Best Practices for Wireless Security
The ability to defend today’s businesses from information security threats is largely based on protocols and technologies that support a wired infrastructure. However, the proliferation of mobile devices and wireless communication is introducing new security gaps that must be addressed. As the saying goes, security is only as good as your weakest link—and wireless systems are the weak links in business infrastructure. Security practitioners need to better understand wireless technologies, protocols and standards, and develop policies to address wireless security to ensure that these technologies are not the “gaps” exploited by hackers. These are some of the best practices that security practitioners should be familiar with as they deploy wireless technology.
Getting Started: Wireless Site Survey and Assessment
Performing a wireless site survey before deploying the wireless infrastructure is key to successful implementation. The objective of the wireless site survey is to understand the architecture of access points, cable routes and electrical needs. It also establishes transmission coverage area and identifies security issues. A detailed report is typically developed that documents all necessary parts and equipment, as well as diagrams that exhibit the proper placement of components.
Scan the Network
Security practitioners should review vulnerabilities on the wireless infrastructure on a periodic basis. Tools such as NetStumbler, Kismet and others can be instrumental in learning more about the risks to the wireless network and infrastructure.
NetStumbler is an active network scanner that sends out probe requests and watches for responses to these packets. It is a free utility and is available at www.netstumbler.com. It provides information about wireless networks in range including: SSID (service set identifier), MAC address, vendor wireless in use, type of device (e.g., access point), encryption (e.g., whether wireless equivalent privacy, or WEP, is in use) and channels being used. NetStumbler also provides information about signal strength and noise. While NetStumbler is a simple beacon scanner, it is a good tool for detecting and monitoring wireless networks.
Kismet is an advanced diagnostic tool for wireless networks. It is a passive network scanner that detects traffic from access points and wireless clients. Kismet is a free utility and can be downloaded from www.kismetwireless.com. Kismet monitors traffic sent from its users to find “closed” networks and logs all 802.11 frames. Kismet can track systems with multiple wireless cards. For wireless clients, Kismet displays MAC address, IP address and manufacturer information. Kismet saves all recorded frames to a standard pcap format. This allows you to use Ethereal or AirSnort to analyze the data.
Next Step: Develop a Wireless Security Policy
Once they understand the vulnerabilities on their wireless networks, security practitioners should develop a policy for securing wireless devices and transmissions. The scope of this policy covers all wireless data communication devices (e.g., personal computers, cellular phones, PDAs, etc.) connected to any of the organization’s networks. This includes any form of wireless communication device capable of transmitting packet data.
The policy should include specific recommendations, such as:
- Wireless implementations must maintain point-to-point hardware encryption of at least 128 bits.
- Wireless devices must maintain a hardware address that can be registered and tracked (i.e., a MAC address).
- Wireless devices must support strong user authentication that checks against an external database, such as TACACS+, RADIUS or something similar.
- Laptop/PDA users must select strong passwords and must have anti-virus software installed with automatic updates.
- Screensavers must be activated after two to three minutes of idle time.
- Encryption must be used to store sensitive information on laptops.Wireless Design Best Practices
The key here is to understand the risk to the infrastructure if the access point is compromised. The core objective in the design of the wireless network must be to minimize the number of access points, as each represents a potential area of vulnerability. Further, the access points should be installed away from exterior walls so that the strength of the signal is reduced for access from outside of the physical facility. The access point also should not be installed on the same network as other critical network resources. It should typically be separated from the wired network, and the design should require communication to go through a firewall system.
The enterprise wireless infrastructure should be based on the following guidelines:
- Configure a firewall between the wireless network and the wired infrastructure.
- Ensure that 128-bit or higher encryption is used for all wireless communication.
- Fully test and deploy software patches and updates on a regular basis.
- Deploy intrusion detection systems (IDS) on the wireless network to report suspected activities.Consider the following best practices for the deployment of wireless access points:
- Maintain and update an inventory of all access points and wireless devices.
- Locate access points on the interior of buildings instead of near exterior walls and windows as appropriate.
- Place access points in secured areas to prevent unauthorized physical access and user manipulation.
- The default settings on access points, such as those for SSIDs, must be changed.
- Access points must be restored to the latest security settings when the reset functions are used.
- Ensure that all access points have strong administrative passwords.
- Enable user authentication mechanisms for the management interfaces of the access point.
- Use SNMPv3 and/or SSL/TLS for Web-based management of access points.
- Turn on audit capabilities on access point, and review log files on a regular basis.To ensure security on all wireless and mobile end devices, install anti-virus and personal firewall software on every client, and disable file sharing between wireless clients.
Security practitioners should:
- Upgrade firmware (develop a patch management policy and practice it).
- Disallow remote management.
- Use static IP addresses, if possible.
- Restrict range of IP addresses—configure the access point to allow only a limited range of IP addresses.
- Enable MAC filtering on the access point. These filters let you specify which WLAN cards will be granted access and which will not.From WEP to WPA and 802.11i
Wired equivalent privacy (WEP) has been the standard 802.11 wireless security protocol for data encryption. It uses a key to encrypt wireless data transmitted through the radio waves, and supports a 40-bit key and a 128-bit key. However, attackers have been able to compromise both WEP key lengths. If you do not use any encryption, then the advice is to at least use WEP.
With WEP, you should use the longest key the hardware supports. Key lengths may be 64-bit ASCII (five characters), 64-bit hexadecimal (10 characters), 128-bit ASCII (13 characters) or 128-bit hexadecimal (26 characters). You also should use a non-obvious key and plan to change keys often. It also is important to use WEP with other security capabilities.
The Wi-Fi protected access (WPA) specification replaced WEP. It was developed by the Wi-Fi Alliance as a stepping-stone to the IEEE 802.11i standard, also referred to as WPA 2. WPA was based on the early draft of the 802.11i standard. The IEEE 802.11i standard has been developed to ensure message confidentiality and integrity. It incorporates the IEEE 802.1x port authentication algorithm to provide a framework for strong