Offer your customers informed network topology and physical positioning recommendations for access point deployment, and learn to configure incoming and outgoing policies to meet business needs. This tip was originally part of the Wireless Security Lunchtime Learning
series on SearchSecurity.com.
Many installers make the mistake of treating 802.11 WLANs just like Ethernet, placing access points (APs) in locations that facilitate outsider access to corporate networks. But, from a security perspective, WLANs should be treated like the Internet -- a network composed of trusted and untrusted users. This tip offers network topology and physical positioning recommendations for safer AP deployment.
Position mattersAPs with factory-default omni antennas cover an area that's roughly circular, impacted by RF obstacles like walls. It is therefore common to place APs in central locations, or divide an office into quadrants, deploying one AP per cell.
This approach is straight-forward, but may not optimize cost, performance or security. Desired coverage areas are rarely circular. To fill resulting gaps, you may end up purchasing more APs than your customer really needs and "leaking" quite a bit of signal. Site modeling and/or directional antennas can help avoid this.
- Modeling tools try to satisfy user location, density and throughput requirements by combining building material characteristics, AP capabilities and site survey measurements to predict where APs should be placed and verify results. Up-front planning takes more time and effort, but can pay off in the long run, especially for large WLANs. For example, see AirMagnet Surveyor, AirTight SpectraGuard Planner, Network Chemistry RFprotect Survey and Trapeze RingMaster.
- Replacing the AP's "rubber ducky" omni antennas with directional antennas can better focus radiated power where it belongs, improving inside coverage and reducing outside signal leakage.
Physical or logical LAN segmentationNext, prevent wireless LAN traffic from mixing with "other" LAN traffic. Stations connected to your Ethernet LAN form a trusted workgroup. They exchange broadcast/multicast traffic and depend on shared resources like Layer 2 hubs or switches, DHCP servers, DNS servers, and Layer 3 switches or routers. Toss untrusted devices onto that LAN and you're putting everyone at risk. Bad actors can cause broadcast storms, poison ARP caches, chew up IP address pools, etc. This risk can be reduced by physically or logically segregating the APs.
- For example, cable all of your customer's APs to a new Ethernet switch, rather than connecting them to an existing Ethernet switch used by nearby wired devices. Or you cable "thin" APs to a new wireless switch (e.g., Aruba, Cisco, Trapeze) that's responsible for managing and monitoring them. Clumping all APs into one physical LAN is easy to understand, but it does not scale.
- Larger WLANs should create logical workgroups using Virtual LANs (VLANs). VLANs tag packets or ports with identifiers used to control traffic flow. For example, connect your APs to existing Ethernet switch ports, but assign those ports their own new VLAN. You'll probably want at least two new VLANs -- one for AP management and another for wireless users.
Creating network barriersAt some point, WLAN traffic will encounter a network layer device, where it may be forwarded to the public Internet or other internal subnets. This is where many employee-installed APs wreak havoc. Connecting an untrusted device to a trusted subnet creates an unsecured "back door." Security measures enforced at the trusted subnet's "front door" -- firewall rules, VPN tunnels, network antivirus -- are circumvented by stations connected to misplaced APs.
For this reason, wireless APs should always be separated from trusted subnets using some type of network layer policy enforcement device, like:
- VPN gateways
- Wireless gateways and Layer 3 switches
- Network access controllers
When creating a network barrier, consider functions that device must perform. To enforce security policies, you may need access controls (based on MAC, VLAN, IP, port or application traffic inspection), station or user authentication, VPN tunneling (with or without subnet roaming), session accounting, virus scanning, content filtering, intrusion detection/prevention and bandwidth limits. A general-purpose firewall can do much of this, but a wireless gateway or Layer 3 switch may fill this role AND provide 802.11-specific functions like AP discovery, provisioning and RF management. Different barriers may be appropriate for different users -- for example, a Web-based access controller for guests and a VPN gateway for employees.
Finally, no matter which device you choose, configure incoming and outgoing policies to meet business needs and deny everything else. For example, there's probably no reason that SNMP requests, routing messages or DNS zone updates should originate from your customer's WLAN. Granular policies may require more effort to maintain, but can reduce the risk of core network compromise by wireless-borne attacks.
About the author
Lisa Phifer owns Core Competence, Inc., a consulting firm specializing in network security and management technology. Core Competence produces The Internet Security Conference (TISC), an annual symposium for network security professionals. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for nearly 20 years.
This tip originally appeared on SearchSecurity.com.
This was first published in December 2006