WLAN Security: What You Should Know and Where You Should Start
By Scott Pope, Senior Manager, Wireless Security Product Management, Cisco
Wireless LAN security is emerging as a hot topic in IT networking circles. Enterprises of all sizes are realizing that the airwaves within and surrounding their locations are a networking asset.
Taking advantage of the instant, anywhere access to information in WLANs can lead to business innovation, but like any other network asset, the airwaves also require a well-considered security strategy.
Sometimes poorly understood, the policy and process behind "securing the airwaves" often fall between the domains of security and WLAN teams within IT departments. Wireless security is somewhat different from security in WANs, LANs and data centers.
The good news is that IT professionals can formulate and implement a comprehensive security policy using functions that are built into today's enterprise-grade WLANs.
The Basic Tenet of WLAN Security: Walls Don't Help
Because it traverses the air, wireless data has unique security requirements. WLANs transmit data and extend network access outside buildings. While data encryption and strong user authentication can help secure traffic and access, they don't constitute a comprehensive wireless security strategy on their own. The airwaves redefine the typical network perimeter, and this is the primary consideration when formulating a WLAN security strategy.
Understanding Wireless-Specific Threats
The same security rules of access control, traffic inspection and intrusion prevention apply to WLAN traffic once it lands on the wired network. But there are WLAN-specific threats that must be considered.
First is the rogue, or unmanaged, access point. If a rogue is connected to your LAN, it extends backdoor access to your network outside the building. And if that rogue doesn't require user authentication, anyone within its range has access to, at minimum, the LAN port that the rogue is connected to. Such rogues must be detected and mitigated even if you don't have a WLAN installed in your company. Furthermore, a rogue can lure wireless users to connect to it for purposes of network profiling or stealing proprietary information.
Most other threats come from hackers using the airwaves to do their work. These threats fall into three categories:
- First are wireless denial-of-service attacks that disrupt or disable WLANs. These attacks force clients off the network by abusing the 802.11 protocol or by generating radio frequency noise.
- Second are user authentication and data encryption cracking methods that compromise data privacy and user access control on the WLAN. While WLANs using Wi-Fi Protected Access 2 (WPA2) encryption and strong authentication aren't at risk, many networks still use insecure protocols like Wired Equivalent Privacy (WEP) to connect older WLAN clients.
- The last category is network reconnaissance, which analyzes unencrypted WLAN management frames to discern the best avenues for a WLAN attack.
Regulatory and Network Management Process Considerations
Understanding the threat environment is the foundation for a wireless security strategy, but regulatory compliance frameworks are another key point of consideration. The Payment Card Industry Data Security Standard (PCI), which governs merchants that process credit cards, and the Federal Information Security Management Act of 2002 (FISMA), which sets standards for federal data security, are the most prescriptive.
They outline requirements for detecting rogue access points and safeguarding WLAN traffic, among other criteria. In addition, the spirit of the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SoX) regulations also flows through to WLAN security by requiring medical patient privacy and intellectual property protection, respectively.
The unstated goal of these regulations is to make WLAN security a natural extension of the overall WLAN network management workflow. Wireless security shouldn't be bolted on to the network management process but integrated into WLAN configuration, operations and event management. And, in the best designs, wireless security should use wired-side security for defense in depth.
Technologies for Implementing Wireless Security
The good news is that most of these considerations are addressed by security technologies built into today's enterprise-grade WLANs. Organizations just need to understand the security requirements of their environment, establish a wireless security policy, and then use the security capabilities integrated into their WLAN infrastructure. Optimally, enterprises will also use their wired-side network security infrastructure to build a layered defense.
Beyond the basics of strong Extensible Authentication Protocol user authentication and WPA2 encryption, most enterprise-grade WLAN gear provides at least rudimentary detection of rogue access points and clients. Better systems provide enhanced usability through customizable "event severity" auto-classification, mitigation and physical location of the rogue device. Better yet is a system that provides detection of airborne hacker attacks such as denial of service, identity spoofing, encryption and authentication cracking, unauthorized client activity, and reconnaissance.
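The rogue "event severity" auto-classification described above can be sketched as follows. This is an added example, not code from the article or from any vendor product; the MAC addresses, SSIDs, severity labels and the adjacent-MAC heuristic are assumptions made for illustration.

```python
# Added illustration: all MACs, SSIDs and severity labels are constructed.
MANAGED_BSSIDS = {"00:11:22:aa:00:01", "00:11:22:aa:00:02"}
CORPORATE_SSIDS = {"corp-wlan"}
# MAC addresses learned on wired switch ports (constructed CAM-table export).
WIRED_MACS = {"00:11:22:aa:00:01", "de:ad:be:ef:10:20"}

# Constructed over-the-air survey: (bssid, ssid, encryption)
SCAN = [
    ("00:11:22:aa:00:01", "corp-wlan", "WPA2"),
    ("de:ad:be:ef:10:21", "linksys", "OPEN"),
    ("66:77:88:99:00:01", "corp-wlan", "OPEN"),
    ("aa:bb:cc:00:00:05", "CoffeeShop", "WPA2"),
]

def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)

def on_wire(bssid, wired_macs, slack=1):
    """Assumed heuristic: an AP's radio MAC often equals or sits next to its
    Ethernet MAC, so a near match in the CAM table suggests it is plugged in."""
    radio = mac_to_int(bssid)
    return any(abs(radio - mac_to_int(w)) <= slack for w in wired_macs)

def classify(bssid, ssid, encryption):
    """Return (severity, reason) for one observed access point."""
    if bssid in MANAGED_BSSIDS:
        return ("none", "managed access point")
    if on_wire(bssid, WIRED_MACS):
        if encryption == "OPEN":
            return ("critical", "rogue on wired LAN, no authentication")
        return ("high", "rogue on wired LAN")
    if ssid in CORPORATE_SSIDS:
        return ("high", "unmanaged AP advertising a corporate SSID")
    return ("low", "neighboring access point")

def classify_scan(scan):
    return {bssid: classify(bssid, ssid, enc) for bssid, ssid, enc in scan}

if __name__ == "__main__":
    for bssid, (severity, reason) in classify_scan(SCAN).items():
        print(f"{bssid}  {severity:8}  {reason}")
```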
While threat detection is key to a wireless security architecture, so is hardening the WLAN infrastructure and auditing against weak security configurations. Using preventive security features such as 802.1X or certificates for device authentication proactively guards against rogue access points. WLAN management frame encryption prevents spoofing and reconnaissance. Automated security vulnerability monitoring for weak or out-of-policy WLAN configurations can also prevent many attacks from being successful.
What to Do Now
The overarching message here is to integrate wireless-specific requirements into your overall network security policy. The key steps are to:
- Determine the security posture of your wireless clients. Is there WEP encryption or LEAP authentication? Any enabled client-to-client ad hoc wireless networking? If so, you must have a wireless intrusion prevention system in place to detect attacks against these vulnerabilities.
- Survey your surroundings. Are you in a crowded radio frequency space with lots of neighboring access points? Or are the airwaves largely clear? In either case, you need wireless rogue detection in place, but these access points will drive your rogue security policy.
- Consider regulatory compliance requirements. Are you subject to PCI, HIPAA, SoX or FISMA? These have implications for your wireless security policy, usually even if you don't have wireless deployed.
- Leverage your security infrastructure. Some WLAN gear provides secure access point provisioning and management frame security. Also, firewalls, wired-side intrusion prevention systems, and network admission control create layers of security for your wireless environment. Take advantage of them.
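The first step above, and the earlier point about monitoring for weak or out-of-policy WLAN configurations, can be automated along these lines. This is an added example, not the article's or any vendor's code; the profile field names and sample profiles are hypothetical and constructed.

```python
# Added illustration: profile fields are hypothetical, not a vendor schema.
PROFILES = [
    {"ssid": "corp-wlan", "encryption": "WPA2", "auth": "EAP-TLS",
     "mgmt_frame_protection": True, "adhoc": False},
    {"ssid": "scanners", "encryption": "WEP", "auth": "OPEN",
     "mgmt_frame_protection": False, "adhoc": False},
    {"ssid": "legacy-voice", "encryption": "WPA2", "auth": "LEAP",
     "mgmt_frame_protection": False, "adhoc": True},
]

# Each rule: (finding text, predicate that is True when the profile is out of
# policy, whether the article says this weakness calls for wireless IPS).
RULES = [
    ("encryption is not WPA2", lambda p: p["encryption"] != "WPA2", True),
    ("LEAP authentication", lambda p: p["auth"] == "LEAP", True),
    ("no user authentication", lambda p: p["auth"] == "OPEN", False),
    ("management frames unprotected",
     lambda p: not p["mgmt_frame_protection"], False),
    ("client-to-client ad hoc enabled", lambda p: p["adhoc"], True),
]

def audit(profiles):
    """Map each SSID to the list of out-of-policy findings."""
    return {
        p["ssid"]: [text for text, bad, _ in RULES if bad(p)]
        for p in profiles
    }

def requires_wips(profiles):
    """SSIDs with WEP, LEAP or ad hoc networking, which the checklist says
    need a wireless intrusion prevention system watching them."""
    return sorted(
        p["ssid"] for p in profiles
        if any(bad(p) for _, bad, wips in RULES if wips)
    )

if __name__ == "__main__":
    for ssid, findings in audit(PROFILES).items():
        print(ssid, "->", findings or "compliant")
    print("needs wireless IPS coverage:", requires_wips(PROFILES))
```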
Steps to "securing the airwaves" sometimes are not well understood, but by tending to a few basic considerations and leveraging the security features integrated into today's enterprise-grade WLANs, any enterprise can have a complete wireless security architecture.
Scott Pope is Senior Manager, Wireless Security Product Management with Cisco.