How to: Define Wireless Network Security Policies
September 18, 2008
Because of the use of radio waves, a wireless network is not secure unless you take special precautions. Follow these recommendations when defining the wireless network security policies for your company.
With a wireless network, you must consider security policies that will protect resources from unauthorized people. Let's take a look at what you should include in a wireless network security policy for an enterprise. Consider the following recommendations:
Utilize IPSec-based Virtual Private Network (VPN) technology for end-to-end security. If users need access to sensitive applications from Wi-Fi hotspots, definitely utilize a VPN system to provide sufficient end-to-end encryption and access control. Some companies require VPNs for all wireless client devices, even when they're connecting from inside the secured walls of the enterprise. A full-throttle VPN solution such as this offers good security, but it becomes costly and difficult to manage when there are hundreds of wireless users (mainly due to the need for VPN servers). As a result, consider implementing 802.11 encryption when users are operating inside the enterprise and VPNs for the likely fewer users who need access from hotspots.
Utilize 802.1x-based authentication to control access to your network. There are several flavors of 802.1x port-based authentication systems. Choose one that meets the security requirements for your company. For example, EAP-TLS may be a wise choice if you have Microsoft servers.
Establish the wireless network on a separate VLAN. A firewall can then help keep hackers located on the VLAN associated with the wireless network from having easy access to corporate servers located on different, more secured VLANs (i.e., not accessible from the wireless network). In this manner, the wireless network is similar to a public network, except you can apply encryption and authentication mechanisms to the wireless users.
Ensure firmware is up to date in client cards and access points. Vendors often release firmware patches that fix security issues. On an ongoing basis, make it a habit to check that all wireless devices have the most recent firmware releases.
Ensure only authorized people can reset the access points. Some access points will revert to factory default settings (i.e., no security at all) when someone pushes the reset button on the access point. We've done this when performing penetration testing during security assessments to prove that this makes the access point a fragile entry point for a hacker to extend their reach into the network. As a result, provide adequate physical security for the access point hardware. For example, don't place an access point within easy reach. Instead, mount the access points out of view above ceiling tiles. Some access points don't have reset buttons and allow you to reset the access point via an RS-232 cable through a console connection. To minimize the risk of someone resetting the access point in this manner, be sure to disable the console port when initially configuring the access point.
Disable access points during non-usage periods. If possible, shut down the access points when users don't need them. This limits the window of opportunity for a hacker to use an access point to their advantage as a weak interface to the rest of the network. To accomplish this, you can simply pull the power plug on each access point; however, you can also deploy power-over-Ethernet (PoE) equipment that provides this feature in a more practical manner via centralized operational support tools.
Assign strong passwords to access points. Don't use default passwords for access points because they are well known, making it easy for someone to change configuration parameters on the access point to their advantage. Be sure to change these passwords periodically. Ensure passwords are encrypted before being sent over the network.
Don't broadcast SSIDs. If this feature is available, you can avoid having user devices automatically sniff the SSID in use by the access point. Most current computer operating systems and monitoring tools will automatically sniff the 802.11 beacon frames to obtain the SSID. With SSID broadcasting turned off, the access point will not include the SSID in the beacon frame, making most SSID sniffing tools useless. This isn't a foolproof method of hiding the SSID, however, because someone can still monitor 802.11 association frames (which always carry the SSID, even if SSID broadcasting is turned off) with a packet tracer. At least shutting off the broadcast mechanism will limit access.
Reduce propagation of radio waves outside the facility. Through the use of directional antennas, you can direct the propagation of radio waves inside the facility and reduce the spillage outside the perimeter. This not only optimizes coverage, it also minimizes the ability for a hacker located outside the controlled portion of the company to eavesdrop on user signal transmissions and interface with the corporate network through an access point. This also reduces the ability for someone to jam the wireless LAN - a form of denial-of-service attack - from outside the perimeter of the facility. In addition, consider setting access points near the edge of the building to lower transmit power to reduce range outside the facility. This testing should be part of the wireless site survey.
Implement personal firewalls. If a hacker is able to associate with an access point, which is extremely probable if there is no encryption or authentication configured, the hacker can easily access (via the Windows operating system) files on other users' devices that are associated with an access point on the same wireless network. As a result, it's crucial that all users disable file sharing for all folders and utilize personal firewalls. These firewalls are part of various operating systems, such as Windows XP and Vista, and are available as third-party applications as well.
Control the deployment of wireless LANs. Ensure that all employees and organizations within the company coordinate the installation of wireless LANs with the appropriate information systems group. Forbid the use of unauthorized access points. Mandate the use of approved vendor products whose security safeguards you've had a chance to verify. Maintain a list of authorized radio NIC and access point MAC addresses that you can use as the basis for identifying rogue access points.
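As an added example (not from the original article), the following Python script implements the last recommendation above: it checks a scan export against an allowlist of authorized access-point MAC addresses and flags any entry that is either an unknown BSSID or an authorized BSSID advertising an SSID other than the one recorded for it. The scan format (bssid,ssid,channel), the MAC addresses and the SSIDs are constructed assumptions.

```python
import csv
import io

# Constructed allowlist of authorized access-point MACs, keyed to the SSID
# each one is supposed to serve (maintained by the information systems group).
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "corp-wifi",
    "00:11:22:33:44:02": "corp-wifi",
}

# Constructed scan export in the form bssid,ssid,channel. A real export
# would come from the WLAN controller or a wireless IDS sensor.
SCAN_EXPORT = """\
00:11:22:33:44:01,corp-wifi,1
00:11:22:33:44:02,corp-guest,6
AA-BB-CC-DD-EE-FF,corp-wifi,11
00:11:22:33:44:01,,1
00:11:22:33:44:09,linksys,6
"""

def normalize_mac(mac: str) -> str:
    """Canonical lowercase colon-separated MAC so comparisons are reliable."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def find_rogue_aps(scan_text: str, authorized: dict) -> list:
    """Return scan entries failing the allowlist check, each with a reason:
    a BSSID not on the list, or a listed BSSID advertising an SSID other than
    the one recorded for it. An empty SSID (broadcast disabled) is not a mismatch.
    """
    allow = {normalize_mac(m): s for m, s in authorized.items()}
    findings = []
    for bssid, ssid, channel in csv.reader(io.StringIO(scan_text)):
        bssid = normalize_mac(bssid)
        if bssid not in allow:
            reason = "unknown BSSID"
        elif ssid and ssid != allow[bssid]:
            reason = f"SSID mismatch (expected {allow[bssid]!r})"
        else:
            continue  # authorized AP serving its recorded SSID (or hiding it)
        findings.append({"bssid": bssid, "ssid": ssid, "channel": int(channel), "reason": reason})
    return findings

if __name__ == "__main__":
    for f in find_rogue_aps(SCAN_EXPORT, AUTHORIZED_APS):
        print(f"{f['bssid']}  ssid={f['ssid']!r}  ch={f['channel']}  {f['reason']}")
```

An unknown BSSID may be an employee's unapproved access point or a neighbouring network, so each finding still needs a physical check before it is treated as rogue.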
With these recommendations in mind, you have a basis for forming a solid security policy. When deciding on which techniques to implement, however, be sure to consider actual security needs.
Jim Geier provides independent consulting services and training to companies developing and deploying wireless networks for enterprises and municipalities. He is the author of a dozen books on wireless topics.