How to secure the wireless fortress

Here’s what you must do to protect your WLANs


What’s not to love about wireless local-area networks? The hardware is relatively inexpensive, particularly when compared with the costs of traditional wired network hardware. Moreover, WLAN speeds have improved so much that most users won’t notice a slowdown compared with wired networks’ performance. Finally — and best of all — you get to lose all those pesky wires. So what’s the downside of WLANs? In a word: security. Or rather the lack of it.

Since the passage of the first wireless standards seven years ago, security has been a major thorn in the side of WLAN technology. When vendors tried to conform to the first approved wireless standards, they often produced solutions with disabled security features, default passwords that were easy to subvert, short cryptographic keys and no client authentication — among other problems.

Those early wireless products also lacked decent administration tools and interfaces, which caused many people not to enable security at all. Those factors increased the likelihood that the bad guys would have a pretty easy time accessing your WLAN to piggyback on your Internet connectivity or crack into your wired network. That last point is particularly important, because intruders taking advantage of early wireless configurations — attached to wired networks — could often easily cross your firewall undetected.

If you have existing wireless equipment — access points, client cards, etc. — that you purchased before late 2003, you should wipe out the configuration information and remove them. Those early products used Wired Equivalent Privacy (WEP) to enforce security, and the protocol is insecure.

Standard insecurity
WEP is not secure for several reasons. Every station shares one static key that never changes unless an administrator retypes it on every device. Each packet is encrypted under that key plus a 24-bit initialization vector, a value space so small that a busy network exhausts it in hours and starts reusing key streams. And the way WEP combines the initialization vector with the key before feeding it to the RC4 cipher leaks key bits in certain packets. Someone passively monitoring a wireless network can therefore recover the key from captured traffic alone, and publicly available tools, such as AirSnort, made this practice fairly common at the time.

In late 2002, another wireless acronym, WPA, or Wi-Fi Protected Access, entered the lexicon, largely because of the security issues discovered with WEP. The Institute of Electrical and Electronics Engineers was still working on the proposed 802.11i standard to replace WEP outright, so the Wi-Fi Alliance published WPA as an interim certification based on an early draft of 802.11i. WPA added the Temporal Key Integrity Protocol (TKIP), which wraps WEP's RC4 cipher in per-packet key mixing and a keyed integrity check so that existing hardware could be fixed by firmware, and it added 802.1X-based authentication.

In June 2004, the IEEE ratified the 802.11i standard, and products that the Wi-Fi Alliance certifies as implementing the full standard carry the name WPA2. If your agency has older 802.11g wireless equipment, circa late 2003, those devices may support the early version of WPA. You might be able to update them by applying firmware that brings the device fully into compliance with 802.11i, but only if the radio chipset can run the AES-based cipher that 802.11i mandates; some WPA-era hardware cannot. Check with your wireless vendor or the Wi-Fi Alliance Web site to verify that your existing products, or ones you may be evaluating, fully support the 802.11i security measures.

The 802.11i standard provides more security advantages than earlier wireless protocols do. Its mandatory cipher, CCMP, is built on the Advanced Encryption Standard rather than on WEP's RC4, and TKIP is retained only as an optional transitional mode for older hardware. Just as important, 802.11i replaces WEP's single static key with automatic key management: the master key is never used to encrypt traffic directly. Each time a client associates, it and the access point exchange random values and derive a fresh set of session keys from the master key, and the cipher derives per-packet values from those session keys. The changed values are handled transparently and automatically without administrative intervention, which is a much better setup than the manual key creation that WEP required.

Managing your wireless strategy
The latest wireless standards and protocols provide significant security improvements compared with previous technologies. However, ensuring that your agency is using wireless networking in a secure manner requires additional efforts.

For starters, managers need to define a solid wireless security policy. First, your security policy should identify who may — and may not — use wireless technology in the agency.

Next determine if Internet access is necessary.

Then define who can install, configure and maintain your wireless equipment.

You should also specify the physical security measures you will take to limit access to wireless equipment, such as wireless access points.

Also consider the type of information that you will allow to traverse your wireless network. Write detailed guidelines to define that information and the conditions under which wireless devices can connect to the WLAN.

In your wireless security policy, detail all hardware and software settings and provide specific standards that wireless administrators must adhere to for all wireless devices.

As with the security policy for your traditional, wired LAN, you will need to define a methodology for users to follow if a security breach occurs or someone loses or steals wireless client equipment. You can usually add incident reporting processes for wireless resources to the incident reporting structure you already use for your wired network policy.

As part of your wireless security policy, you should also define the intervals, scope and available tools with which your agency will conduct wireless security assessments. Several wireless security vendors, including Network Chemistry and Bluesocket, have tools that address assessments to ensure compliance and ongoing monitoring.

Finally, your security policy should include education for administrators so that they are aware of innovative technologies and new threats. In addition, you should identify steps for ensuring that all authorized wireless users understand the security policy, wireless usage rules and steps for reporting issues.

Improving security every day
From an operational perspective, wireless technology has some of the same security issues that other technologies do. For example, as with antivirus products, wireless products require patches and firmware upgrades. Administrators must consistently stay on top of those changes and test them before deploying them.

Some security techniques are relatively obvious. Regularly change all passwords and do not use the same passwords throughout the entire agency’s wireless hardware. Use strong passwords. Review audit logs daily.

At regular intervals — quarterly, at a minimum — inventory all wireless equipment, including client devices. Execute regular security assessments using tools that can alert you when device settings are out of agency compliance. Review physical security and your security policy at regular intervals, too. Assign technical staff members the task of staying current on all wireless trends so you can remain alert and vigilant about potential threats.

Deploying wireless technologies will always carry a certain level of risk. The best practices outlined here and in other wireless security documentation, if followed completely, can greatly reduce — but not eliminate — the likelihood of an attack or unauthorized access to your network.

Choosing the right wireless technology
One goal of setting standards for wireless equipment is knowing what you’re buying when you go shopping for wireless network pieces. If you buy an inexpensive wireless client at Office Depot that supports the 802.11i security standard, you can rest assured that it will work with your compatible access point that also supports that standard, regardless of the manufacturer.

But standards such as 802.11i establish only a floor, not a ceiling. Any 802.11i equipment must meet certain requirements specified in the standard, but specific brands of equipment could exceed those standards.

That’s why the majority of agencies will likely want to consider forgoing the immediate savings of discounted consumer equipment in favor of purchasing products from enterprise suppliers.

With enterprise wireless technologies from companies such as Cisco Systems and other network suppliers, the solutions provide additional tools designed for integrating, monitoring and managing larger installations. Although agencies might be able to integrate equipment from consumer-oriented equipment vendors, they likely would never reach the level of integration with management tools offered by enterprise vendors.

Biggs, a senior engineer and freelance technical writer based in northern California, is a Federal Computer Week analyst. She can be reached at maggiebiggs@acm.org.

9 technical considerations

In addition to creating an agencywide wireless security policy, you should complete several technical tasks to ensure security best practices for your wireless local-area network. Aside from physically securing wireless equipment, here are some other best practices.

  • Passwords: Each wireless access point should have a unique administrator password. Do not use the same password or a sequence of incremental passwords across all access points. Moreover, your password should not be anything close to a real word — include several special characters and numbers in the password.

  • Protocols: Turn off or remove, if possible, any unused protocols on the access point. For example, if your access point supports Simple Network Management Protocol versions 2 and 3 and you only need Version 3, turn off SNMP Version 2. Configure all protocols to minimize privileges for users unless there is a valid reason for a specific user to have expanded permissions.

  • Pre-802.11i: Inventory all existing wireless equipment in the agency for access points or client hardware that support Wired Equivalent Privacy and other earlier standards and protocols. In hardware that supports WEP and Wi-Fi Protected Access, disable WEP. Hardware that does not fully support 802.11i should be removed.

  • Logging and monitoring: Turn on logging for all wireless hardware and direct its output to a centralized logging server on which security employees can monitor and detect potential issues. As wireless technology has matured, monitoring capabilities have also improved. Agencies should install a wireless intrusion-prevention solution, such as AirDefense Enterprise.

  • Trust no one: By default, many wireless solutions assume an already trusted relationship between clients and access points and among access points. Enable authentication and ensure that it is mutual: with 802.1X, the client must validate the authentication server's certificate as well as prove its own identity. A client that skips that check will hand its credentials to any rogue access point that advertises your network name.

  • Timeouts: Carefully tune parameters that affect the length of a session or connection for your environment. In general, shorter is better. For example, if you have agency employees using wireless throughout the day and they break for lunch at noon, set a maximum timeout value of about four hours. Employees returning from lunch can then establish a new session. Set the timeout to be as short as is practical to increase security without making the arrangement unworkable for employees.

  • Authorized methods only: Your agency’s security policy should define the authentication and encryption methods that are standard for your organization. Many wireless products support multiple types of authentication and encryption. Disable any authentication and encryption algorithms that your policy does not define.

  • Mode: Most wireless clients support ad hoc (peer-to-peer) mode as well as infrastructure mode. Ad hoc mode lets two or more clients network directly with no access point in between, so it is a client setting rather than an access point setting. Unless there is a compelling business need for it, configure client devices for infrastructure mode only and disable ad hoc networking where the driver or management software allows. This increases administrative control and reduces the likelihood that an intruder could reach your network by connecting directly to a client on it.

  • Defaults and naming: Avoid deploying a wireless network with the default settings in place. Most vendors ship defaults such as their company name for the network name (SSID) and other parameters; change those right away to something meaningful. Don't make the name of your access point "Accounting," for example. Instead, consider a naming convention such as department, location and access point number: instead of "Accounting," you might have "BeanCounters_5th_Floor_AP01". A unique SSID has one concrete security benefit when you use pre-shared keys: the WPA/WPA2 key is derived from the passphrase and the SSID together, so a non-default name defeats precomputed key tables built for common default SSIDs. Do not count on the name itself as a secret, though; access points broadcast the SSID in the clear in their beacon frames.
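The logging-and-monitoring, pre-802.11i and trust-no-one items above all come down to watching centralized access point logs for conditions your policy forbids. The script below is an added example, written for this page rather than taken from the article or from any vendor's product. It applies three checks to a batch of log lines: a burst of failed 802.1X/EAP authentications from one client, a radio advertising one of your SSIDs that is not in your access point inventory (a rogue or "evil twin"), and one of your own radios still offering WEP, TKIP or open access. The log format, the sample lines, the inventory and the threshold are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in a generic "<ap> <event> key=value ..." syslog
# style; this is not any vendor's real log format.
SAMPLE_LOGS = """\
ap01 assoc client=00:11:22:33:44:01 ssid=BeanCounters_5th_Floor result=ok
ap01 eap-auth client=00:11:22:33:44:02 ssid=BeanCounters_5th_Floor result=fail
ap01 eap-auth client=00:11:22:33:44:02 ssid=BeanCounters_5th_Floor result=fail
ap01 eap-auth client=00:11:22:33:44:02 ssid=BeanCounters_5th_Floor result=fail
ap01 eap-auth client=00:11:22:33:44:02 ssid=BeanCounters_5th_Floor result=fail
ap01 eap-auth client=00:11:22:33:44:02 ssid=BeanCounters_5th_Floor result=fail
ap01 eap-auth client=00:11:22:33:44:02 ssid=BeanCounters_5th_Floor result=fail
ap02 scan bssid=aa:bb:cc:dd:ee:02 ssid=BeanCounters_5th_Floor security=WPA2-CCMP
ap02 scan bssid=de:ad:be:ef:00:01 ssid=BeanCounters_5th_Floor security=WPA2-CCMP
ap02 scan bssid=aa:bb:cc:dd:ee:03 ssid=Warehouse security=WEP
ap02 scan bssid=12:34:56:78:9a:bc ssid=CoffeeShop security=OPEN
garbage
"""

# Assumed inventory (hypothetical): radio MACs of the agency's own access
# points and the SSIDs they are allowed to advertise.
AUTHORIZED_BSSIDS = {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02", "aa:bb:cc:dd:ee:03"}
AGENCY_SSIDS = {"BeanCounters_5th_Floor", "Warehouse"}
FAILED_AUTH_THRESHOLD = 5            # failures from one client before alerting
WEAK_SECURITY = ("WEP", "TKIP", "OPEN")

LINE_RE = re.compile(r"^(?P<ap>\S+)\s+(?P<event>\S+)\s*(?P<fields>.*)$")


def parse_line(line: str):
    """Split one log line into a dict; returns None for lines that don't fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {"ap": m.group("ap"), "event": m.group("event"), **fields}


def analyze(log_text: str):
    """Run three compliance checks over the log and return (kind, subject) alerts."""
    failures = Counter()
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["event"] == "eap-auth" and rec.get("result") == "fail":
            client = rec.get("client", "?")
            failures[client] += 1
            if failures[client] == FAILED_AUTH_THRESHOLD:   # alert once per burst
                alerts.append(("auth-failure-burst", client))
        elif rec["event"] == "scan":
            ssid, bssid = rec.get("ssid"), rec.get("bssid")
            security = rec.get("security", "").upper()
            # Our SSID coming from a radio we don't own: a rogue or evil-twin AP.
            if ssid in AGENCY_SSIDS and bssid not in AUTHORIZED_BSSIDS:
                alerts.append(("rogue-ap", bssid))
            # One of our own radios still offering a cipher the policy forbids.
            if bssid in AUTHORIZED_BSSIDS and any(w in security for w in WEAK_SECURITY):
                alerts.append(("weak-security", f"{bssid}:{security}"))
    return alerts


if __name__ == "__main__":
    for kind, subject in analyze(SAMPLE_LOGS):
        print(f"ALERT {kind}: {subject}")
```

The neighbouring coffee shop's open network produces no alert because its SSID is not one of yours and its radio is not in your inventory; the checks flag only what your policy actually governs. In production the inventory would come from the quarterly equipment inventory the article recommends, and the scan records from the access points' own neighbour scans or a wireless intrusion-detection sensor.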

Implementing strong key management

The 802.11i standard provides more security advantages than earlier wireless protocols do.

For example, Wi-Fi Protected Access 2 (WPA2) uses a stronger key management mechanism than WEP's single static key. The master key is never used to encrypt traffic directly. Each time a client associates, it and the access point exchange random values in a four-way handshake and derive a fresh set of session keys from the master key, and the cipher then derives per-packet values from those session keys. The keys change transparently and automatically without administrative intervention. (The Temporal Key Integrity Protocol, TKIP, is the transitional cipher that WPA introduced so that WEP-era hardware could do per-packet key mixing; WPA2's mandatory cipher is CCMP, which is based on the Advanced Encryption Standard.)

There are two ways to establish the master key: use a pre-shared key or a centralized authentication server.

In small network settings using the pre-shared key method, an administrator enters the same passphrase on the access point and on each client. The devices derive the 256-bit master key from the passphrase and the network name, and the session keys are then rotated automatically. Anyone who captures one client's association handshake can test passphrase guesses offline against it, at leisure and without further contact with the network, so make the passphrase as long as possible, more than 15 characters, and not a word or phrase that appears in any list.

In most agencies, centralized authentication servers will be the standard practice. In this mode WPA2 uses 802.1X: the access point relays the client's credentials to a Remote Authentication Dial-In User Service (RADIUS) server for authentication, authorization and accounting, and the master key is generated per user and per session as a by-product of that exchange. The supported authentication methods are flavors of the Extensible Authentication Protocol, including EAP-Transport Layer Security, which authenticates both sides with certificates, and Protected EAP, which protects a password-based login inside a TLS tunnel.

Which cipher runs depends on the mode. TKIP, the transitional cipher WPA introduced, keeps the RC4 stream cipher that WEP used, but it wraps RC4 in per-packet key mixing, a keyed message integrity check and a 48-bit packet counter in place of WEP's 24-bit initialization vector. (802.11a/b/g are radio specifications; WEP was the security mechanism all of them inherited from the base 802.11 standard.) The mandatory cipher in 802.11i, and therefore in WPA2, is CCMP, which is built on the Advanced Encryption Standard and shares nothing with WEP. An initialization vector, or in TKIP's case the packet counter, is a per-packet value combined with the key so that every frame is encrypted with a distinct key stream without a new key having to be distributed. With only 24 bits, WEP ran out of values within hours on a busy network and began reusing key streams, which is one of the reasons it could be broken.
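The pre-shared key derivation, the four-way handshake key expansion and the naming advice in the technical considerations (the SSID salts the key) are all easier to see in code. The following is an added example written for this page; it is not code from the article or from any wireless vendor. It implements the 802.11i key derivation that a WPA2-Personal access point and client both perform, then plays the eavesdropper who has captured one handshake and tests passphrase guesses offline, which is exactly the attack a long passphrase is meant to resist. The SSID, MAC addresses, nonces, passphrase and the bytes standing in for a handshake message are all constructed for illustration; a real EAPOL-Key frame has a defined layout that this stand-in does not reproduce.

```python
import hashlib
import hmac


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Master key (PMK) for WPA/WPA2 pre-shared-key mode, as 802.11i specifies:
    PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || counter) for
    counter = 0, 1, ..., concatenated and truncated to nbytes."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Pairwise transient key from the four-way handshake. The two MAC addresses
    and the two nonces are ordered by value so both sides compute the same key."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)
    return {
        "KCK": ptk[0:16],        # key confirmation key: authenticates handshake messages
        "KEK": ptk[16:32],       # key encryption key: wraps the group key sent to the client
        "TK": ptk[32:48],        # temporal key: encrypts data frames (CCMP needs only this)
        "TKIP_MIC": ptk[48:64],  # extra Michael MIC keys, used only when the cipher is TKIP
    }


def eapol_mic(kck: bytes, frame_mic_zeroed: bytes) -> bytes:
    """Key MIC on an EAPOL-Key handshake message for WPA2/CCMP: HMAC-SHA1 under
    the KCK over the frame with its MIC field zeroed, truncated to 16 bytes."""
    return hmac.new(kck, frame_mic_zeroed, hashlib.sha1).digest()[:16]


# --- Constructed scenario (hypothetical values, not a real capture) ---
SSID = "BeanCounters_5th_Floor_AP01"
AP_MAC = bytes.fromhex("a0a1a2a3a4a5")
CLIENT_MAC = bytes.fromhex("b0b1b2b3b4b5")
ANONCE = bytes(range(0x00, 0x20))
SNONCE = bytes(range(0x20, 0x40))
TRUE_PASSPHRASE = "correct-horse-battery-staple-2004"
# Stand-in for handshake message 2 with its MIC field zeroed; just bytes to
# authenticate, not a real EAPOL-Key frame layout.
HANDSHAKE_MSG2 = b"EAPOL-Key msg2 " + SNONCE + b"\x00" * 16


def legitimate_mic() -> bytes:
    """What the real client sends: the MIC computed from the correct passphrase."""
    kck = derive_ptk(wpa_psk(TRUE_PASSPHRASE, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)["KCK"]
    return eapol_mic(kck, HANDSHAKE_MSG2)


def offline_guess(candidates, captured_mic: bytes):
    """What an eavesdropper with one captured handshake can do: recompute the
    MIC for each guess and compare, with no further contact with the network.
    Cost per guess is one PBKDF2 run, so only the passphrase's length and
    unpredictability stand between the attacker and the master key."""
    for cand in candidates:
        kck = derive_ptk(wpa_psk(cand, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)["KCK"]
        if hmac.compare_digest(eapol_mic(kck, HANDSHAKE_MSG2), captured_mic):
            return cand
    return None


if __name__ == "__main__":
    mic = legitimate_mic()
    print("recovered:", offline_guess(["password", "letmein", TRUE_PASSPHRASE], mic))
    print("same passphrase, different SSID, different key:",
          wpa_psk("password", "IEEE") != wpa_psk("password", "ieee"))
```

Two things to notice. The SSID is the salt, so the same passphrase on two differently named networks yields two different master keys, which is why precomputed key tables only work against default or very common SSIDs. And the guess loop never touches the network, so an account-lockout or rate limit on the access point does not help; the 4096-round key derivation slows each guess, but a short or dictionary passphrase still falls quickly to a wordlist.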

Another important acronym in the 802.11i standard is RSN, or Robust Security Network. An RSN-capable access point advertises, in an information element carried in its beacons and probe responses, the ciphers (TKIP or CCMP) and the key management methods (802.1X or pre-shared key) it accepts, and the client selects from that list when it associates. Because the security suites are negotiated rather than fixed, a newer cipher or authentication method can be added by firmware update without replacing hardware, as long as the radio chipset is capable of running it.

RSN's mandatory cipher, CCMP, uses the Advanced Encryption Standard with a 128-bit key in CCM mode, which provides both confidentiality and integrity in one pass; the key size is fixed at 128 bits, and AES is the algorithm approved under FIPS 197 for federal use. Finally, CCMP computes its integrity check over parts of the frame header as well as the payload, so an attacker cannot silently alter addresses or flags the way WEP's CRC-32 checksum allowed. Note that 802.11i does not protect management frames such as deauthentication; that required a later amendment.