
Best Practices For Wireless Network Security

This article discusses best practices for securing wireless networks. It identifies four main risks: 1) insufficient policies, training and awareness; 2) lack of access constraints; 3) rogue access points; and 4) traffic analysis and eavesdropping. For each risk, it provides mitigation strategies such as developing security policies, changing default settings, encrypting traffic, conducting network scans to find rogue access points, and implementing user authentication. Following these practices can help secure a wireless network and protect it from unauthorized access or data interception.


https://www.computerworld.com/article/2573986/best-practices-for-wireless-network-security.html

Best Practices for Wireless Network Security

Wireless technology is dramatically changing the world of computing, creating
new business opportunities but also increasing security risks.

Wireless LANs, which use radio frequencies to broadcast in the unlicensed 2.4-
GHz frequency band, can be as simple as two computers equipped with wireless
network interface cards or as complex as hundreds of computers outfitted with
cards communicating through access points. They're relatively inexpensive and
easy to install.

But they also introduce a number of critical security risks and challenges, and it's
important to implement strong security measures to mitigate these risks. What
follows are potential risks and associated best practices to help you secure your
network and understand WLAN characteristics:


Risk No. 1: Insufficient policies, training and awareness

Though establishing policies to govern wireless networks would appear to be a
basic requirement, institutions often fail to take this step or to inform employees
of the risks associated with not using a wireless network in accordance with the
policies. Once policies are implemented, it's critical to communicate them to
increase users' awareness and understanding.

How to mitigate:

Develop institutionwide policies with detailed procedures regarding wireless
devices and usage. Maintain these policies and procedures to keep current with
technology and trends. While each institution will have specific requirements, at a
minimum require the registration of all WLANs as part of overall security strategy.
And because a policy isn't effective if users aren't in compliance, monitor the
network to ensure that users are following the policy as intended.

Conduct regular security awareness and training sessions for both systems
administrators and users. It's important to keep systems administrators informed
of technical advances and protocols, but it's equally important for users to
understand the reasons for the protocols. An educated user will more likely be a
compliant one, without as much protest. These education sessions should stress
the importance of vigilance.

Risk No. 2: Access constraints

Wireless access points repeatedly send out signals to announce themselves so
that users can find them to initiate connectivity. This signal transmission occurs
when 802.11 beacon frames containing the access points' Service Set Identifier
are sent unencrypted. (SSIDs are names or descriptions used to differentiate
networks from one another.) This could make it easy for unauthorized users to
learn the network name and attempt an attack or intrusion.

How to mitigate:

1. Enable available security features. Embedded security features are disabled by
default.
2. Change the default settings. Default SSIDs are set by the manufacturer. For
example, Cisco's default SSID is "tsunami," and Linksys' is "linksys." Not
changing these makes it easier for an unauthorized user to gain access. Define a
complex SSID naming convention. Don't change the SSID to reflect identifiable
information, since this too could make it easy for an unauthorized user to gain
access. Instead, use long, nonmeaningful strings of characters, including letters,
numbers and symbols.
3. Disable Dynamic Host Configuration Protocol and use static IP addresses
instead. Using DHCP automatically provides an IP address to anyone, authorized
or not, attempting to gain access to your wireless network, again making it just
that much easier for unauthorized penetration.
4. Move or encrypt the SSID and the Wired Equivalent Privacy (WEP) key that are
typically stored in the Windows registry file. Moving these privileged files makes it
more difficult for a hacker to acquire privileged information. This step could either
prevent an unauthorized intrusion or delay the intrusion until detection occurs.

5. Use a closed network. With a closed network, users type the SSID into the
client application instead of selecting the SSID from a list. This feature
makes it slightly more difficult for the user to gain access, but education on
this risk-mitigation strategy can reduce potential resistance. 

To gain maximum advantage of a closed network, change the SSID regularly so
that terminated employees can't gain access to the network. Develop and
implement an SSID management process to change the SSID regularly and to
inform authorized employees of the new SSID.
6. Track employees who have WLANs at home or at a remote site. Require that
wireless networks are placed behind the main routed interface so the institution
can shut them off if necessary. If WLANs are being used at home, require
specific security configurations, including encryption and virtual private network
(VPN) tunneling.

Risk No. 3: Rogue access points

Rogue access points are those installed by users without coordinating with IT.
Because access points are inexpensive and easy to install, rogue installations
are becoming more common.

Rogue access points are often poorly configured and might permit traffic that can
be hard for intrusion-detection software to pinpoint.

How to mitigate:

1. Conduct extensive site surveys regularly to determine the location of all access
points. Ensure that access points aren't near interfering appliances such as
microwave ovens, electrical conduits, elevators or furniture.
2. Plan for access-point coverage to radiate out toward windows, but not beyond.
3. Provide directional antennas for wireless devices to better contain and control the
radio frequency array and thus prevent unauthorized access.
4. Purchase access points that have "flashable" firmware only, to allow users to
install security patches and upgrades in future releases.
5. Disable Simple Network Management Protocol community passwords on all
access points. SNMP is used as an access-point management mechanism, and
while it offers operational efficiencies, it increases the risk of security breaches.
6. Set Authentication method to OPEN rather than to shared encryption key. This
seems contrary because using encryption for authentication is typically preferred.
However, when using the shared encryption key feature, the challenge text is
sent in clear text. This could help an unauthorized party calculate the shared
secret key using the encrypted version of the same text. So ironically, using the
default OPEN authentication actually reduces the possibility of an unauthorized
party discovering your WEP encryption key.
7. Use Remote Authentication Dial-In User Service, which can be built into an
access point or provided via a separate server. RADIUS is an additional
authentication step. Interface this authentication server to a user database to
ensure that the requesting user is authorized.
8. Force 30-minute reauthentication for all users.
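
The registration, default-SSID, site-survey and OPEN-authentication steps above can be checked mechanically after each survey. The following is an added example, not part of the original article: it compares constructed site-survey records against a registered access-point inventory. The field names, BSSIDs and the approved SSID are assumptions made for illustration.

```python
"""Added example: audit constructed site-survey results against a registered-AP inventory."""

# Registered access points (constructed inventory): BSSID -> approved SSID.
REGISTERED = {
    "00:11:22:33:44:01": "x7Qp-4vL9z_Tk2",
    "00:11:22:33:44:02": "x7Qp-4vL9z_Tk2",
}
# Manufacturer default SSIDs named in the article.
DEFAULT_SSIDS = {"tsunami", "linksys"}

# Constructed survey records, as a scanner might export them (hypothetical field names).
SURVEY = [
    {"bssid": "00:11:22:33:44:01", "ssid": "x7Qp-4vL9z_Tk2", "auth": "open", "encrypted": True},
    {"bssid": "00:11:22:33:44:02", "ssid": "x7Qp-4vL9z_Tk2", "auth": "shared", "encrypted": True},
    {"bssid": "00-AA-BB-CC-DD-10", "ssid": "linksys", "auth": "open", "encrypted": False},
    {"bssid": "00:aa:bb:cc:dd:11", "ssid": "x7Qp-4vL9z_Tk2", "auth": "open", "encrypted": True},
]

def normalize(bssid):
    """Canonicalize a MAC so 00-AA-.. and 00:aa:.. compare equal."""
    return bssid.replace("-", ":").lower()

def audit(survey, registered=REGISTERED):
    """Return {bssid: [findings]} for every surveyed AP with at least one finding."""
    approved_ssids = set(registered.values())
    report = {}
    for ap in survey:
        bssid = normalize(ap["bssid"])
        findings = []
        if bssid not in registered:
            findings.append("unregistered access point")
            if ap["ssid"] in approved_ssids:
                findings.append("unregistered AP announcing an approved SSID")
        elif ap["ssid"] != registered[bssid]:
            findings.append("SSID differs from registered value")
        if ap["ssid"].lower() in DEFAULT_SSIDS:
            findings.append("manufacturer default SSID")
        if not ap["encrypted"]:
            findings.append("traffic not encrypted")
        if ap["auth"] == "shared":
            findings.append("shared-key authentication (article recommends OPEN)")
        if findings:
            report[bssid] = findings
    return report

if __name__ == "__main__":
    for bssid, findings in audit(SURVEY).items():
        print(bssid, "->", "; ".join(findings))
```
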

Risk No. 4: Traffic analysis and eavesdropping

Without actually gaining access to the network, unauthorized parties can
passively capture the confidential data traversing the network via airwaves and
can easily read it because it's sent in clear text. So an attacker could alter a
legitimate message by deleting, adding to, changing or reordering the message.
Or the attacker could monitor transmissions and retransmit messages as a
legitimate user.
By default, WLANs send unencrypted or poorly encrypted messages using WEP
over the airwaves that can be easily intercepted and/or altered. Currently,
wireless networks are beset by weak 802.11x Access Control Mechanisms,
resulting in weak message authentication.

How to mitigate:

1. Encrypt all traffic over the WLAN. There are a variety of methods to select
from:
o Use application encryption such as Pretty Good Privacy, Secure Shell
(SSH) or Secure Sockets Layer.
o Enable WEP, an encryption method that's intended to give wireless users
security equivalent to being on a wired network but that has been proved
to be insecure (its RC4 stream cipher, which is used to encrypt the data,
has been cracked). Both 40- and 128-bit keys have been cracked -- the
128-bit encryption only prolongs the cracking process. Despite its
weaknesses, the WEP security that's built into wireless LANs can delay
an unauthorized user's intrusion or possibly prevent a novice hacker's
attacks entirely. (Note: The WEP factory default is OFF.)
o Require the use of a VPN running at least FIPS-141 triple Data
Encryption Standard and encrypting all traffic, not only the ID and
password. Segment all wireless network traffic behind a firewall and
configure each client with a VPN client to tunnel the data to a VPN
concentrator on the wired network. Configure so users communicate only
with the VPN concentration point. Evaluate the following features when
purchasing VPN technologies: interoperability with existing infrastructure,
support for wireless and dial-up networking, packet-filtering or stateful-
inspection firewall, automatic security updates and a centralized
management console.
2. Implement a two-factor authentication scheme using access tokens for users
accessing critical infrastructure.
3. Utilize 802.11x for key management and authentication standards.
4. Use Extensible Authentication Protocols.
5. Activate the Broadcast Key Rotation functionality. Set a specific amount of time
(usually 10 minutes or less) on the access point; each time the counter runs out,
the access point broadcasts a new WEP key, encrypting it with the old, thus
reducing the amount of time available to crack the key.
6. Restrict LAN access rights by role.

Risk No. 5: Insufficient network performance

Wireless LANs have limited transmission capacity. Networks based on 802.11b
have a bit rate of 11Mbit/sec. while networks based on 802.11a have a bit rate of
54Mbit/sec. Media Access Control overhead alone consumes roughly half of the
normal bit rate.

Capacity is shared between all the users associated with an access point, and
since load balancing doesn't exist on access points, network performance can be
improved dramatically if the appropriate number of access points are available to
users.

Frequently, unauthorized users' intentions are to steal bandwidth rather than view
and alter the data passing along the wireless network. Therefore, these
unauthorized users can significantly reduce network performance for authorized
users. Finally, a DoS attack can disable or disrupt your operations. A DoS doesn't
have to be intentional. For example, users can transfer large files that can cause
a network outage.

Another unintentional DoS can occur when legitimate traffic uses the same radio
channel. Conversely, a DoS can also be an intentional overflow, such as a ping
flood to intentionally cause network disruptions.

How to mitigate:

1. Continually monitor network performance and investigate any anomalies
immediately.
2. Segment the access point's coverage areas to reduce the number of people
using each access point.
3. Apply a traffic-shaping solution to allow administrators to proactively manage
traffic rather than react to irregularities.

Risk No. 6: Hacker attacks

Because wireless networks are insecure, they're prone to attacks. Such attacks
can include spreading viruses, loss of confidentiality and data integrity, data
extraction without detection, privacy violations and identity theft.

How to mitigate:

1. Deploy a network-based intrusion-detection system on the wireless network;
review logs weekly.
2. Use and maintain antivirus software. Push out antivirus software upgrades to
clients from servers.
3. Create frequent backups of data and perform periodic restorations.

Risk No. 7: MAC spoofing/session hijacking

Wireless 802.11 networks don't authenticate frames, which may result in frames
being altered, authorized sessions being hijacked or authentication credentials
being stolen by an imposter. Therefore, the data contained within their frames
can't be assured to be authentic, since there's no protection against forgery of
frame source addresses.

Because attackers can observe Media Access Control addresses of stations in
use on the network, they can adopt those addresses for malicious transmission.
Finally, station addresses, not the users themselves, are identified. That's not a
strong authentication technique, and it can be compromised by an unauthorized
party.

How to mitigate:

1. Limit access to specific MAC addresses that are filtered via a firewall. This
technique isn't completely secure, because MAC addresses can be duped, but it
does improve the overall security strategy. Another difficulty with this technique is
the maintenance effort required. A MAC address is tied to a hardware device, so
every time an authorized device is added to or removed from the network, the
MAC address has to be registered into the database.
2. Monitor logs weekly and scan critical host logs daily.
3. Use proven data link layer cryptography such as SSH, Transport-Level Security
or IPsec.

Risk No. 8: Physical security deficiencies

Commonly used wireless and handheld devices such as PDAs, laptops and
access points are easy to lose or to steal because of their small size and
portability. In the event of a theft, the unauthorized party can compromise such
devices to obtain proprietary information about your wireless network
configuration.

How to mitigate:

1. Implement strong physical security controls, including barriers and guards
to prevent the theft of equipment and unauthorized access.
2. Label and maintain inventories of all fielded wireless and handheld
devices.
3. Use device-independent authentication so that lost or stolen devices can't
gain access to the WLAN.

Conclusion

After examining just a few risks associated with WLANs, their high-risk nature
becomes quite evident.

To moderate risks, management and systems administrators must perform
ongoing risk assessments to ensure not just that they understand the risks that
they face, but that they also take appropriate steps to mitigate the risks.

Overall, the greatest weakness with wireless security isn't the technical
shortcomings but out-of-the-box insecure installations. This risk can be overcome
with attention to detail. But remember that the human factor is the weakest link
and that this risk needs to be considered when appointing a network
administrator and funding suitable review procedures.

In optimistic summary, risk provides opportunity that just needs to be managed.
It's an inspiration for progress and should be a welcome challenge, as long as it's
given the proper consideration.

Printed with permission. Copyright 2004, Information Systems Control Journal,
Information Systems Audit and Control Association® (ISACA®), Rolling
Meadows, IL, USA.
