Wireless security monitoring and policies
Many organizations treat WLAN security as a snapshot in time, but the WLAN environment needs ongoing management to ensure that it can withstand and prevent intrusion as well as detect intrusion attempts. Monitoring a WLAN environment and maintaining security compliance have multiple facets.
802.1X can be used to funnel wireless traffic onto Virtual LANs that reflect user or group permissions. It can be helpful to know how to establish this critical link between authentication and authorization where packets are tagged as they enter a LAN so that upstream devices (e.g., gateways, routers, firewalls) can apply security and QoS filters. APs may tag wireless traffic so that it can remain segregated from wired traffic as it moves through the network, from AP to edge switch to core switch to Internet router.
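As an added example (not from the article), this is the concrete form that authentication-to-authorization link takes on the wire: after 802.1X succeeds, the RADIUS server's Access-Accept carries Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID (RFC 2868 as profiled by RFC 3580), and the AP or switch reads the VLAN from them. The group-to-VLAN map is a constructed assumption; the parser side shows the checks a receiving device should make before trusting the attributes.

```python
"""802.1X dynamic VLAN assignment via RADIUS tunnel attributes (RFC 3580)."""
import struct

# RADIUS attribute types and enumerated values from RFC 2868 / RFC 3580
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6

# Constructed example policy (assumption, not from the article): user group -> VLAN ID
GROUP_TO_VLAN = {"finance": 20, "engineering": 30, "guest": 99}

def _attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("BB", attr_type, len(value) + 2) + value

def vlan_attributes(group, tag=1):
    """Build the tunnel attributes an Access-Accept carries for a group's VLAN.
    Unknown groups get no attributes, so the AP falls back to its default (or denies)."""
    vlan = GROUP_TO_VLAN.get(group)
    if vlan is None:
        return b""
    # Tunnel-Type and Tunnel-Medium-Type: one tag byte plus a 3-byte big-endian integer
    tt = _attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    tm = _attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
    # Tunnel-Private-Group-ID: one tag byte plus the VLAN ID as a decimal string
    pg = _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode())
    return tt + tm + pg

def parse_attributes(blob):
    """Walk a RADIUS TLV attribute list and return (type, value) pairs; reject malformed lengths."""
    i, attrs = 0, []
    while i + 2 <= len(blob):
        t, ln = blob[i], blob[i + 1]
        if ln < 2 or i + ln > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((t, blob[i + 2:i + ln]))
        i += ln
    return attrs

def vlan_from_accept(blob):
    """Do what an AP/switch does: assign a VLAN only if all three attributes share a tag,
    the type is VLAN, the medium is 802, and the group ID is a valid VLAN number."""
    by_tag = {}
    for t, v in parse_attributes(blob):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) and v:
            tagged = v[0] <= 0x1F            # RFC 2868: a first byte above 0x1F is not a tag
            by_tag.setdefault(v[0] if tagged else 0, {})[t] = v[1:] if tagged else v
    for d in by_tag.values():
        if (d.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and d.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")
                and d.get(TUNNEL_PRIVATE_GROUP_ID, b"").isdigit()
                and 1 <= int(d[TUNNEL_PRIVATE_GROUP_ID]) <= 4094):
            return int(d[TUNNEL_PRIVATE_GROUP_ID])
    return None
```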
In a recently published article, security vendor Network Chemistry analyzed events collected from RFprotect Endpoint users. They found that:
- Users do connect to wireless and wired networks simultaneously (37% of the endpoints analyzed had network bridging enabled).
- Users with VPNs do not always use them to protect traffic (68% had experienced violations of VPN policy).
- Ad hoc networks are used frequently (63% had ad hoc enabled or tried to connect to an ad hoc peer).
- Wireless connections are often made to unknown networks (87% of the endpoints had connected to an unknown AP).
Companies can discourage these risky behaviors by educating the workforce about Wi-Fi threats and enforcing Wi-Fi security policies that prevent unsafe connections.
Simultaneous connection to internal and external networks can present a security risk -- this has long been a known VPN risk and is why many companies do not use what are called "split tunnels." When users connected to a corporate Ethernet initiate a Wi-Fi association to a neighbor's AP or a metro-area network, they expose the company network to outside threats. But preventing this from happening is not as easy as you might think.
Wireless security tools and configuration
WLAN security has become increasingly critical for small and medium-sized businesses (SMBs) as much as large enterprises. Wireless LANs are especially vulnerable to break-ins because, unlike wired LANs, they are not contained within a physical structure. Radio waves carry traffic beyond corporate walls, enabling intruders to gain access to the network without entering a corporate building.
Furthermore, WLAN traffic does not flow through a central node that can be used to monitor and control who gets access to what. SMBs may need to implement WLAN security in order to comply with government regulations such as the Health Insurance Portability and Accountability Act. Understanding what is available can help SMBs buy WLAN security tools designed for their operations.
One of 802.11 Wired Equivalent Privacy's (WEP) many shortcomings is that it relies on manually configured static keys, often entered in hexadecimal. Many users had no idea how to configure WEP, and vendors did little to hide WEP details under user-friendly GUIs. WLAN administrators found manual WEP key configuration tedious, error-prone and ultimately doomed to failure because keys had to be updated on hundreds of devices whenever just one was lost or stolen. Wi-Fi Protected Access (WPA) has improved this situation to some degree, and there are ways to simplify WLAN security configuration.
WPA version 2 (WPA2) is the Wi-Fi Alliance certification program for products that implement IEEE 802.11i security enhancements. WPA2-certified products have been available since September 2004. Today, most enterprise and many new residential Wi-Fi products support WPA2, and as of March 2006, WPA2 is mandatory for Wi-Fi certification. The time has come to migrate to WPA2.
WPA2 is available in two forms: WPA2-Personal for home and small office use, and WPA2-Enterprise for business use. Creating a large-scale, geographically diverse WPA2-compliant network can be a big challenge and requires some forethought before beginning. Understanding the various elements involved first will ensure that the deployment goes smoothly.
To determine whether your devices speak WPA2, consult the Wi-Fi Alliance certified products list. If your gear is old and isn't WPA (version 1) certified, retire it -- if not immediately, then soon. To upgrade other devices to WPA2, check your vendor's support site for new AP firmware or card drivers. You'll need hardware that's no more than two years old; WPA2 requires chipsets that implement the Advanced Encryption Standard (AES). If you're buying new APs, make sure they are WPA2-certified.
This was first published in September 2007