Best Practices For Wireless Network Security
com/article/2573986/best-practices-for-wireless-network-security.html
Wireless LANs, which use radio frequencies to broadcast in the unlicensed 2.4-GHz frequency band, can be as simple as two computers equipped with wireless network interface cards or as complex as hundreds of computers outfitted with cards communicating through access points. They're relatively inexpensive and easy to install.
But they also introduce a number of critical security risks and challenges, and it's
important to implement strong security measures to mitigate these risks. What
follows are potential risks and associated best practices to help you secure your
network and understand WLAN characteristics:
Though establishing policies to govern wireless networks would appear to be a basic requirement, institutions often fail to take this step or to inform employees of the risks of using a wireless network in a way that doesn't comply with those policies. Once policies are in place, it's critical to communicate them to increase users' awareness and understanding.
How to mitigate:
Conduct regular security awareness and training sessions for both systems administrators and users. It's important to keep systems administrators informed of technical advances and protocols, but it's equally important for users to understand the reasons for the protocols. An educated user is more likely to be a compliant one, with less protest. These education sessions should stress the importance of vigilance.
How to mitigate:
5. Use a closed network. With a closed network, users type the SSID into the
client application instead of selecting the SSID from a list. This feature
makes it slightly more difficult for the user to gain access, but education on
this risk-mitigation strategy can reduce potential resistance.
Rogue access points are those installed by users without coordinating with IT.
Because access points are inexpensive and easy to install, rogue installations
are becoming more common.
Rogue access points are often poorly configured and might permit traffic that can
be hard for intrusion-detection software to pinpoint.
How to mitigate:
1. Conduct extensive site surveys regularly to determine the location of all access
points. Ensure that access points aren't near interfering appliances such as
microwave ovens, electrical conduits, elevators or furniture.
2. Plan for access-point coverage to radiate out toward windows, but not beyond.
3. Provide directional antennas for wireless devices to better contain and control the
radio frequency array and thus prevent unauthorized access.
4. Purchase access points that have "flashable" firmware only, to allow users to
install security patches and upgrades in future releases.
5. Disable Simple Network Management Protocol (SNMP) community passwords on all access points. SNMP is used as an access-point management mechanism, and while it offers operational efficiencies, it increases the risk of security breaches.
6. Set the authentication method to OPEN rather than to shared encryption key. This seems counterintuitive, because using encryption for authentication is typically preferred. However, when using the shared encryption key feature, the challenge text is sent in clear text. This could help an unauthorized party calculate the shared secret key using the encrypted version of the same text. So, ironically, using the default OPEN authentication actually reduces the possibility of an unauthorized party discovering your WEP encryption key.
7. Use Remote Authentication Dial-In User Service (RADIUS), which can be built into an access point or provided via a separate server. RADIUS is an additional authentication step. Interface this authentication server to a user database to ensure that the requesting user is authorized.
8. Force 30-minute reauthentication for all users.
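The site-survey step above becomes far more useful when each survey is reconciled against the inventory of sanctioned access points. The following is an added example, not code from the article; the inventory, the survey lines and the indoor signal threshold are constructed assumptions, and a real survey would come from a wireless scanner or WLAN controller.

```python
"""Reconcile a site-survey scan with the authorized access-point inventory.

Added example, not from the original article. The inventory and the
survey lines below are constructed.
"""
from dataclasses import dataclass

# Constructed inventory of sanctioned APs, keyed by BSSID (lower-case).
AUTHORIZED_APS = {
    "00:11:22:aa:bb:01": {"ssid": "CORP-WLAN", "channel": 1},
    "00:11:22:aa:bb:02": {"ssid": "CORP-WLAN", "channel": 6},
    "00:11:22:aa:bb:03": {"ssid": "CORP-WLAN", "channel": 11},
}

# Constructed survey output, one AP per line: bssid ssid channel signal_dbm
SURVEY = """\
00:11:22:aa:bb:01 CORP-WLAN 1 -41
00:11:22:aa:bb:02 CORP-WLAN 11 -47
de:ad:be:ef:00:01 CORP-WLAN 6 -38
c0:ff:ee:00:00:42 linksys 6 -52
66:77:88:99:aa:bb NeighborNet 3 -84
"""

@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    reason: str

def reconcile(survey, inventory=AUTHORIZED_APS, indoor_dbm=-70):
    """Return a Finding for every AP that does not match the inventory.

    unknown BSSID advertising a corporate SSID  -> AP impersonating the WLAN
    unknown BSSID heard stronger than indoor_dbm -> likely rogue install
    known BSSID on another SSID or channel       -> configuration drift
    Faint unknown networks are treated as neighbours and ignored.
    """
    corporate = {ap["ssid"] for ap in inventory.values()}
    findings = []
    for line in survey.strip().splitlines():
        bssid, ssid, channel, signal = line.split()
        expected = inventory.get(bssid.lower())
        if expected is None:
            if ssid in corporate:
                findings.append(Finding(bssid, ssid, "unknown AP broadcasting corporate SSID"))
            elif int(signal) > indoor_dbm:
                findings.append(Finding(bssid, ssid, "unregistered AP with strong indoor signal"))
        elif expected["ssid"] != ssid or expected["channel"] != int(channel):
            findings.append(Finding(bssid, ssid, "authorized AP not on its registered SSID/channel"))
    return findings
```

Each finding is a candidate for a physical walk-through: an unknown BSSID announcing the corporate SSID is the most urgent, a drifted authorized AP usually means an unreviewed configuration change.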
How to mitigate:
1. Encrypt all traffic over the WLAN. There are a variety of methods to select from:
o Use application encryption such as Pretty Good Privacy, Secure Shell (SSH) or Secure Sockets Layer.
o Enable WEP, an encryption method that's intended to give wireless users security equivalent to being on a wired network but that has been proved to be insecure (its RC4 stream cipher, which is used to encrypt the data, has been cracked). Both 40- and 128-bit keys have been cracked -- the 128-bit encryption only prolongs the cracking process. Despite its weaknesses, the WEP security that's built into wireless LANs can delay an unauthorized user's intrusion or possibly prevent a novice hacker's attacks entirely. (Note: The WEP factory default is OFF.)
o Require the use of a VPN running at least FIPS-141 triple Data Encryption Standard and encrypting all traffic, not only the ID and password. Segment all wireless network traffic behind a firewall and configure each client with a VPN client to tunnel the data to a VPN concentrator on the wired network. Configure clients so that they communicate only with the VPN concentrator. Evaluate the following features when purchasing VPN technologies: interoperability with existing infrastructure, support for wireless and dial-up networking, a packet-filtering or stateful-inspection firewall, automatic security updates and a centralized management console.
2. Implement a two-factor authentication scheme using access tokens for users accessing critical infrastructure.
3. Use 802.11x standards for key management and authentication.
4. Use Extensible Authentication Protocols.
5. Activate the Broadcast Key Rotation functionality. Set a specific amount of time
(usually 10 minutes or less) on the access point; each time the counter runs out,
the access point broadcasts a new WEP key, encrypting it with the old, thus
reducing the amount of time available to crack the key.
6. Restrict LAN access rights by role.
Capacity is shared between all the users associated with an access point, and since load balancing doesn't exist on access points, network performance can be improved dramatically if the appropriate number of access points is available to users.
Frequently, unauthorized users' intentions are to steal bandwidth rather than to view and alter the data passing along the wireless network. Therefore, these unauthorized users can significantly reduce network performance for authorized users. Finally, a denial-of-service (DoS) attack can disable or disrupt your operations. A DoS doesn't have to be intentional. For example, users can transfer large files that can cause a network outage.
Another unintentional DoS can occur when legitimate traffic uses the same radio
channel. Conversely, a DoS can also be an intentional overflow, such as a ping
flood to intentionally cause network disruptions.
How to mitigate:
Because wireless networks are insecure, they're prone to attacks. Such attacks
can include spreading viruses, loss of confidentiality and data integrity, data
extraction without detection, privacy violations and identity theft.
How to mitigate:
Wireless 802.11 networks don't authenticate frames, which may result in frames being altered, authorized sessions being hijacked or authentication credentials being stolen by an impostor. Therefore, the data contained within those frames can't be assured to be authentic, since there's no protection against forgery of frame source addresses.
How to mitigate:
1. Limit access to specific MAC addresses that are filtered via a firewall. This technique isn't completely secure, because MAC addresses can be spoofed, but it does improve the overall security strategy. Another difficulty with this technique is the maintenance effort required. A MAC address is tied to a hardware device, so every time an authorized device is added to or removed from the network, the MAC address has to be registered in the database.
2. Monitor logs weekly and scan critical host logs daily.
3. Use proven data link layer cryptography such as SSH, Transport Layer Security (TLS) or IPsec.
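Items 1 and 2 above (the MAC address registry and the log review) fit together: the registry is the reference the weekly log review is checked against, and the review is where the limits of MAC filtering show up. The following is an added example, not the article's own code; the registry, the access-point site map, the log format and the 30-minute travel window are constructed assumptions.

```python
"""Review access-point association logs against the MAC address registry.

Added example, not from the original article. Registry, AP site map and
log lines are constructed, and the log format is an assumption.
"""
import re
from datetime import datetime, timedelta

# Constructed registry: MAC -> (owner, active). A device removed from the
# network is marked inactive here; the AP filter must be updated from this
# table, which is the upkeep the article warns about.
REGISTRY = {
    "aa:bb:cc:00:00:01": ("alice", True),
    "aa:bb:cc:00:00:02": ("bob", True),
    "aa:bb:cc:00:00:03": ("carol", False),   # laptop returned last month
}
AP_SITE = {"ap-hq-1": "hq", "ap-hq-2": "hq", "ap-branch-1": "branch"}

# Constructed log, one event per line: "<ISO time> <AP> ASSOC <client MAC>"
LOG = """\
2024-05-01T09:00:05 ap-hq-1 ASSOC aa:bb:cc:00:00:01
2024-05-01T09:00:40 ap-hq-2 ASSOC aa:bb:cc:00:00:01
2024-05-01T09:01:10 ap-hq-1 ASSOC aa:bb:cc:00:00:02
2024-05-01T09:03:00 ap-branch-1 ASSOC aa:bb:cc:00:00:02
2024-05-01T09:04:00 ap-hq-2 ASSOC aa:bb:cc:00:00:03
2024-05-01T09:05:00 ap-hq-1 ASSOC 12:34:56:78:9a:bc
"""
LINE_RE = re.compile(r"^(\S+) (\S+) ASSOC ([0-9a-f]{2}(?::[0-9a-f]{2}){5})$")

def review_associations(log, registry=REGISTRY, sites=AP_SITE,
                        travel=timedelta(minutes=30)):
    """Return (kind, detail) alerts.

    unregistered: MAC not in the registry (filter bypassed or never applied)
    stale:        MAC marked inactive but still accepted by an AP
    duplicate:    one MAC at two sites within `travel`; a filter cannot tell
                  a copied address from the real device, so this needs a look
    Moving between APs at the same site is ordinary roaming and not flagged.
    """
    alerts, last = [], {}
    for line in log.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            alerts.append(("unparsed", line))
            continue
        ts, ap, mac = m.groups()
        ts = datetime.fromisoformat(ts)
        if mac not in registry:
            alerts.append(("unregistered", mac))
            continue
        if not registry[mac][1]:
            alerts.append(("stale", mac))
        site = sites.get(ap, ap)
        prev = last.get(mac)
        if prev and prev[1] != site and ts - prev[0] <= travel:
            alerts.append(("duplicate", mac))
        last[mac] = (ts, site)
    return alerts
```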
Commonly used wireless and handheld devices such as PDAs, laptops and
access points are easy to lose or to steal because of their small size and
portability. In the event of a theft, the unauthorized party can compromise such
devices to obtain proprietary information about your wireless network
configuration.
How to mitigate:
Conclusion
After examining just a few risks associated with WLANs, their high-risk nature
becomes quite evident.
Overall, the greatest weakness with wireless security isn't the technical
shortcomings but out-of-the-box insecure installations. This risk can be overcome
with attention to detail. But remember that the human factor is the weakest link
and that this risk needs to be considered when appointing a network
administrator and funding suitable review procedures.