Planning WLAN Operational Support, Part III
October 20, 2003
Wireless LANs require security mechanisms to safeguard a company's information. Discover how to properly plan security to ensure that the wireless LAN is not an open door to hackers and casual snoopers.
By Jim Geier
In general, the security element of operational support involves managing the network so that no weaknesses persist that an attacker could use against it. Good security requires strong encryption and authentication (no mechanism is fool-proof, so plan for failure as well), together with solid policies that the company actually enforces regarding configuration of the wireless LAN.
The following are essentials to consider when planning security for WLANs:
- Encryption and authentication. When planning security, be sure to encrypt packets at least over the airwaves. Wired Equivalent Privacy (WEP) is the native 802.11/Wi-Fi encryption mechanism. It has well-known faults: its keys are static and shared by every station, and weaknesses in the way it schedules RC4 keys mean the key can be recovered from enough captured traffic. Still, it is better than nothing. Imagine having a wireless LAN in a multi-dwelling environment. Neighbours with a wireless-enabled laptop or PC can easily make use of your Internet connection, something that you probably don't want and that Internet service providers generally forbid. WEP does a good job in this case of keeping casual snoopers off your network.
Aside from this example, most wireless LAN applications need more protection, using standards such as Wi-Fi Protected Access (WPA) and IEEE 802.11i. WPA offers sound encryption and authentication between users and access points, the critical part of a wireless system. WPA is actually a snapshot of the current draft of 802.11i, which includes the Temporal Key Integrity Protocol (TKIP) and 802.1X mechanisms. The combination of these two mechanisms provides very good security through per-session dynamic keys and mutual authentication. A strong advantage of WPA is that, because it is a standardized mechanism rather than a vendor extension, it is open enough to operate within multi-vendor environments such as public hotspots.
The eventual 802.11i standard will be backward compatible with WPA; however, 802.11i will also include optional Advanced Encryption Standard (AES) encryption. AES requires coprocessors not found in most access points today, which makes AES more suitable for new WLAN installations. As a result, be sure to deploy suitable access points today if you expect to support full 802.11i in the future. Whereas WEP, WPA, and 802.11i offer encryption over the airwaves only, a virtual private network (VPN) encrypts data end-to-end, across the entire network. Certainly consider the use of VPNs for users travelling and utilizing public wireless LANs. Some vendors, such as Colubris, offer VPN servers within their access point. VPNs are not foolproof, mainly because of potential address resolution protocol (ARP) attacks: a VPN protects the tunnel's contents, but the client is still a reachable host on the local wireless segment, where ARP spoofing can redirect or disrupt its traffic before it enters the tunnel. Don't depend entirely on VPN software to adequately safeguard network resources. OptimumPath, however, has a unique protocol they call secure ARP (SARP) that counters this problem.
- Installation control. Enterprises should have policies in place that require anyone installing wireless access points and base stations to first obtain approval from a designated IT group. The company should strictly forbid the connection of unauthorized wireless access points to the corporate network. In fact, all access points should satisfy specific, written configuration policies (for example, which encryption and authentication mechanism is required and which SSIDs and channels are permitted), so that compliance can be checked rather than argued about.
- Monitoring. Sound security includes other support elements as well. For example, network monitoring should include a mechanism that continuously scans for rogue access points that provide non-secure access to the protected side of the corporate network. A rogue is distinguished from a harmless neighbouring access point by whether it is actually bridged to the corporate LAN, so the monitoring should correlate what is heard over the air with what is seen on the wired side (such as switch address tables), not merely list every nearby network. Be sure to fully define this monitoring function so that it alerts IT staff when a rogue is found.
- Periodic testing. Access points should be subject to periodic penetration tests and audits to ensure compliance with configuration policies. Without this testing, there is no way of telling whether the wireless LAN actually conforms in a way that satisfies security requirements. A combination of effective network monitoring and configuration management can replace the need for some of this testing, but be sure to conduct periodic testing to ensure that you don't miss anything.
- Action plans. If network monitoring discovers a breach of security occurring at a specific access point, it is a good idea to temporarily disable that access point. As a result, favour access points that let you remotely shut off the radio or cut their power through Power-over-Ethernet, and decide in advance who is authorized to do so and how the affected users will be notified.
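The installation-control, monitoring and action-plan items above describe one procedure: keep an inventory of approved access points, compare it continuously with what is heard over the air and seen on the wire, and decide what to do about each discrepancy. The following Python script is an added example of that logic and is not code from the article or from any vendor product. The access point inventory, the configuration policy, the one-line-per-AP scan format and the `wired=yes/no` field (meaning the AP's address was also seen in a switch address table on the corporate LAN) are all constructed for illustration.

```python
"""Rogue-AP detection and configuration-policy audit over a constructed scan.

Added example, not code from the article or any product.  The inventory,
policy, scan-line format and wired-side flag are assumptions for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed inventory of approved access points (assumption): BSSID -> expected SSID.
AUTHORIZED_APS = {
    "00:0c:41:aa:bb:01": "CORP-WLAN",
    "00:0c:41:aa:bb:02": "CORP-WLAN",
    "00:0c:41:aa:bb:03": "CORP-WLAN",
}

# Configuration policy every corporate AP must satisfy (assumption).
POLICY = {
    "allowed_security": {"WPA-TKIP/802.1X"},   # WEP and open networks are forbidden
    "corporate_ssids": {"CORP-WLAN"},
    "allowed_channels": {1, 6, 11},
}

# Constructed scan output, one AP per line.  'wired=yes' means the AP's MAC
# address was also seen in a switch MAC-address table on the corporate LAN.
SAMPLE_SCAN = """\
bssid=00:0c:41:aa:bb:01 ssid=CORP-WLAN channel=1 security=WPA-TKIP/802.1X wired=yes
bssid=00:0c:41:aa:bb:02 ssid=CORP-WLAN channel=6 security=WEP wired=yes
bssid=00:0c:41:aa:bb:03 ssid=CORP-WLAN channel=11 security=WPA-TKIP/802.1X wired=yes
bssid=00:30:65:12:34:56 ssid=linksys channel=6 security=open wired=yes
bssid=00:02:2d:77:88:99 ssid=HomeNet channel=11 security=WEP wired=no
bssid=00:02:2d:de:ad:01 ssid=CORP-WLAN channel=1 security=open wired=no
"""

LINE_RE = re.compile(
    r"bssid=(?P<bssid>[0-9a-f:]{17}) ssid=(?P<ssid>\S+) channel=(?P<channel>\d+) "
    r"security=(?P<security>\S+) wired=(?P<wired>yes|no)$"
)


@dataclass
class Observation:
    bssid: str
    ssid: str
    channel: int
    security: str
    on_wired_lan: bool


@dataclass
class Finding:
    bssid: str
    kind: str        # rogue | impostor | policy_violation | neighbor
    severity: str    # high | medium | low
    details: list = field(default_factory=list)
    action: str = ""


def parse_scan(text):
    """Parse the constructed scan format; malformed lines are skipped, not trusted."""
    observations = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        observations.append(Observation(
            bssid=m["bssid"].lower(), ssid=m["ssid"], channel=int(m["channel"]),
            security=m["security"], on_wired_lan=(m["wired"] == "yes")))
    return observations


def audit(observations):
    """Classify each observed AP against the inventory and the policy."""
    findings = []
    for obs in observations:
        if obs.bssid not in AUTHORIZED_APS:
            if obs.on_wired_lan:
                # Unknown AP bridged into the protected network: the rogue case.
                findings.append(Finding(obs.bssid, "rogue", "high",
                    [f"unknown AP '{obs.ssid}' ({obs.security}) bridged to the corporate LAN"],
                    "locate the AP, disconnect its switch port, alert IT staff"))
            elif obs.ssid in POLICY["corporate_ssids"]:
                # Not on our wire, but impersonating our network to lure clients.
                findings.append(Finding(obs.bssid, "impostor", "medium",
                    ["unknown AP advertising a corporate SSID"],
                    "warn users; locate the transmitter"))
            else:
                findings.append(Finding(obs.bssid, "neighbor", "low",
                    [f"foreign AP '{obs.ssid}' not bridged to the corporate LAN"],
                    "log only"))
            continue
        # Approved AP: check its configuration against the policy.
        details = []
        if obs.security not in POLICY["allowed_security"]:
            details.append(f"security is {obs.security}, policy requires "
                           f"{sorted(POLICY['allowed_security'])}")
        if obs.ssid != AUTHORIZED_APS[obs.bssid]:
            details.append(f"SSID '{obs.ssid}' differs from inventory '{AUTHORIZED_APS[obs.bssid]}'")
        if obs.channel not in POLICY["allowed_channels"]:
            details.append(f"channel {obs.channel} not in allowed set")
        if details:
            findings.append(Finding(obs.bssid, "policy_violation", "high", details,
                "disable the radio (or its PoE port) until reconfigured"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_scan(SAMPLE_SCAN)):
        print(f"[{f.severity}] {f.bssid} {f.kind}: {'; '.join(f.details)} -> {f.action}")
```

On the constructed scan the script reports the WEP-configured corporate AP as a policy violation, the unknown `linksys` AP seen on the wire as a rogue, the unknown AP advertising `CORP-WLAN` as an impostor, and the neighbour's `HomeNet` as informational only. The wired-side correlation is what keeps the last two apart; a scanner that only lists SSIDs heard over the air cannot make that distinction. In a real deployment the inventory would come from the approval process described under installation control and the scan from the monitoring function, run on a schedule or continuously.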
Denial of service is also a possible issue with wireless LANs. In some cases, this could be a disaster waiting to happen. Imagine the use of a Wi-Fi network to perform a shipping function within a large warehouse. A hacker can easily disable this WLAN by transmitting a jamming signal that keeps wireless LAN devices from accessing the medium and sending data, and no encryption or authentication setting prevents this, since the radio medium itself is shared. This could completely halt operations at the warehouse. As a result, think about "Plan B" before deploying. This means planning how the company will be able to continue operating if the WLAN becomes inoperative.
WLANs can certainly provide significant benefits. Just be sure to properly plan the security element before deploying the network to ensure adequate protection of your company's resources.
Stay tuned! In part IV of this series, we'll focus on how to orchestrate the maintenance activity of a WLAN.
Jim Geier provides independent consulting services to companies developing and deploying wireless network solutions. He is the author of the book, Wireless LANs and offers training focusing on wireless LANs.