
Posted Date: 4/30/2009

Pitfalls In WLAN Protection

By Ben Halpert

Congratulations! You've deployed a world-class wireless local area network (WLAN) that enables your employees to be productive without having their laptops tethered to an Ethernet cable.

You've conducted a site survey to make sure you don't have any gaps in coverage. You've adjusted the transmission strength on your wireless access points to make sure you can adequately handle the required throughput and user density. You've secured the WLAN according to industry-accepted guidelines, such as the National Institute of Standards and Technology's (NIST) "Special Publication (SP) 800-97 Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i" and "SP 800-120 Recommendation for EAP Methods Used in Wireless Network Access Authentication," currently in draft.

You're done, right? Not so fast.

How are you managing (or are you?) the computing devices that connect to the WLAN? Are the operating systems locked down to only allow essential processes and applications to run? Can your users install any software they want on their laptops, desktops, etc.? Are you managing both the wired and wireless interfaces to ensure that only one can function at a time? And what happens when that computing asset, let's call it a laptop, leaves your "secure" WLAN environment, connects to an open wireless network (like the ones at airports or coffee shops) and then connects back to your "secure" WLAN? Is the laptop even the same one that left the week before? Would you know?

Below you will find a list of selected deployment aspects worth considering.

  • Multi-factor authentication. Do you really think alphanumeric passwords cut it anymore? Did they really ever?

  • Machine certificates. All the devices connected to your network are controlled by you? Really?

  • Removal of administrative privileges. You will get pushback, but try and see how your business is really affected. I think you know where I am going with this. And for those who really do need admin privileges, there are other solutions.

  • Prevention of bridging from wired to wireless network interfaces on devices. Avoid this at your own risk.

  • Wireless intrusion detection. Without it, you may as well put an Ethernet jack in your parking lot.

  • Port control on the wired network. Your wireless network is merely an extension of your wired network.

When you address these six aspects in the next year, get back to me and I'll give you another set. And, if you can accomplish the six items in less than a year, tell your boss I said it's time to give you a bonus.
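A host-side check for the bridging item in the list above, and for the earlier question of whether only one interface can function at a time. This is an added example, not part of the original column: it assumes Linux endpoints and reads the kernel's sysfs network tree, and the function name `audit_interfaces` and the finding labels are illustrative.

```python
import os

def _read(path):
    """Return stripped file contents, or '' if the file is unreadable."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return ""

def audit_interfaces(sysfs_net="/sys/class/net"):
    """Flag wired and wireless NICs that are up together or share a bridge.

    Assumption: Linux sysfs layout. Only physical NICs (those with a
    'device' entry) are considered, so loopback, VPN tunnels and other
    virtual interfaces are ignored.
    """
    wired_up, wireless_up, bridges = [], [], {}
    for name in sorted(os.listdir(sysfs_net)):
        base = os.path.join(sysfs_net, name)
        if not os.path.exists(os.path.join(base, "device")):
            continue
        # Wireless NICs expose 'wireless' (WEXT) and/or 'phy80211' (cfg80211).
        is_wireless = any(os.path.exists(os.path.join(base, d))
                          for d in ("wireless", "phy80211"))
        # A bridge port has brport/bridge, a symlink to the owning bridge.
        link = os.path.join(base, "brport", "bridge")
        if os.path.islink(link):
            bridge = os.path.basename(os.path.realpath(link))
            bridges.setdefault(bridge, []).append((name, is_wireless))
        if _read(os.path.join(base, "operstate")) == "up":
            (wireless_up if is_wireless else wired_up).append(name)

    findings = []
    if wired_up and wireless_up:
        # Both media active at once: the host straddles two networks.
        findings.append(("dual-homed", wired_up + wireless_up))
    for bridge, ports in sorted(bridges.items()):
        if {is_wl for _, is_wl in ports} == {True, False}:
            # One bridge joins a wired and a wireless port at layer 2.
            findings.append(("wired-wireless-bridge:" + bridge,
                             [n for n, _ in ports]))
    return findings

if __name__ == "__main__":
    for kind, ifaces in audit_interfaces():
        print(f"{kind}: {', '.join(ifaces)}")
```

An empty result means no physical wired and wireless interfaces were up together or joined in a bridge at the moment of the check; run it on a schedule or on link-state change rather than once.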



Ben Halpert, CISSP, is an information security researcher and practitioner and writes monthly about security. Read his blog at benhalpert.com/blog. Comments, questions and requests can be sent to him at editor@mobileenterprisemag.com; please include SECURITY in the subject line.


All materials on this site Copyright Edgell Communications. All rights reserved.