How to: Protect Your Hotspot
May 20, 2008
In parts I and II of this series, we illustrated safety measures that individuals and businesses can use to protect themselves when using public Wi-Fi hotspots. In part three, we recommend security best practices for Wi-Fi hotspot administrators.
In parts one and two of this series, we illustrated safety measures that individuals and businesses can use to protect themselves from Wi-Fi hotspot threats. Of course, the more secure the hotspot, the better for everyone. Here in part three, we recommend security best practices for Wi-Fi hotspot administrators.
Indecent exposure
Hotspot operators often take a "swim at your own risk" attitude, treating security as the user's problem. Few hotspots support WPA encryption and many dump all customers onto a shared LAN with little or no filtering. In one assessment of three dozen hotel hotspots [see report], just one in four could insulate users and encrypt their traffic. The rest left users partly or fully exposed to attacks, including those launched from upstream Ethernet LANs and the public Internet.
If exposed users don't trouble you, consider this: those wide-open hotspots also tended to place the operator's assets at risk. At several test venues, open Telnet, FTP, and SNMP ports were found on access gateways and firewalls, readily accessible to curious (or nefarious) Wi-Fi users. Private printer and file shares on nearby LANs were frequently visible; some folders even had tempting names like "frontdesk" and "<HotelName>Sales." Few of these tested hotspots made any real attempt to prevent MAC address spoofing, thus making it easy for thieves to piggyback on sessions established by other users. And some even failed to encrypt user logins.
Batten down the hatches
Hotspots may be public access networks, but they shouldn't be "free-for-all anything-goes" zones. Common security practices should be applied to every system, starting at the hotspot's Internet access router and firewall, continuing through inside authentication servers, access gateways, wired switches, and wireless gear. For example:
· Apply hardening techniques, like closing unused ports, establishing strong management and auth server credentials, and using IP/MAC filters or VLANs to limit admin access.
· Aim network vulnerability assessment tools like nmap at every hotspot node to identify and then fix remaining exposures, including NetBIOS leakage on local LANs.
· Keep hotspot infrastructure up-to-date by applying the latest security patches and by learning about common mis-configurations that put your systems and data at risk.
· Web applications and content displayed on portal pages should be reviewed for vulnerabilities as well.
These practices are not unique to hotspots. They're just good general hygiene, basic steps which many hotspots fail to employ because the value of doing so is underestimated.
Fight fire with firewalls
Take a hard look at packet flows, with an eye towards compartmentalizing hotspot traffic. Consider physically isolating the public hotspot from on-premises business networks by deploying separate access links, firewalls, and APs. Where this proves impractical, establish logical barriers using firewall security zones, wired VLANs, and virtual APs. For example:
· Use perimeter firewall features to limit the bandwidth consumed by hotspot traffic or any single user (source IP or MAC).
· Place the hotspot captive portal and Wi-Fi switch/APs in their own security zone (layer 3 DMZ, layer 2 VLAN), configuring rules to prevent "hopping" into other zones.
· Where wireless coverage areas differ, use separate APs to serve business and hotspot users, with strong authentication on business APs that prevents customer access.
· Where wireless footprints overlap, or multiple hotspot constituencies exist (e.g., hotel guest, meeting room), use virtual APs with multiple SSIDs, mapped to different VLANs/subnets.
· Don't be tempted to share a business printer with guests. Offer public printing services from a device dedicated to that task, and thus physically isolated from business systems.
· If inbound connections are necessary, allow them in a limited fashion, for example, using VPN pass-thru and common port forwards instead of full-blown static NAT.
Control hotspot access
Why pay for something if you can get it for free? Theft of service may not be as rare or difficult as hotspot operators would like. Commercial hotspots often use captive portals to intercept users and redirect them to pages that solicit logins, pass codes, or credit card payments. This is a good start, but more may be needed. For example:
· Always secure login portals with SSL, but never use a factory-default certificate for this purpose. That "suspicious cert" will just scare users away and let phishers steal your lunch.
· Don't bother using WEP keys or WPA PSKs to control hotspot access unless this is done through a guest access system that issues time-limited, per-user keys.
· In commercial hotspots that allow 802.1X authentication, avoid EAP types that expose the user's identity and recommend that users check the server's certificate.
· Take advantage of AP, switch, or gateway features that detect and deflect MAC spoofing. If nothing else, apply login/inactivity timeouts to limit this risk exposure.
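One way an operator without built-in spoof detection can still spot piggybacking, as an added example that is not from the article: correlate the captive portal's login records with DHCP leases, and flag any MAC that obtains a second IP while its authenticated session is still open (a cloned MAC typically lands on a different lease). The log format, field names and one-hour login timeout are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed gateway log excerpt (format assumed, not the article's): the
# captive portal logs login/logout per MAC, and the DHCP server logs leases.
GW_LOG = """\
2008-05-20T10:01:02 gw portal: login user=alice mac=00:1a:2b:3c:4d:5e ip=10.10.0.21
2008-05-20T10:03:15 gw portal: login user=bob mac=00:1a:2b:aa:bb:cc ip=10.10.0.22
2008-05-20T10:20:40 gw dhcp: lease mac=00:1a:2b:3c:4d:5e ip=10.10.0.77
2008-05-20T10:45:00 gw portal: logout user=bob mac=00:1a:2b:aa:bb:cc
2008-05-20T11:30:00 gw dhcp: lease mac=00:1a:2b:aa:bb:cc ip=10.10.0.90
2008-05-20T12:00:00 gw dhcp: lease mac=00:1a:2b:3c:4d:5e ip=10.10.0.21
"""

LINE = re.compile(r"^(\S+) gw (portal|dhcp): (\w+) (.*)$")
FIELD = re.compile(r"(\w+)=(\S+)")
LOGIN_TTL = timedelta(hours=1)  # assumed hotspot login timeout


def parse(log):
    """Yield (timestamp, source, event, fields) for each recognised log line."""
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, src, event, rest = m.groups()
        yield datetime.fromisoformat(ts), src, event, dict(FIELD.findall(rest))


def find_spoof_candidates(log, ttl=LOGIN_TTL):
    """Return (mac, session_ip, new_ip, time) for every MAC that is issued a
    different IP while a portal session for that MAC is still open."""
    sessions = {}  # mac -> (ip granted at login, login time)
    alerts = []
    for ts, src, event, f in parse(log):
        mac = f.get("mac")
        if src == "portal" and event == "login":
            sessions[mac] = (f["ip"], ts)
        elif src == "portal" and event == "logout":
            sessions.pop(mac, None)
        elif src == "dhcp" and event == "lease" and mac in sessions:
            ip, started = sessions[mac]
            if ts - started > ttl:
                sessions.pop(mac)  # session expired; a new lease is expected
            elif f["ip"] != ip:
                alerts.append((mac, ip, f["ip"], ts.isoformat()))
    return alerts
```

Bob's lease at 11:30 is ignored because he logged out, and alice's lease at 12:00 falls outside the login timeout; only the 10:20 lease on alice's MAC is reported.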
Help users protect themselves
Hotspots should help, not hinder, users that want to secure themselves and their traffic. Possibilities here range from passive enablement to active collaboration. In fact, the operator's degree of involvement can be viewed as a service differentiator. When choosing between hotspots, customers may be drawn to those with good (secure/reliable) reputations.
· Consider providing a WPA-encrypted SSID in addition to the usual open SSID. When combined with 802.1X authentication, WPA can benefit both the user and the operator.
· Configure the hotspot firewall to facilitate user VPN access -- for example, by enabling IPsec and PPTP pass-through and perhaps offering a "public IP" option.
· Take advantage of AP features that inhibit inter-client (intra-WLAN) traffic, and use filters to block unwanted LAN probes like ARP and NetBIOS from leaking onto the WLAN.
· Make it easier for users to find and recognize legitimate hotspot APs by documenting their coverage areas, SSIDs, server certificates, etc.
· Consider applying Unified Threat Management (UTM) at the hotspot firewall to prevent intrusions, spyware back-channels, and requests to known hacker Websites. UTM may be hampered by VPN tunnels, but can help keep other customers (and the hotspot) safer.
· Forewarned is forearmed: Advertise the hotspot's security practices in "Terms of Service" and customer support pages, helping educate users about risks and how to avoid them.
Look, listen, and learn
Finally, don't overlook the power of observation. For example, analyze logs and alerts generated by hotspot infrastructure (especially the firewall) to spot unexpected usage or signs of attack. Monitor the airwaves too; at minimum, use AP-based scanning or a stumbler to notice interfering APs or malicious evil twins. Full-time wireless intrusion detection can be helpful, but prevention (wireless blocking) should only be applied within business WLANs where trusted devices and users can be reliably recognized. The more you know about what's really happening at the hotspot, the better equipped you'll be to keep it running smoothly and safely.
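The documented AP inventory recommended above doubles as a reference for scan results: as an added example that is not from the article, the check below compares a stumbler's output against the inventory and reports unknown BSSIDs broadcasting the hotspot's SSID (evil twins), lookalike SSIDs, and known BSSIDs seen with an unexpected SSID or security setting. The inventory, scan lines and their format are constructed for illustration.

```python
import re

# Constructed inventory of the hotspot's own APs: bssid -> (ssid, security).
KNOWN_APS = {
    "00:0c:41:aa:bb:01": ("HotelGuest", "OPEN"),
    "00:0c:41:aa:bb:02": ("HotelGuest", "OPEN"),
    "00:0c:41:aa:bb:03": ("HotelGuest-Secure", "WPA2"),
}

# Constructed stumbler output (format assumed): one AP per line.
SCAN = """\
bssid=00:0c:41:aa:bb:01 ssid=HotelGuest chan=1 sec=OPEN
bssid=00:0c:41:aa:bb:03 ssid=HotelGuest-Secure chan=11 sec=WPA2
bssid=00:11:22:33:44:55 ssid=HotelGuest chan=6 sec=OPEN
bssid=00:0c:41:aa:bb:02 ssid=HotelGuest chan=6 sec=OPEN
bssid=66:77:88:99:aa:bb ssid=Hotel_Guest chan=6 sec=OPEN
bssid=de:ad:be:ef:00:01 ssid=Coffee chan=6 sec=WPA2
bssid=00:0c:41:aa:bb:03 ssid=HotelGuest-Secure chan=11 sec=OPEN
"""


def normalize(ssid):
    """Collapse case and punctuation so 'Hotel_Guest' matches 'HotelGuest'."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def check_scan(scan, known=KNOWN_APS):
    """Return (finding, bssid, ssid) tuples for suspicious entries in a scan."""
    our_ssids = {ssid for ssid, _ in known.values()}
    our_normalized = {normalize(ssid) for ssid in our_ssids}
    findings = []
    for line in scan.splitlines():
        f = dict(re.findall(r"(\w+)=(\S+)", line))
        bssid, ssid, sec = f["bssid"], f["ssid"], f["sec"]
        if bssid in known:
            # Our own BSSID, but advertising a different SSID or security
            # mode than documented: possibly cloned by an impersonator.
            if (ssid, sec) != known[bssid]:
                findings.append(("cloned-bssid", bssid, ssid))
        elif ssid in our_ssids:
            findings.append(("evil-twin", bssid, ssid))  # our SSID, foreign AP
        elif normalize(ssid) in our_normalized:
            findings.append(("lookalike", bssid, ssid))  # near-identical name
    return findings
```

Unrelated neighbours such as "Coffee" are ignored; only entries that could be mistaken for the hotspot's own APs are reported.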
For more on hotspot safety, read "Wi-Fi Planet Guide to Hotspot Safety," "Hotspot Safety for Business Users," and "Travelers Beware: Survey Exposes Airport Wi-Fi Vulnerabilities."
For more on evil twins, read "When "Free Public Wi-Fi" Is Bad."
For more by Lisa Phifer, read "Cheers to Wi-Fi," "Retailers Need to Shore Up Defenses," and "Aruba Emphasizes Preparedness In New Products and Enhancements."
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. She has been involved in the design, implementation, and testing of NetSec systems and services for over 25 years, including security vulnerability assessments conducted at dozens of public access Wi-Fi hotspots.