Best practices for securing your wireless LAN

Perhaps the biggest network security concern for many enterprises is securing a wireless local area network (WLAN). This three-part expert lesson provides best practices for securing a WLAN in the enterprise. Lesson 1 focuses on methods of systematically monitoring your WLAN for intruders and ways to proactively reduce network discovery. Lessons 2 and 3 focus on how to protect users and the network, respectively.

Blocking intruders

Best practice definition
For wireless security, "best practice" is a relative term. Best practice for the U.S. Federal Treasury may be different from best practice for a fast-food retailer. This is because each enterprise may assess wireless risk differently. This E-Guide defines best practice as a methodology that is commonly used, cost effective, and applicable to virtually all enterprises. The term "practice" refers to technologies and procedures. For example, "use Wi-Fi Protected Access 2 (WPA2) security" is a technology best practice, whereas "train employees not to connect to ad hoc WLANs" is a procedural best practice.

Network discovery 
Network intruders use a variety of methods to discover the existence of WLANs and their corresponding service set identifiers (SSIDs). Intruders can use shareware, such as NetStumbler, combined with a high-gain antenna to scan for the existence of WLANs. Unfortunately, it is nearly impossible to hide the existence of a WLAN or the SSID because management and control frames are not encrypted. (Note that the IEEE is working on a proposal [802.11w] to strengthen management frame security.)

Some security professionals recommend disabling the SSID broadcast in beacon frames and disabling the probe response frame for the broadcast SSID. We do not recommend this, however. The first action increases WLAN traffic because it forces all stations on the network to scan for a valid AP by periodically transmitting probe requests. The second action forces a network administrator to manually configure the SSID on every station. Neither action actually reduces the likelihood that an intruder will discover the WLAN.

We recommend the following best practices:

  • Install APs out of sight. This conceals the existence of a WLAN from casual inspection and will also make the location of the AP more difficult to determine.
  • Reduce radio power to minimize radio frequency (RF) leakage. Reducing radio power will reduce coverage to only those areas that should receive a wireless signal.

Some high-risk enterprises may want to use directional antennas in order to have greater control over signal propagation compared with omni-directional antennas. Aim directional antennas toward the interior of the building in order to minimize RF signal leakage outside the building.

Network intrusion 
Network intrusion causes unauthorized network traffic that may be targeted to exploit vulnerabilities on systems or be associated with malicious code (e.g., worms and Trojan horse programs), or it may result in traffic that violates the organization's acceptable-use policy. The most common type of wireless network intrusion is that of a rogue AP. Another intrusion attack is an ad hoc connection whereby a station can associate with another station independent of an AP. This type of wireless connection can lead to a man-in-the-middle attack.

A wireless intrusion detection system (WIDS) can monitor for rogue APs and unauthorized devices, maintain policy adherence, and look for anomalous or suspicious behavior. An overlay WIDS solution relies upon dedicated, distributed hardware sensors that look like APs. The sensors continuously monitor multiband channels and report anomalies back to a centralized management console. Alternatively, enterprises can use an integrated WIDS solution (from WLAN system vendors) that integrates a sensor function into an AP. Many of these integrated solutions do not provide continuous monitoring, however, and thus may not catch some intrusion attempts.

We recommend the following best practices:

  • Use a WIDS solution to monitor for rogue APs in both the 2.4 GHz and 5 GHz spectrum bands.
  • Periodically monitor for rogue APs in both the 2.4 GHz and 5 GHz spectrum bands by using a handheld monitor in areas where there is little or no wireless coverage.
  • Use auditing techniques on the wired network to discover intruders on the wireless network. For example, accept Dynamic Host Configuration Protocol (DHCP) requests only from authorized network devices. This technique will block rogue APs from receiving an IP address and alert the network manager to potential intruders.
  • Train employees not to connect to any ad hoc WLANs.
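The two monitoring practices above (a WIDS that classifies what it hears in both bands, and a wired-side DHCP audit that catches rogue APs asking for an address) can be illustrated with a small script. The following is an added example, not code from the lesson or from any WIDS vendor: the AP inventory, the beacon records, the DHCP log lines and the channel-to-band mapping are all constructed for illustration.

```python
"""Added example (not from the original lesson): a minimal rogue-AP / ad hoc
classifier for beacons seen by a sensor, plus a wired-side DHCP audit, run over
constructed sample data. Inventory, log format and thresholds are assumptions."""

from collections import Counter

# Constructed inventory of the enterprise's own APs: BSSID -> SSID it may advertise.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "CorpNet",
    "00:11:22:33:44:02": "CorpNet",
    "00:11:22:33:44:03": "CorpGuest",
}
CORPORATE_SSIDS = set(AUTHORIZED_APS.values())


def band_for_channel(channel):
    """Map an 802.11 channel number to its spectrum band (simplified ranges)."""
    if 1 <= channel <= 14:
        return "2.4 GHz"
    if 36 <= channel <= 165:  # common 5 GHz channel numbers (assumption)
        return "5 GHz"
    return "unknown"


def classify_beacon(beacon):
    """Classify one observed beacon record (dict: bssid, ssid, channel, ibss).

    Returns 'authorized', 'rogue', 'ad-hoc' or 'neighbor'. 'rogue' means a BSSID
    we do not own is advertising one of our SSIDs (an impostor AP), or one of our
    own BSSIDs is advertising an SSID it should not.
    """
    bssid = beacon["bssid"].lower()
    ssid = beacon["ssid"]
    if beacon.get("ibss"):
        # IBSS (ad hoc) networks are never allowed; stations must not join them.
        return "ad-hoc"
    expected = AUTHORIZED_APS.get(bssid)
    if expected == ssid:
        return "authorized"
    if ssid in CORPORATE_SSIDS or expected is not None:
        return "rogue"
    return "neighbor"


def survey(beacons):
    """Return per-(band, class) counts and the findings that should raise alerts."""
    counts = Counter()
    alerts = []
    for b in beacons:
        verdict = classify_beacon(b)
        band = band_for_channel(b["channel"])
        counts[(band, verdict)] += 1
        if verdict in ("rogue", "ad-hoc"):
            alerts.append((verdict, b["bssid"], b["ssid"], band))
    return counts, alerts


# Wired-side audit: constructed DHCP server log lines in an ISC dhcpd-like format.
DHCP_LOG = """\
DHCPDISCOVER from 00:11:22:33:44:01 via eth0
DHCPDISCOVER from aa:bb:cc:dd:ee:ff via eth0
DHCPDISCOVER from 00:11:22:33:44:02 via eth0
DHCPDISCOVER from aa:bb:cc:dd:ee:ff via eth0
"""

# MACs allowed to obtain a lease: the known APs plus, say, a known printer.
AUTHORIZED_WIRED_MACS = set(AUTHORIZED_APS) | {"00:de:ad:be:ef:01"}


def audit_dhcp(log_text):
    """Return the set of unknown MACs that asked for a lease (candidate rogue APs)."""
    unknown = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "DHCPDISCOVER" and parts[1] == "from":
            mac = parts[2].lower()
            if mac not in AUTHORIZED_WIRED_MACS:
                unknown.add(mac)
    return unknown


# Constructed beacon observations: two real APs, one impostor, one neighbour, one ad hoc.
SAMPLE_BEACONS = [
    {"bssid": "00:11:22:33:44:01", "ssid": "CorpNet", "channel": 6, "ibss": False},
    {"bssid": "00:11:22:33:44:02", "ssid": "CorpNet", "channel": 36, "ibss": False},
    {"bssid": "aa:bb:cc:dd:ee:ff", "ssid": "CorpNet", "channel": 11, "ibss": False},
    {"bssid": "12:34:56:78:9a:bc", "ssid": "CoffeeShop", "channel": 1, "ibss": False},
    {"bssid": "02:aa:bb:cc:dd:ee", "ssid": "free-wifi", "channel": 6, "ibss": True},
]

if __name__ == "__main__":
    counts, alerts = survey(SAMPLE_BEACONS)
    for alert in alerts:
        print("ALERT", *alert)
    print("unknown DHCP clients:", sorted(audit_dhcp(DHCP_LOG)))
```

The same unknown MAC shows up on both sides here (advertising the corporate SSID over the air and requesting a lease on the wire), which is the correlation the wired audit is meant to provide; a neighbour's unrelated SSID is reported but not alerted on, so the console is not flooded by surrounding businesses.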

Protecting users

This lesson describes best practices for maintaining strong user authentication and data privacy on a WLAN.

Establishing a user's identity is the first step to controlling access to network resources. Some enterprises authenticate users by validating their media access control (MAC) address. However, it is easy for an intruder to copy MAC addresses from valid frames and then change the MAC address on the intruder laptop to match a valid MAC address. A stronger approach is identity-based authentication, which often leverages the IEEE 802.1X standard, Extensible Authentication Protocol (EAP), and Remote Authentication Dial-In User Service (RADIUS).

Alternatively, some enterprises may deploy a VPN over the WLAN using technology such as IPsec or SSL. In this case, the enterprise uses the VPN authentication mechanism, such as extended authentication (XAUTH) with the Challenge-Handshake Authentication Protocol (CHAP), to authenticate users.

802.1X relies on EAP for user authentication. EAP is an authentication framework that defines a way to encapsulate different authentication methods. We recommend the EAP types listed in Table 1 because they are widely available and exhibit low to moderate risk.

Table 1: Recommended EAP Types

The acronyms used in Table 1 are defined below:

  • EAP-TLS: Transport Layer Security
  • EAP-TTLS MS-CHAP v2: Tunneled TLS with Microsoft Challenge-Handshake Authentication Protocol version 2
  • PEAP MS-CHAP v2: Protected EAP with Microsoft Challenge-Handshake Authentication Protocol version 2
  • EAP-FAST: Flexible Authentication via Secure Tunneling
  • PAC: Protected Access Credentials

We recommend the following best practices:

  • If 802.1X is deployed for the wired network, use 802.1X with EAP to provide mutual authentication of users and authentication servers. Enterprises should use one of the following EAP types: TLS, TTLS, PEAP or FAST. Note that EAP-TLS requires certificates on both the supplicant and the authentication server.
  • If 802.1X is not deployed for the wired network, use IPsec or SSL (if supported by enterprise applications) to provide mutual authentication of users and authentication servers.
  • Authenticate guests through a captive portal webpage and monitor usage.

Data confidentiality and integrity
Enterprises must strive to prevent intentional, unintentional, unauthorized, or inappropriate disclosure of information. As mentioned in Lesson 1, intruders can eavesdrop using shareware (e.g., Aircrack) and commercial packet capture tools (e.g., Laptop Analyzer from AirMagnet), along with high-gain antennas, to discover a WEP key or Rivest Cipher 4 (RC4) keystream (often referred to as a "shared key" attack). In addition, the cyclic redundancy check (CRC) used with WEP is vulnerable because it is possible for an intruder to modify a frame without the CRC detecting the modification.

WEP was initially replaced by the interim WPA security certification and then by the WPA2 security certification (based on the 802.11i standard). WPA2 provides strong encryption (with the Advanced Encryption Standard [AES]), dynamic key exchange, and strong authentication (with 802.1X).

We recommend the following best practices:

  • If 802.1X is already deployed for wired LAN authentication, use WPA2 to ensure wireless data confidentiality and integrity. If WPA2 is not available (e.g., due to legacy equipment), use WPA. 802.1X is recommended with WPA/WPA2 because it provides a mechanism for automatic key distribution in addition to providing support for user authentication.
  • If 802.1X is not already deployed for wired LAN authentication, use IPsec or SSL (if supported by enterprise applications) to ensure wireless data confidentiality and integrity. An acceptable alternative to using 802.1X, IPsec or SSL -- at small sites only -- is to use WPA or WPA2 with pre-shared keys (PSKs).

Note that PSKs are vulnerable to offline dictionary attacks and can be compromised by employees who share the PSK, either accidentally or deliberately, with non-employees. In addition, PSKs are very difficult to administer on large networks because when the PSK is changed (e.g., when an employee leaves the company), every client on the network must be configured with the new PSK. Therefore, PSKs should be used with care.

  • Use of WEP is not recommended. If WEP is used, however, or no WLAN encryption is used, deploy the WLAN outside of the firewall. In effect, this treats the WLAN as an untrustworthy network.
  • Segregate visitor traffic over a shared WLAN/LAN using a separate SSID and a separate wired virtual LAN (VLAN).
  • Segregate WEP traffic from WPA/WPA2 traffic using a separate SSID and a separate wired VLAN.
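The authentication recommendations (use 802.1X with EAP-TLS, TTLS, PEAP or FAST; EAP-TLS needs a client certificate) and the confidentiality recommendations (prefer WPA2 over WPA, use PSKs only at small sites, treat WEP as untrusted) can be checked mechanically against client configuration. The following linter is an added example, not code from the lesson or from the wpa_supplicant project; it reads wpa_supplicant-style `network={ ... }` blocks, whose keys (`key_mgmt`, `proto`, `eap`, `ca_cert`, `client_cert`, `private_key`, `wep_key0`) are real, while the sample configuration, severities and messages are constructed. The `ca_cert` check adds a caveat the lesson does not spell out: a tunneled method such as PEAP or TTLS only authenticates the server if the supplicant is told which CA to trust.

```python
"""Added example (not from the original lesson): a small linter for
wpa_supplicant-style network blocks that checks the lesson's recommendations
on EAP types, certificates, WPA2 vs WPA, PSK and WEP. The sample
configuration is constructed; severities and message wording are assumptions."""

RECOMMENDED_EAP = {"TLS", "TTLS", "PEAP", "FAST"}
TUNNELED_EAP = {"TTLS", "PEAP"}  # these rely on validating the server certificate


def parse_networks(text):
    """Parse 'network={ key=value ... }' blocks into a list of dicts."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks


def lint_network(net):
    """Return a list of (severity, message) findings for one network block."""
    findings = []
    name = net.get("ssid", "<no ssid>")
    key_mgmt = net.get("key_mgmt", "WPA-PSK")         # wpa_supplicant default
    proto = set(net.get("proto", "WPA RSN").split())   # default allows both

    if key_mgmt == "NONE" and any(k.startswith("wep_key") for k in net):
        findings.append(("high", f"{name}: WEP in use; treat this WLAN as untrusted (outside the firewall)"))
    elif key_mgmt == "NONE":
        findings.append(("high", f"{name}: no encryption; treat this WLAN as untrusted"))
    elif "WPA-PSK" in key_mgmt:
        findings.append(("medium", f"{name}: pre-shared key; acceptable at small sites only, rotate on staff changes"))
    elif "WPA-EAP" in key_mgmt:
        eap = net.get("eap", "")
        if eap not in RECOMMENDED_EAP:
            findings.append(("high", f"{name}: EAP type '{eap or 'unset'}' not in recommended set {sorted(RECOMMENDED_EAP)}"))
        if eap in TUNNELED_EAP and "ca_cert" not in net:
            findings.append(("high", f"{name}: {eap} without ca_cert; supplicant cannot verify the authentication server"))
        if eap == "TLS" and not ("client_cert" in net and "private_key" in net):
            findings.append(("high", f"{name}: EAP-TLS requires a client certificate and private key"))

    if key_mgmt != "NONE" and "RSN" not in proto:
        findings.append(("medium", f"{name}: WPA only; use WPA2 (RSN) unless legacy equipment prevents it"))
    return findings


def lint(text):
    """Lint every network block in a configuration string."""
    return [f for net in parse_networks(text) for f in lint_network(net)]


# Constructed sample: a weak PEAP block, a hardened PEAP block and a WEP block.
SAMPLE_CONF = """
network={
    ssid="CorpNet-Legacy"
    key_mgmt=WPA-EAP
    proto=WPA
    eap=PEAP
    identity="alice"
    password="example-password"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="CorpNet"
    key_mgmt=WPA-EAP
    proto=RSN
    eap=PEAP
    identity="alice"
    password="example-password"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="Warehouse"
    key_mgmt=NONE
    wep_key0=0123456789
}
"""

if __name__ == "__main__":
    for severity, message in lint(SAMPLE_CONF):
        print(f"[{severity}] {message}")
```

Run against the sample, the first block is flagged twice (no `ca_cert`, WPA-only), the hardened block passes, and the WEP block is reported as untrusted; the same logic could be pointed at a fleet's exported profiles to find clients that would accept any authentication server.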

Protecting the network

This lesson describes methods to protect your network from attack and provides denial-of-service best practices.

Denial of service
Any event that prevents authorized users from performing appropriate functions may be considered a denial-of-service (DoS) attack. DoS attacks can occur within any component of the information technology (IT) infrastructure or even outside of IT. User Datagram Protocol (UDP) floods (directed at the enterprise Internet connection) and RF jamming (directed at the enterprise WLAN) are types of DoS attacks. In the context of this lesson, a DoS attack is one that prevents operation of the WLAN (rather than a DoS attack aimed at upper layers).

WLAN DoS attacks are easy to launch. In fact, the simple act of reheating a meal in the microwave oven can inadvertently prevent the WLAN from operating. The increased range of 802.11n (compared with 802.11g/a) may also cause unintentional interference from neighboring WLANs. Deployment of 802.11n in the 5 GHz band can help to reduce the likelihood of unintentional DoS interference because far fewer products on the market operate in this band. However, intruders can launch DoS attacks from outside the facility by using a directional antenna to aim RF energy at the target WLAN. Unlike wired LAN broadcast storms that propagate throughout the LAN, wireless DoS attacks are confined to the area that is directly under attack.

Numerous WLAN DoS vulnerabilities -- such as those listed below -- threaten the physical layer (PHY), the association process, and the authentication process:

  • 802.11 networks are vulnerable to the deliberate transmission of RF signals that disrupt packet transmission and network availability.
  • 802.11 networks are vulnerable to DoS attacks that involve transmitting large numbers of Association Request frames to an AP using multiple forged MAC addresses.
  • 802.11 networks are vulnerable to EAPoL Start DoS attacks that flood an AP with EAPoL Start messages.

Although there are many ways to launch a DoS attack, many enterprises assess the potential for a DoS attack as a low risk and simply ignore the potential for DoS attacks. We recommend that you include a wireless DoS scenario in your enterprise business continuity planning process. In addition, some enterprises may wish to deploy network-wide monitoring for DoS detection using RF sensors distributed throughout the enterprise.
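The two protocol-level floods listed above (Association Requests from many forged MAC addresses, and EAPoL-Start messages) have a signature that RF sensors or a controller can detect by rate: a burst of frames of one type toward one AP within a short window, with the distinct-source count distinguishing a spoofed-address flood from a single misbehaving station. The following detector is an added example, not code from the lesson or from any WIDS product; the frame-record format, the window length, the thresholds and the traffic stream are all constructed. RF jamming is not covered, since it is detected from noise-floor measurements rather than frame counts.

```python
"""Added example (not from the original lesson): a rate-based detector for the
association-request and EAPoL-Start flood patterns, run over a constructed
stream of frame records such as a WIDS sensor might emit. Record format,
window length and thresholds are assumptions."""

from collections import defaultdict, deque

WINDOW_SECONDS = 1.0
# Constructed thresholds: frames per window and distinct source MACs per window.
THRESHOLDS = {
    "assoc_req": {"frames": 50, "sources": 20},   # many forged MACs
    "eapol_start": {"frames": 30, "sources": 1},  # even one station is enough
}


class FloodDetector:
    """Keeps a sliding window of recent frames per (AP BSSID, frame type)."""

    def __init__(self, thresholds=THRESHOLDS, window=WINDOW_SECONDS):
        self.thresholds = thresholds
        self.window = window
        self.recent = defaultdict(deque)  # (bssid, kind) -> deque of (ts, src)
        self.alerted = set()              # one alert per (bssid, kind)

    def observe(self, ts, bssid, kind, src):
        """Feed one frame record; return an alert tuple or None."""
        if kind not in self.thresholds:
            return None
        key = (bssid, kind)
        q = self.recent[key]
        q.append((ts, src))
        while q and ts - q[0][0] > self.window:   # expire frames outside the window
            q.popleft()
        limits = self.thresholds[kind]
        sources = {s for _, s in q}
        if (len(q) >= limits["frames"] and len(sources) >= limits["sources"]
                and key not in self.alerted):
            self.alerted.add(key)
            return (kind, bssid, len(q), len(sources))
        return None


def run(frames):
    """Return the alerts raised over an iterable of (ts, bssid, kind, src)."""
    det = FloodDetector()
    alerts = []
    for ts, bssid, kind, src in frames:
        alert = det.observe(ts, bssid, kind, src)
        if alert:
            alerts.append(alert)
    return alerts


def constructed_frames():
    """Normal traffic on AP 01, an association flood with forged MACs on AP 02,
    and an EAPoL-Start flood from a single station on AP 03 (all constructed)."""
    frames = []
    # Five legitimate association requests spread over ten seconds.
    for i in range(5):
        frames.append((i * 2.0, "00:11:22:33:44:01", "assoc_req", f"10:00:00:00:00:{i:02x}"))
    # Eighty association requests in 0.8 s from eighty different forged addresses.
    for i in range(80):
        frames.append((20.0 + i * 0.01, "00:11:22:33:44:02", "assoc_req",
                       f"de:ad:be:ef:{i // 256:02x}:{i % 256:02x}"))
    # Forty EAPoL-Start messages in 0.4 s from one station.
    for i in range(40):
        frames.append((30.0 + i * 0.01, "00:11:22:33:44:03", "eapol_start", "aa:bb:cc:dd:ee:ff"))
    return frames


if __name__ == "__main__":
    for kind, bssid, n, srcs in run(constructed_frames()):
        print(f"ALERT {kind} flood on {bssid}: {n} frames from {srcs} sources in {WINDOW_SECONDS}s")
```

The legitimate traffic never accumulates in the one-second window, so only the two floods alert; in practice the thresholds would be set from a baseline of each AP's normal association and 802.1X rates, and the alert would feed the business-continuity runbook the paragraph above recommends rather than an automatic block.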

Network protection
Network management systems and wireless infrastructure are also vulnerable to attack. Network management vulnerabilities include threats such as unauthorized network management control of APs, controllers, switches and gateways.

We recommend the following best practices:

  • Modify the default SSID to an enterprise-specific name.
  • Use a controller-based WLAN system instead of autonomous APs. A WLAN system provides a management focal point and reduces the number of attack points in the network.
  • Protect access to WLAN hardware with strong passwords. Change passwords periodically.
  • Disable wireless-side management access to wireless APs and controllers.
  • Frequently monitor vendor software updates and promptly apply patches that improve network security.

Some enterprises may also want to implement the following practices:

  • Use encrypted network management security protocols such as Simple Network Management Protocol (SNMP) v3, Secure Shell (SSH), and SSL. Disable SNMP v1 and v2 in APs and controllers.
  • Restrict wired-side AP/controller access to certain IP addresses, subnets or VLANs.

Further information
This expert lesson makes reference to the Wireless Vulnerabilities and Exploits (WVE) website. WVE provides a database of known wireless vulnerabilities and is similar to other systems that catalogue vulnerabilities, such as Common Vulnerabilities and Exposures (CVE) and Open Source Vulnerability Database (OSVDB). Anyone can use and contribute to the WVE database. The WVE editorial board approves all contributions.

About the author: Paul DeBeasi is a senior analyst at the Burton Group and has more than 25 years of experience in the networking industry. Before joining the Burton Group, Paul founded ClearChoice Advisors, a wireless consulting firm, and was the VP of product marketing at Legra Systems, a wireless-switch innovator. Prior to Legra, he was the VP of product marketing at startups IPHighway and ONEX Communications and was also the frame relay product line manager for Cascade Communications. Paul began his career developing networking systems as a senior engineer at Bell Laboratories, Prime Computer and Chipcom Corp. He holds a BS degree in systems engineering from Boston University and a master of engineering degree in electrical engineering from Cornell University. Paul is a well-known conference speaker and has spoken at many events, among them Interop, Next Generation Networks, Wi-Fi Planet, and Internet Telephony.

This was last published in November 2008