Wonderfully Wireless: How wireless networks empower SMBs
Because WLANs were designed with access in mind, not security, the implementation of WLANs can open a network up to risks. In the case of Small- and Medium-sized Businesses (SMBs) looking to leverage the benefits of WLAN deployment, there are many issues to consider in weighing the trade-off between access and security

Wireless Local Area Networks (WLANs) offer great potential to businesses, providing users with increased efficiency and productivity. The goal of WLANs is to enable users to connect to a network without having to be physically attached to it, speeding up mobility and workstation deployment. Unfortunately, because WLANs were designed with access in mind, not security, the implementation of WLANs can open a network up to risks. In the case of Small- and Medium-sized Businesses (SMBs) looking to leverage the benefits of WLAN deployment, there are many issues to consider in weighing the trade-off between access and security.

WLAN Benefits

To be sure, despite intrinsic risks, it behoves SMBs to seriously consider adopting WLAN technology especially when there are proven methods of mitigating the risks. The removal of wires from the communications and network access equation can provide very powerful business benefits.

Increased employee productivity is one example. Wireless LAN mobility allows employees to carry their net-connected laptops to meetings with peers and customers, resulting in decisions being made quicker and based on more accurate data. With the increasing number of PDAs and mobile phones incorporating WiFi technology, demand for a wireless infrastructure will continue to increase. Secure wireless LAN access can also generate significant operational cost savings by greatly reducing or eliminating the IT administrative burden associated with employee additions, changes, and relocations. An SMB may even frequently relocate the entire office as the business evolves. Having to rewire and redeploy traditional cabled networking infrastructure can become an expensive financial and administrative burden that saps productivity and effectiveness from a fledgling business.

Some employees feel that wireless is so valuable they may take matters into their own hands and purchase very inexpensive wireless access points and install them in their offices themselves. These rogue access points can severely reduce an organization's information security posture as well as create opportunity for network configuration problems which cause broadcast storms or other errors on the wired infrastructure. A much better solution is to offer company-supported wireless access which is secure and well-managed. The prices of WiFi adapters have dropped in recent years to the point that most new laptops are equipped with WiFi at time of manufacture. Giving an employee half of the wireless puzzle is a recipe for disaster.

Two Keys to Success

Basically, the two primary areas to pay attention to in a WLAN deployment are data encryption and access authentication.

While an SMB may intuitively grasp the need to secure data residing on hard disks or being transmitted over the airwaves, there may be less awareness regarding authentication. It has become a pastime for hackers to roam cities war-driving, looking for wireless access points that are vulnerable, either as a means of accessing a network for malicious activity or, sadly, just for the thrill. Authenticating users is just as important as protecting the privacy of the wirelessly delivered data.

The two most common categories of attacks against WLAN infrastructure are session hijacking and man-in-the-middle attacks. Session hijacking usurps control of a wireless connection from an authorized user; the attacker then gains access to the resources the legitimate user can access. Man-in-the-middle attacks, in turn, intercept the wireless link and "eavesdrop" on the communications, allowing attackers to obtain sensitive information in transit, including confidential data, passwords and other such information. Secure WLAN solutions must address these two common threats.


While there are many Wi-Fi capable routers and access points on the market, many of these do not have sufficient built-in security or administration features for an enterprise deployment. Entry-level routers often are only suitable for a home or SOHO setup, and they may lack sufficient security for even these types of usage. Where such features are lacking in the device, it is possible to compensate with additional third-party solutions, but ideally an SMB should select an easy-to-deploy and easy-to-manage solution that provides all the benefits of WLAN technology with strong security.

Wireless Data Privacy

When shopping for a suitable solution, the router’s encryption technology is the most basic security feature an SMB should examine. Data encryption is used to protect messages from unauthorized viewing in case they are intercepted in the air. Wi-Fi routers often support the following wireless confidentiality mechanisms:

  • WEP
  • WPA (AES or TKIP)
  • IPSec (3DES or AES)

Older authentication protocols (especially their key exchange methods) are more vulnerable to attack than newer methods. Routers may include these older encryption methods for compatibility with previously installed wireless equipment. Depending on specific needs, stage of implementation and deployment scenario, administrators may choose between the minimal security of WEP-PSK and maximum protection using a variant of WPA-TKIP or WPA-AES with IEEE 802.1X and both client-side and server-side certificates, where feasible. By supporting the older security mechanisms, devices allow older clients to be migrated to the newer protocols gradually.

Premises Insecurity

Securing a wireless network poses different challenges that are harder to overcome than those faced in a wired environment. This is due to the fact that physical access cannot be controlled as it can be in a classical wired network. For example, access to the wiring closet and switching infrastructure can be closely watched and restrictions easily achieved. To the contrary, it is virtually impossible to control physical access to a wireless network because data flows over public airwaves. Anyone with a wireless NIC and makeshift antenna can gain access to your network from hundreds of feet away. To protect wireless networks, organizations need layers of security to restrict access and keep information confidential. The first step to implementing a secure WLAN should be to isolate it from the rest of the network. By separating the WLAN, the effectiveness of access control is improved because wireless users are isolated from the rest of the network. In larger deployments with multiple coverage areas, the large WLAN can be broken down into smaller segments to achieve further isolation. Segmenting the network in this way will help contain broadcast traffic and excessive bandwidth consumption. In addition, it makes it easier to contain Denial of Service (DoS) attacks.

Security Zoning

Some devices provide a zone based architecture that allows the physical interfaces, including the wireless access point, to be used in various configurations to build a security policy that fits the needs of any small office. Security zones allow the network administrator to separate users by physical or logical port. When traffic is required to cross a zone boundary, a security policy is enforced. Traffic within a zone may also have a security policy applied. Each zone-to-zone boundary may have a unique policy, meaning that a single device can support numerous policies.

(Not all devices support zoning. It is possible to simulate zoning by deploying four or more individual wireless routers, but such a setup would be more difficult to manage and still not be as secure as a wireless device with zoning capability.)

Each of the SSIDs available in a device is associated with a zone, which correlates to a level of trust. SSIDs can be assigned different security levels by mapping them to the various fixed port modes available in the device. For example, one wireless zone may require no authentication and would be associated with the "Wireless1" zone, while a second wireless zone could require the strong authentication of EAP-TTLS over 802.1X and would be associated with the "Wireless2" or trust zone. The same concept can be applied to the data privacy method used, on a per-wireless-zone basis. By segmenting wireless users into these zones, one security policy may be built for wirelessly attached users attempting to access resources within the office, while another policy can be used for users attempting to access resources on the Internet. By providing multiple SSIDs, each with a different level of trust associated with it, complex security policies can be created which grant untrusted wireless users a restricted level of access to resources, while authenticated (thus more trusted) users may access more resources.

By assigning different trust levels to each zone and associating wireless users to various zones, multiple levels of access or permission can be easily achieved.

The trusted zone contains the primary business computers. One of the SSIDs maps to this trusted zone, which is also used by local employees with mobile devices such as PDAs. For a wireless user to gain access to this zone, they should use WPA with IEEE 802.1X authentication. In other words, they must authenticate securely, have a user ID and password on the system and use strong encryption for the data they send over the air. A second zone, the DMZ, might contain a publicly accessible printer, server and desktop PC. A flexible security policy can be designed such that the DMZ is accessible from only select wireless SSIDs. This prevents attacks on the DMZ from the "open" wireless interface. A third zone (Wireless1) might be used by visiting employees and vendors to access limited resources at the local facility, such as inventory data. This zone requires users to utilize WPA-PSK and affords them access to the DMZ and the untrusted (Internet) zone. Finally, a fourth zone (Wireless2) can be used for visitors or customers that have no reason to access any internal resources; these users might be using this wireless zone as a public Internet hotspot, for example. From this zone, which requires no authentication, users may only access the untrusted zone. For added protection the SSIDs should not be broadcast for the trust, DMZ and Wireless1 zones; for Wireless2, however, the SSID can be announced so that anyone may easily gain access to the Internet. Additionally, a second instance of a DHCP server could be configured for the Wireless1 zone, ensuring that the Wireless1 and Wireless2 zones do not share any IP address range, further thwarting attack. The availability of multiple zones and SSIDs, and specific security policies for inter-zone communication, provide numerous highly flexible security options for the security administrator.

The radio hardware

SMBs considering wireless devices should look into the design of the radio hardware. Some devices (with multiple security zones) have radios that each have their own processors, so wireless functionality such as beacon control and AES encryption is accelerated and does not impact the operation of the wired portion of the network in any way. The radio characteristics may also differ, typically in the antenna fitted:

  • Standard antenna providing good coverage with smooth lobes
  • External omni-directional antenna providing coverage at longer distances
  • External directional antenna, which can be used to keep the signal from straying beyond the premises and ensure excellent signal coverage in a limited area

Ideally, the device should also include simple site survey information in a web-based user interface to ensure proper use of the RF spectrum.

Authentication

Once segmented, users should be authenticated to achieve a more secure WLAN. The basic authentication standard that most wireless access points (APs) use is 802.1X, which was originally designed for link-level (Layer 2) authentication. This authentication has since been adopted by the WLAN industry as the standard for authentication of wireless users. Because 802.1X was designed for link-level authentication, it doesn't understand how to authenticate traffic at the IP layer, meaning it doesn't take the IP address into consideration when making decisions on what type of traffic to allow. It was designed to let users onto the network, not to control where in the network they are allowed to go. This results in a very inflexible, black-and-white decision: either a user is permitted access to the entire network or denied access altogether, making it impossible to provide the detailed access control that is needed to limit access to network resources. With 802.1X, one cannot specify which network resources specific users or groups of users are permitted to access, which means that once a user is on the network, they can access all resources. Additionally, 802.1X, when used with the 802.11a/b wireless Ethernet standards, is very easy to circumvent using rudimentary mechanisms such as the session-hijacking and man-in-the-middle attacks described above.

Enterprises deploying WLANs should implement a granular access control system, such as those provided by firewalls, to achieve the level of access control and authorization that is needed to protect critical resources. With a firewall, access can be limited to certain network resources or subnets, based on username or user-group membership. This means that a user will only be granted access to the appropriate resources, rather than the all-or-nothing approach of 802.1X. This authentication system should be supplemented by the encryption of passwords to protect against unauthorized users stealing the password and gaining access to the network. Mature firewall technologies will also provide protection against the aforementioned session hijacking and man-in-the-middle attacks.

Data Confidentiality

Encryption should also be used to maintain the privacy of the information and reduce the risk that the content can be viewed and understood by anyone. Wired Equivalent Privacy (WEP) is the encryption standard used by most APs to encrypt traffic across the WLAN. While WEP does allow for 128-bit keys, which are traditionally viewed as secure, it is vulnerable because of the way these keys are generated. Instead of random, non-sequential numbers, most APs use sequential, predictable numbers when generating WEP keys, making the keys easy to guess and circumvent. Access-point vendors have attempted to resolve WEP's weaknesses, either by refreshing WEP keys periodically, which brings questionable results because the keys themselves are still insecure, or by using the 802.1X protocol to distribute the keys, which requires considerable configuration effort by an administrator and additional products. The latter solution requires an 802.1X-compliant RADIUS server to generate and transmit WEP keys for users, and corresponding client software to be deployed to all wireless users, resulting in more software to deploy, configure and manage on an ongoing basis.
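Bringing together the four-zone design from the Security Zoning section and the per-user-group firewall rules described above, here is an added example (not code from the article or from any vendor product) that models the decision a zone-aware firewall makes for one wireless client. The zone names and the authentication each SSID demands follow the article; the SSID names, user groups and resource subnets are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# SSID -> (zone it places the client in, authentication it demands).
# Zones and methods follow the article; the SSID names are constructed.
SSID_ZONE_AUTH = {
    "corp":     ("trust",     "wpa-802.1x"),  # employees, hidden SSID
    "partners": ("wireless1", "wpa-psk"),     # visiting staff and vendors, hidden
    "hotspot":  ("wireless2", "open"),        # customers, broadcast SSID
}

# Source zone -> destination zones it may reach at all (the article's rules:
# Wireless1 reaches only the DMZ and the Internet, Wireless2 only the Internet).
ZONE_POLICY = {
    "trust":     {"trust", "dmz", "untrusted"},
    "wireless1": {"dmz", "untrusted"},
    "wireless2": {"untrusted"},
}

# Constructed resources: subnet, owning zone, and the user groups allowed to
# reach it (None = any client the zone policy already admits).
RESOURCES = {
    "finance-servers": (ip_network("10.0.1.0/24"),   "trust",     {"finance"}),
    "inventory-db":    (ip_network("10.0.2.0/24"),   "dmz",       {"staff", "vendors"}),
    "public-printer":  (ip_network("10.0.2.100/32"), "dmz",       None),
    "internet":        (ip_network("0.0.0.0/0"),     "untrusted", None),
}


def port_based_decision(authenticated):
    """The link-layer 802.1X view the article contrasts with: all or nothing."""
    return "allow-all" if authenticated else "deny-all"


def classify(dst):
    """Return (name, zone, groups) of the most specific resource containing dst."""
    addr = ip_address(dst)
    hits = [(net.prefixlen, name, zone, groups)
            for name, (net, zone, groups) in RESOURCES.items() if addr in net]
    _, name, zone, groups = max(hits, key=lambda h: h[0])
    return name, zone, groups


def decide(ssid, auth_used, groups, dst):
    """Zone-aware firewall decision for one wireless client and destination.

    Checks, in order: the SSID's authentication requirement, the zone-to-zone
    policy, and finally the user-group restriction on the specific resource.
    """
    if ssid not in SSID_ZONE_AUTH:
        return "deny", "unknown SSID"
    zone, required = SSID_ZONE_AUTH[ssid]
    if auth_used != required:
        return "deny", f"{ssid} requires {required}"
    name, dst_zone, allowed = classify(dst)
    if dst_zone not in ZONE_POLICY[zone]:
        return "deny", f"{zone} may not reach {dst_zone}"
    if allowed is not None and not set(groups) & allowed:
        return "deny", f"{name} limited to groups {sorted(allowed)}"
    return "allow", f"{zone} -> {name}"
```

Unlike `port_based_decision`, which can only admit or refuse the whole network, `decide` lets an unauthenticated hotspot user reach the Internet while still refusing that same user the DMZ printer one subnet away.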

Virtually Private

The intrinsic weakness of WLAN encryption can be mitigated with the strong protection offered via virtual private networking (VPN) technology originally developed for wired infrastructure. VPN solutions take the form of either site-wide IPSec techniques, or per-session SSL-based VPN systems. While IPSec VPN solutions are easier to deploy, the ideal solution is with SSL VPN technology as it gives the best isolation between users connecting to the network. The ideal wireless router should incorporate some form of VPN technology in an integrated manner.

Conclusion

While WLANs empower SMBs with significant business advantages, these benefits must be tempered with the use of security technologies to ensure that only the appropriate people can gain access to the organization’s valuable resources. In deploying WLANs, it is important to consider access, authorization, confidentiality, data integrity and attack containment. When SMBs are able to leverage WLANs to bolster their success, the chances are higher these SMBs can expand into larger organizations with the resources to more fully develop customized WLAN security solutions that help pave the way for continued success.

Nagendra Venkaswamy

The writer is Managing Director (India and SAARC), Juniper Networks.
