By Lisa Phifer
Wireless LANs (WLANs) are by nature hard to contain. Radio signals travel beyond customer premises in ways that are difficult to predict, and unwanted connections can easily escape notice. For these reasons, no WLAN should be installed without security. And yet, most wireless products arrive with security disabled. Value-added resellers (VARs) and integrators can add considerable value by activating built-in security and integrating third-party security to fill gaps. In this checklist, we describe 10 steps to accomplish these goals for wireless LAN security.
Document a wireless security policy
Customers must define their needs so that you can implement wireless LANs that meet them. This is just as true for security as it is for coverage and capacity. You can play a vital role in determining security needs by asking the right questions and documenting your customer's answers. If your customer has already defined a security policy, you're way ahead of the game. If not, work with your customer to complete a wireless security policy template that can guide your WLAN implementation.
Break the wireless network into SSIDs
Once you've documented a wireless security policy, put that policy to work by breaking your customer's wireless LAN into named networks that reflect differing security needs. For example, many customers want to let guests access the Internet without jeopardizing employees. These groups can share the same physical WLAN but should be compartmentalized into separate networks, named by Service Set Identifiers (SSIDs). Avoid factory default SSIDs or values like "Accounting" that could lead hackers to target your customer's WLAN. Don't disable SSID broadcasting -- hiding the name can't stop hackers (clients still transmit it in probe requests, where anyone with a sniffer can read it) and just makes life harder for legitimate users.
Implement access controls
Guest networks may be open, but access to all other WLANs should be constrained using 802.1X Port Access Control, pre-shared keys (PSKs), WEP keys, MAC Access Control Lists (ACLs), and/or captive portals. Use captive portals where customers have no control over client devices (e.g., hotspots). Use 802.1X in business WLANs where individual user authentication is required. Use PSKs in smaller WLANs where everyone deserves the same level of trust and 802.1X is impractical. Avoid WEP or MAC ACLs unless devices are so limited that no other options exist (e.g., barcode scanners): MAC addresses are trivially spoofed and WEP keys can be recovered in minutes with freely available tools, so neither will keep out a determined attacker. Add value by explaining these wireless access control options, where and when they are appropriate, their strengths and weaknesses and their administrative impacts.
Deploy authentication credentials
Typically, clients must authenticate before they can send traffic, but deploying logins and keys can be challenging. To overcome this, help your customer establish a process for credential management. For example, help a small business choose a strong PSK (the passphrase is salted only with the SSID, so a short or dictionary passphrase can be cracked offline from a single captured handshake) and distribute it using the Windows Wireless Network Setup Wizard. Or help an enterprise choose an 802.1X authentication method that integrates with Active Directory to reuse domain logins. Even MAC ACLs require a client inventory that you could help create.
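The connection between SSID choice (see "Break the wireless network into SSIDs") and PSK strength described above, as an added example that is not from the original article: the passphrase-to-PSK mapping that 802.11i Annex H specifies (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt), a tiny constructed wordlist standing in for an attacker's dictionary, and a precomputed table for a hypothetical factory-default SSID "linksys" to show why a unique SSID and a long random passphrase both matter. The passphrase "password" / SSID "IEEE" vector is the published Annex H test vector; "acme-7f3a" and the wordlist contents are made up for illustration.

```python
import hashlib
import math
import secrets
import string

PBKDF2_ITERATIONS = 4096   # fixed by 802.11i Annex H
PSK_LEN_BYTES = 32         # 256-bit pairwise master key

# Constructed stand-in for an attacker's dictionary (not a real wordlist).
COMMON_PASSPHRASES = ["password", "letmein1", "qwerty123", "12345678", "iloveyou"]


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Map a WPA/WPA2-Personal passphrase and SSID to the 256-bit PSK.

    802.11i allows either a 64-digit hex PSK (used as-is) or an 8..63 character
    printable-ASCII passphrase run through PBKDF2-HMAC-SHA1 with the SSID as the
    salt. Because the SSID is the only salt, every network that keeps a factory
    default name shares a single precomputation target.
    """
    if len(passphrase) == 64 and all(c in string.hexdigits for c in passphrase):
        return bytes.fromhex(passphrase)
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters (or 64 hex digits)")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes,
                               PBKDF2_ITERATIONS, PSK_LEN_BYTES)


def precompute_table(ssid: str, wordlist) -> dict:
    """What an attacker does once per common SSID: PBKDF2 costs 4096 HMACs per
    guess, so tables for default names like "linksys" are built ahead of time
    and reused against every network that kept that name."""
    return {derive_psk(word, ssid): word for word in wordlist}


def lookup_passphrase(table: dict, psk: bytes):
    """Recover the passphrase if the PSK (verified from a captured 4-way
    handshake) is in the table; None means the table was wasted effort."""
    return table.get(psk)


def passphrase_entropy_bits(passphrase: str) -> float:
    """Rough strength estimate: log2(alphabet) per character, where the alphabet
    is the union of character classes actually used. Fine for ranking choices."""
    alphabet = 0
    if any(c.islower() for c in passphrase):
        alphabet += 26
    if any(c.isupper() for c in passphrase):
        alphabet += 26
    if any(c.isdigit() for c in passphrase):
        alphabet += 10
    if any(c in string.punctuation or c == " " for c in passphrase):
        alphabet += len(string.punctuation) + 1
    return len(passphrase) * math.log2(alphabet) if alphabet else 0.0


def generate_passphrase(length: int = 20) -> str:
    """Random passphrase from a CSPRNG; retries until lower, upper and digits
    all appear so the estimate above is the full 62-symbol alphabet."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)):
            return candidate


if __name__ == "__main__":
    table = precompute_table("linksys", COMMON_PASSPHRASES)
    victim_psk = derive_psk("letmein1", "linksys")          # default SSID, weak passphrase
    print("default SSID:", lookup_passphrase(table, victim_psk))
    renamed_psk = derive_psk("letmein1", "acme-7f3a")        # same passphrase, unique SSID
    print("unique SSID: ", lookup_passphrase(table, renamed_psk))
    strong = generate_passphrase()
    print("suggested:", strong, f"(~{passphrase_entropy_bits(strong):.0f} bits)")
```

Renaming the SSID only defeats precomputed tables; an attacker can still run the dictionary against a captured handshake for that one network, which is why the second half of the fix is a passphrase long enough that the dictionary never reaches it.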
Encrypt wireless data
Anything sent over the air can be captured by anyone within radio range unless encryption is used to scramble data at the transmitter and unscramble it at the receiver. Whenever possible, turn on Wi-Fi Protected Access version 2 (WPA2), which uses the Advanced Encryption Standard (AES-CCMP). When dealing with old devices, it may be necessary to fall back to TKIP (the older WPA cipher) or even WEP (the broken 802.11 cipher). Some customers may not want wireless encryption -- typically, this applies to guest WLANs and business networks where IPsec or SSL already protect the traffic end to end. Add value by explaining encryption options, including advanced features like master key caching and key refresh.
Harden WLAN infrastructure
Like any device exposed to an untrusted network, wireless access points and controllers must be hardened against attack. Start with the hardening techniques commonly used on routers and firewalls, like eliminating default logins and unused ports and applying security patches. Search the Wireless Vulnerabilities and Exploits database for bugs in products used by your customer's WLAN, and use vulnerability assessment tools to scan for remaining weaknesses.
Defend wireless clients
Wireless clients also need to be defended against attacks and the consequences of mistakes like wireless LAN file sharing and accidental connections. Help your customers apply wired/Internet endpoint security and management techniques to wireless clients -- for example, using Windows Group Policy Objects to configure WLAN settings. Where gaps exist, suggest third-party tools that could benefit both wireless and wired clients. Potential up-sell opportunities include endpoint security products, network access control solutions, connection managers and mobile VPN clients.
Monitor wireless traffic
Customers are naturally fearful about traffic that cannot be seen. Help them find unauthorized wireless devices, known as rogues, by scanning their building with a WLAN discovery tool. Better yet, deploy a full-time wireless intrusion detection or prevention system (WIDS/WIPS) to watch the airwaves and report on security threats, misconfigured devices and policy violations. Wireless newcomers often need help understanding WIDS alerts and reports.
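The inventory comparison at the heart of rogue detection, as an added example that is not from the original article or any WIDS product: each BSS seen in a survey is checked against the customer's list of authorized access points and sorted into authorized, misconfigured, evil twin (unknown radio advertising a corporate SSID), on-premises rogue, or off-premises neighbor. The inventory, the scan results and the -65 dBm "probably inside the building" threshold are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ObservedAP:
    """One BSS as reported by a survey tool or WIDS sensor."""
    bssid: str
    ssid: str
    channel: int
    security: str      # "open", "wep", "wpa-tkip", "wpa2-psk", "wpa2-eap"
    rssi_dbm: int


# Constructed inventory for a hypothetical customer: BSSID -> (SSID, required security).
AUTHORIZED: Dict[str, Tuple[str, str]] = {
    "00:11:22:33:44:01": ("acme-corp", "wpa2-eap"),
    "00:11:22:33:44:02": ("acme-guest", "open"),
    "00:11:22:33:44:03": ("acme-corp", "wpa2-eap"),
}
CORPORATE_SSIDS = {ssid for ssid, _ in AUTHORIZED.values()}

# Assumption: anything heard louder than this is inside the customer's walls.
ON_PREMISES_RSSI_DBM = -65


def classify(ap: ObservedAP) -> Tuple[str, str]:
    """Return (verdict, detail) for one observed BSS."""
    bssid = ap.bssid.lower()
    expected = AUTHORIZED.get(bssid)
    if expected is not None:
        exp_ssid, exp_sec = expected
        if ap.ssid != exp_ssid:
            return "misconfigured", f"authorized AP advertising unexpected SSID {ap.ssid!r}"
        if ap.security != exp_sec:
            return "misconfigured", f"{ap.ssid!r} should be {exp_sec}, saw {ap.security}"
        return "authorized", "matches inventory"
    # Unknown radio from here on: the SSID it advertises decides how bad that is.
    if ap.ssid in CORPORATE_SSIDS:
        return "evil-twin", f"unknown BSSID advertising corporate SSID {ap.ssid!r}"
    if ap.rssi_dbm > ON_PREMISES_RSSI_DBM:
        return "rogue", f"unknown AP {ap.ssid!r} at {ap.rssi_dbm} dBm, likely on premises"
    return "neighbor", f"unknown AP {ap.ssid!r} at {ap.rssi_dbm} dBm, likely off premises"


def audit(scan: List[ObservedAP]) -> Dict[str, List[str]]:
    """Bucket BSSIDs by verdict and note authorized APs that were not heard at all
    (a dead radio or one someone unplugged to make room for their own)."""
    report: Dict[str, List[str]] = {}
    seen = set()
    for ap in scan:
        verdict, _ = classify(ap)
        report.setdefault(verdict, []).append(ap.bssid.lower())
        seen.add(ap.bssid.lower())
    missing = sorted(set(AUTHORIZED) - seen)
    if missing:
        report["missing"] = missing
    return report


# Constructed scan results; nothing here was captured from a real network.
SAMPLE_SCAN = [
    ObservedAP("00:11:22:33:44:01", "acme-corp", 1, "wpa2-eap", -58),
    ObservedAP("00:11:22:33:44:02", "acme-guest", 6, "open", -61),
    ObservedAP("00:11:22:33:44:03", "acme-corp", 11, "wpa2-psk", -70),   # auth changed
    ObservedAP("AA:BB:CC:DD:EE:01", "acme-corp", 6, "wpa2-psk", -50),    # evil twin
    ObservedAP("aa:bb:cc:dd:ee:02", "linksys", 6, "open", -45),          # employee's AP
    ObservedAP("aa:bb:cc:dd:ee:03", "NETGEAR-5G", 36, "wpa2-psk", -82),  # next door
]

if __name__ == "__main__":
    for ap in SAMPLE_SCAN:
        verdict, detail = classify(ap)
        print(f"{ap.bssid:<18} {verdict:<13} {detail}")
    print(audit(SAMPLE_SCAN))
```

A real WIDS adds what a one-off survey cannot: wired-side correlation (is the rogue's traffic showing up on the customer's LAN?), which turns "unknown AP, strong signal" into "unauthorized bridge into the corporate network" and is what justifies the automated containment discussed under the next step.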
Prevent wireless intrusions
Initially, customers may be uncomfortable responding to threats automatically. However, the only way to react in a timely manner and stop high-risk connections is to enable WIPS prevention. You can add value by helping customers understand the consequences of these features, how to configure them and how to use locationing to eliminate intruders.
Enforce network security
Finally, wireless LAN security deserves extra attention, but it is just one part of a bigger picture. Help customers determine how wireless traffic should be contained inside the wired network -- for example, mapping SSIDs or 802.1X authentication results to VLAN tags so that guest and employee traffic stay separated after it leaves the access point. Recommend ways to integrate wireless APs and controllers with syslog servers and network management systems. Melding wireless and wired security not only leverages existing skills and infrastructure, but promotes consistency in management and use.
About the author
Lisa Phifer owns Core Competence Inc., a consulting firm specializing in network security and management technology. Lisa has been involved in the design, implementation and evaluation of data communications, internetworking, security and network management products for over 20 years. At Core Competence, she has advised large and small companies regarding security needs, product assessment and the use of emerging technologies and best practices.
This was first published in April 2008