ITPRC NEWS - January, 2002 - http://www.itprc.com/
Wireless LAN “In”security
By Irwin Lazar
In last month’s ITPRC newsletter I wrote a bit about the promise of wireless LANs, and how that promise is hindered by issues relating to security. In this month’s column, I’ll talk about methods and technologies that network architects and managers can use to mitigate these risks and ensure the security of their wireless LAN environments.
Before we get started it is first important to perform an adequate analysis of risk. Security measures deployed must be commensurate with the threat of unauthorized access to wireless networks or malicious capture of wireless LAN traffic.
Securing a wireless LAN can best be thought of as a multi-layer approach. At the lowest layer is securing access to the network through the wireless access point. The goal here is to prevent unauthorized users from gaining access to corporate network resources via the wireless LAN.
At the second layer is security of wireless LAN transmissions. Here the goal is to prevent prying eyes from capturing and decoding packets traversing the wireless LAN.
The final layer of wireless LAN security is the physical security of the corporate data network against deployments of unauthorized wireless LAN access points, either by unknowing internal users or malicious external hackers.
Wireless LAN Architecture
Network managers must understand that no matter what one does to secure a wireless network, short of installing lead walls nothing will keep wireless signals from propagating outside facilities, or prevent unauthorized signals from entering. Wireless LAN security starts with an architecture that assumes that attacks will occur, and that those attacks will be successful. The best way to approach wireless LAN architecture is therefore to isolate the wireless LAN from the rest of the network by placing all access points outside of the corporate firewall. That way, unauthorized users of the wireless network have the same access to corporate information resources as individuals attempting to access the corporate network via the Internet.
Securing the Access
As many recent trade press stories of “war driving” highlight (see: http://www.securityfocus.com/news/192), with a freeware sniffer it is generally easy to drive around office parks and major metropolitan areas and not only detect, but gain access to, unsecured wireless LANs. In many cases, network managers have not even deployed the most basic security mechanisms, such as setting a unique, hard-to-guess network name or even changing the default configuration password of the access point.
Securing the access layer is therefore the most important “first step” in securing the overall wireless LAN. First off, network managers must set a unique SSID on all base stations. Next, network managers should make use of MAC address filters, which only allow access point connections from authorized MAC addresses. Then, organizations should deploy wireless LAN authentication protocols such as 802.1x, or proprietary solutions such as Cisco LEAP. These protocols manage client authentication, requiring users to be authenticated via systems such as RADIUS servers, and may also require periodic reauthentication. In addition to 802.1x and LEAP, several other proprietary products and methods exist. As part of your hardware evaluation, pay special attention to the capabilities offered by your vendor.
Regardless of the chosen solution, network managers should also deploy management systems and intrusion detection systems that allow them to quickly discover and respond to attacks on the wireless network.
Securing the Transmissions
We’ve all heard the stories of how easy it is to crack the “Wired Equivalent Privacy” standard (WEP). A recent study by the University of California at Berkeley noted the inherent weakness in the WEP encryption algorithms. Thus, enterprises shouldn’t rely on WEP to protect sensitive data, though WEP can be used by enterprises seeking simply to make their networks more difficult for the average hacker to sniff.
Given the problems with WEP, there are a couple of different alternatives that network managers should evaluate. The first method is treating wireless LAN users the same as those accessing the corporate data network via the Internet. This implies the use of an encrypted VPN using a client-server approach. For those without a client-based VPN, many vendors offer proprietary extensions to WEP that allow for dynamic key generation and also provide other enhancements to WEP to increase overall wireless LAN security. Again, check with your vendors to determine their ability to provide “better than WEP” security.
Securing the Physical Network
The final area of wireless LAN security is preventing unauthorized deployment of wireless LAN access points on the network. In most cases, deployments aren’t malicious - rather an unsuspecting user deploys an access point for their own use. Preventing these deployments is possible through the use of 802.1x on LAN switches, since 802.1x requires user authentication to gain access to the data network. In addition, network managers can monitor SNMP traffic for illicit access points, and can even deploy 802.11b sniffers to detect unauthorized access point transmissions.
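One way to act on the sniffer-based detection described above, as an added example that is not part of the original column: the script compares beacons observed by an 802.11 sniffer (constructed sample records here, not a real capture) against an inventory of sanctioned access points, and flags unknown radios, unknown radios impersonating the corporate SSID, sanctioned radios advertising the wrong network name, and factory-default SSIDs that nobody configured. The inventory, SSIDs and MAC addresses are all assumed sample values.

```python
from dataclasses import dataclass

# Constructed inventory of sanctioned access points: BSSID -> SSID it should advertise.
# Locally administered (02:...) addresses are used to mark these as sample values.
AUTHORIZED_APS = {
    "02:00:00:00:00:01": "corp-wlan",
    "02:00:00:00:00:02": "corp-wlan",
}

# Factory-default network names that suggest an access point left in its shipped
# configuration (sample list for this example, not exhaustive).
DEFAULT_SSIDS = {"tsunami", "linksys", "default"}

@dataclass(frozen=True)
class Beacon:
    bssid: str    # radio MAC address of the access point
    ssid: str     # network name it advertises
    channel: int  # 802.11b channel the beacon was heard on

def classify(beacon, authorized=AUTHORIZED_APS):
    """Return a verdict string for a single observed beacon."""
    bssid = beacon.bssid.lower()
    if bssid in authorized:
        # Known radio: check it still advertises the SSID we expect.
        return "authorized" if authorized[bssid] == beacon.ssid else "misconfigured"
    if beacon.ssid in authorized.values():
        return "impersonation"          # unknown radio using our network name
    if beacon.ssid.lower() in DEFAULT_SSIDS:
        return "rogue-default-config"   # unknown radio, never configured
    return "rogue"                      # unknown radio, unknown network

def detect_rogues(beacons, authorized=AUTHORIZED_APS):
    """Map each non-authorized BSSID to (verdict, ssid, channel); duplicates collapse."""
    findings = {}
    for b in beacons:
        verdict = classify(b, authorized)
        if verdict != "authorized":
            findings[b.bssid.lower()] = (verdict, b.ssid, b.channel)
    return findings

# Constructed sample scan: two sanctioned APs (one heard twice), an unknown radio
# advertising the corporate SSID, a default-config AP, and a user's personal AP.
SAMPLE_SCAN = [
    Beacon("02:00:00:00:00:01", "corp-wlan", 1),
    Beacon("02:00:00:00:00:02", "corp-wlan", 6),
    Beacon("02:00:00:00:00:02", "corp-wlan", 6),
    Beacon("02:00:00:00:00:99", "corp-wlan", 11),
    Beacon("02:00:00:00:00:AB", "tsunami", 6),
    Beacon("02:00:00:00:00:CD", "joes-net", 3),
]

if __name__ == "__main__":
    for bssid, (verdict, ssid, ch) in sorted(detect_rogues(SAMPLE_SCAN).items()):
        print(f"{bssid}  ch{ch:<2}  {ssid!r:12}  {verdict}")
```

In practice the beacon list would be fed from the sniffer's output and the inventory from the access-point management system, so that a new BSSID appearing on the floor raises an alert rather than waiting for a manual survey.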
As noted earlier, the level of security of wireless LANs should be commensurate with the resources that you are trying to protect, as well as with other security mechanisms in use. It makes little sense to deploy complex authentication and encryption protocols if there is no risk to the organization from intercepted transmissions, or if all network access is already via encrypted or secure means such as SSL or client-server VPN.
However, most organizations will want to maximize the security of their wireless LANs, especially in light of numerous articles calling the security of wireless LANs into question. Fortunately, a number of tools, protocols, and architectural techniques are available to secure wireless LANs against most current threats. Analyzing, deploying, and managing these tools will require careful evaluation of vendor capabilities and trends.
For More Info:
The ITPRC recently created a section on its “Wireless” page specifically for links to information on Wireless LAN security. Visit it at www.itprc.com/wireless.htm?newsletter
Irwin Lazar is a Senior Consultant for Burton Group where he focuses on strategic planning and network architecture for Fortune 500 enterprises as well as large service providers. He is the conference director for MPLScon and runs The MPLS Resource Center.
Please send any comments about this article to firstname.lastname@example.org
All Content Of This Site Is Copyright 2000-2004 - ITPRC.COM