa Phifer
04.19.2005


Many early Wi-Fi adopters have relied upon manual configuration of stations -- laptops, PDAs, and desktops with 802.11 network adapters. This approach is workable in trial or limited deployments. But, as Wi-Fi becomes more pervasive within business networks, companies are seeking more control over wireless station configuration and behavior. Stopping risky wireless connections to ad hoc peers and rogue access points (APs) may start with user education, but what options do companies have to centrally define, configure, monitor, and enforce wireless station settings?

Wi-Fi configuration challenges and limitations

Connecting to unprotected Wi-Fi networks can be easy -- too easy. Many Wi-Fi adapters ship with client software that automatically discovers nearby peers and APs. Users can often connect to those which are unsecured with one click. Windows XP takes this further with Wireless Zero Configuration (WZC). Initially, WZC connected stations automatically to any discovered wireless device. Subsequent service packs have modified defaults, but WZC still prompts users to connect to all "available networks." Once a user accepts, those connections are automatically re-established whenever the station is near any WLAN with the same network name (its Extended Service Set Identifier, or ESSID). As a result, many users engage in risky behavior by accidentally or intentionally connecting to unknown wireless devices, sending cleartext traffic over the air and creating an open door for station compromise.

On the flip side, connecting to secure Wi-Fi networks can be far too difficult. Wi-Fi client software and WZC present an awkward array of security parameters to end users. Older products required users to enter hexadecimal WEP keys. Newer products offer users a choice between having keys supplied automatically (WPA-Enterprise) or entering a secret passphrase (WPA-Personal). But users must still choose between TKIP and AES, WPA and WPA-PSK. You might think automatic keys would be easier, but even this choice requires configuring another half-dozen esoteric parameters like 802.1X EAP type, trusted root certification authority, and authentication method. Even techie users who understand these acronyms, or those who carefully follow admin-supplied instructions, can easily make mistakes and become frustrated by retries and failures.

In the long run, asking end users to manually configure trusted wireless network parameters and avoid untrusted wireless connections is "a bad idea." A decade ago, we expected users to configure their own LAN cards and modems. Today, most companies use network infrastructure, pre-configured client software, and centralized management tools to do those jobs. As Wi-Fi matures, wireless configuration will follow suit.

Centralizing corporate control

A variety of enterprise solutions already exist for centralized definition, delivery, update, and enforcement of desktop, laptop, and even PDA network and security policies. Many of these can be leveraged to centrally configure Wi-Fi adapters, detect out-of-policy configurations, or even prevent end-user reconfiguration. Products that may be helpful in this endeavor fall into several categories.

Traditional desktop management systems are being extended to include policies which govern Wi-Fi adapter configuration. For example, Microsoft Windows Server 2003 Group Policy enables centralized configuration management for computers and Windows domain users, based on registry settings, remote software installation, and script invocation. By using Active Directory to distribute Group Policy Objects (GPOs) to managed Windows XP and 2000 PCs, administrators can set 802.11 and 802.1X parameters. These wireless network policy settings take precedence over user-defined settings for infrastructure or ad hoc mode connections. If wireless settings are defined both locally (by the user) and in a GPO (by the administrator), those settings are merged. The user can't change GPO-defined networks or the order in which they are applied. While this doesn't completely lock down wireless adapter configuration, it can automate proper configuration of corporate WLAN settings -- for example, requiring server certificate checking to avoid accidental connection to "evil twin" rogue APs.

Centrally-managed endpoint security suites like CheckPoint Integrity, InfoExpress CyberGateKeeper, Senforce Endpoint Security, and Sygate Secure Enterprise can also play a role in Wi-Fi station management. These products monitor and enforce security product presence, configuration, and status on devices used for corporate network access. Endpoints, whether connecting over dial-up, residential broadband, Ethernet, or wireless, are scanned at connect time, granted admission if they pass muster, or denied/quarantined if they don't. Agent software, installed on each endpoint with an initial policy, communicates with a central policy server to report status and receive policy updates. Products like these are well-positioned to check and perhaps configure Wi-Fi adapter security parameters. For example, CheckPoint Integrity can recognize and enforce wireless-specific policies for authorized WLANs. Senforce Wi-Fi Connectivity Control can prevent users from "seeing" anything other than company-specified ESSIDs, using the company-specified wireless NIC. Such measures could potentially stop employees from using work laptops to connect to ad hoc or home WLANs.

Wireless management products like Wavelink Avalanche, CA Wireless Site Management, or Credant Mobile Guardian provide central administration of mobile device security features and policies. Early products in this field were largely WEP key managers, designed to rotate static WEP keys at regular intervals to avoid cracking. Today, demand for third-party WEP key rotation has largely evaporated, replaced by 802.1X-based dynamic key delivery in WPA/WPA2. However, scalable management of mobile devices is still very necessary, so these products have stepped in to fill perceived gaps. For example, Wavelink Avalanche (PDF) can push wireless network profiles to mobile devices, setting parameters like ESSID, encryption/authentication type, and (if used) WEP keys. Mobile device GUIs can be locked down to prevent user modification, software updates can be pushed when wireless bandwidth permits, and the location of mobile assets can be tracked.

Wireless intrusion detection systems (WIDS) like AirDefense Enterprise, AirMagnet Enterprise, AirTight SpectraGuard, and Network Chemistry RFprotect can detect out-of-policy wireless behavior, like ad hoc connections or authorized devices connecting to unauthorized ESSIDs. For the most part, WIDS only apply when the device is "on campus" -- that is, at your office, not on the road or at home. Still, wireless intrusion detection (or prevention) can help you find improperly-configured stations, disconnect them to stop the damage, and physically track them down for remediation. As in the wired world, we can expect to see integration of wireless network and host IDS products. For example, AirDefense Personal uses host-resident software to periodically scan a station's wireless connections and generate alerts. A user who has accidentally connected to an unknown ESSID or been redirected to a rogue AP is thus warned, although noticing the alert and taking action is left to the user. Such an agent could someday forward alerts back to a central WIDS, based on WIDS-defined policies. For example, CA's WSM leverages its mobile agents to detect rogues and other problems.
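As an added illustration (not code from the article or from any product it names), the following Python models the kind of out-of-policy check that the endpoint security agents and WIDS policies described in the two preceding sections perform: it evaluates a station's saved wireless profiles against a corporate policy covering the parameters the article lists (ESSID, ad hoc versus infrastructure mode, WPA authentication type, TKIP versus AES, EAP type and server certificate checking). The profile fields, policy values and sample profiles are all assumed and constructed here.

```python
# Added example (not from the article): check a station's saved wireless profiles
# against a corporate WLAN policy for the out-of-policy conditions the article
# names: ad hoc peers, unknown ESSIDs, weak auth/cipher, no server cert check.
from dataclasses import dataclass, field

@dataclass
class WlanPolicy:
    allowed_essids: set
    allowed_auth: set = field(default_factory=lambda: {"WPA-Enterprise", "WPA2-Enterprise"})
    allowed_ciphers: set = field(default_factory=lambda: {"AES"})
    allowed_eap: set = field(default_factory=lambda: {"PEAP-MSCHAPv2", "EAP-TLS"})
    require_server_cert_validation: bool = True
    allow_ad_hoc: bool = False

def check_profile(profile, policy):
    """Return the policy violations for one profile dict (empty list if compliant)."""
    findings = []
    if profile.get("mode") == "adhoc" and not policy.allow_ad_hoc:
        findings.append("ad hoc (peer-to-peer) profile")
    if profile["essid"] not in policy.allowed_essids:
        findings.append("unauthorized ESSID %r" % profile["essid"])
    auth = profile.get("auth", "Open")
    if auth not in policy.allowed_auth:
        findings.append("authentication %s not permitted" % auth)
    if profile.get("cipher") not in policy.allowed_ciphers:
        findings.append("cipher %s not permitted" % profile.get("cipher"))
    if auth.endswith("Enterprise"):  # 802.1X settings only apply to WPA-Enterprise
        if profile.get("eap") not in policy.allowed_eap:
            findings.append("EAP type %s not permitted" % profile.get("eap"))
        if policy.require_server_cert_validation and not profile.get("validate_server_cert"):
            findings.append("server certificate not validated (evil twin exposure)")
    return findings

def audit_station(profiles, policy):
    """Return (essid, findings) for every profile that fails the policy."""
    report = []
    for p in profiles:
        findings = check_profile(p, policy)
        if findings:
            report.append((p["essid"], findings))
    return report

CORP_POLICY = WlanPolicy(allowed_essids={"CORP-WLAN"})
# Constructed sample profiles, as an endpoint agent might read them from a station.
SAMPLE_PROFILES = [
    {"essid": "CORP-WLAN", "mode": "infrastructure", "auth": "WPA2-Enterprise",
     "cipher": "AES", "eap": "PEAP-MSCHAPv2", "validate_server_cert": True},
    {"essid": "CORP-WLAN", "mode": "infrastructure", "auth": "WPA2-Enterprise",
     "cipher": "AES", "eap": "PEAP-MSCHAPv2", "validate_server_cert": False},
    {"essid": "linksys", "mode": "infrastructure", "auth": "Open", "cipher": None},
    {"essid": "Free Public WiFi", "mode": "adhoc", "auth": "Open", "cipher": None},
]
```

The second CORP-WLAN profile is the case the Group Policy section warns about: the right ESSID and key type, but with server certificate checking turned off, so the station would also accept an "evil twin" AP presenting the same name.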

Getting started

Clearly, there are many ways to tackle this challenge. The good news is that most enterprises already have piece-parts of a solution to build upon, whether starting from enterprise desktop management or endpoint security infrastructure or both. The unique needs associated with provisioning and monitoring radios and mobile devices have driven demand for new technology-specific products, like mobile device managers and wireless intrusion detection systems.

As Wi-Fi matures and becomes "just another LAN to manage," these technology-specific products probably won't go away. But they will be required to dovetail with technology-independent enterprise network and systems management products. Ideally, uniform policies should be configured in one place, for the entire network, even if device-level interaction is carried out by wireless-specific components. We'll get there... someday.

In the meantime, take a good look at the products you're already using in both your wired and wireless networks to see how they might help your company regain control over Wi-Fi station configuration. Use the categories identified in this tip as a starting point. Get end-users out of the Wi-Fi configuration business -- your network will be safer, your users will be happier, and you may even cut your help-desk costs.


About the author: Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for nearly 20 years. She teaches about wireless LANs and virtual private networking at industry conferences and has written extensively about network infrastructure and security technologies for numerous publications. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.
