Fitting the WLAN Security pieces togetherBy Lisa Phifer
Creating a secure enterprise WLAN can sometimes feel like assembling a complex jigsaw puzzle – in the dark. When it comes to security, wireless APs and adapters inter-lock in ways that are obvious. But relationships and dependencies between other WLAN pieces can be perplexing, even elusive. This article discusses what security capabilities can you expect from enterprise WLAN products, and how those measures can dovetail with the rest of your network infrastructure.
Forewarned is forearmed
When preparing to deploy a new WLAN or undertake a major upgrade, security should be baked into your design. The survey and modeling tools used to plan your WLAN can play a significant role in creating a secure solution.
Portable discovery tools (stumblers) and site survey programs from vendors like AirMagnet and Berkeley Varitronics measure RF behavior at the target site and map results on floorplans. During this process, you will not only position your own APs, but find existing neighbor APs and sources of RF interference. Such programs may export authorized/unauthorized device lists and floorplans for import by WLAN Analyzers and Wireless IPS systems.
Planning programs from vendors like Ekahau and AirTight Networks often use survey results to predict the capacity and performance of a proposed WLAN design. This is also an opportunity to reduce risky RF leakage into public areas and adjacent offices. Look for planners that not only display coverage heatmaps, but suggest ways to avoid unnecessary exposure by relocating APs, adding antennas, or adjusting transmit power.
Building a solid foundation
802.11 security capabilities built into APs and adapters have a clear impact on over-the-air data protection. For most enterprises, that means choosing equipment that supports WPA2-Enterprise (AES encryption, 802.1X port access control, RADIUS authentication). But WLAN security doesn't stop there.
Examine distribution of security functionality between your WLAN controller and APs. For example, enterprises with latency-sensitive applications may need controller-based fast roaming features (things like key caching and pre-authentication) – but these can only be used within single-vendor WLANs.
If your wired network is already segmented by a VLAN, you will need APs that support 802.1Q VLAN tagging and perhaps RFC 3580 (802.1X-based tagging.) If not, insulate your wired network from wireless intruders by placing APs outside a firewall or VPN gateway.
When using 802.1X, your APs (or perhaps your controller) must speak RADIUS to your authentication server, which in turn interfaces with your user directory and database (e.g., Microsoft's Active Directory). Consider both security and availability when deciding how to relay WLAN access requests between these systems.
For visitors, you might allow unfiltered Internet access, use your controller's captive portal, or redirect guests to an existing portal inside your wired LAN. Be sure to compartmentalize guest traffic inside your network – for example, by mapping a "guest" SSID onto its own VLAN.
The biggest deployment challenge is usually client software installation, configuration, and maintenance. On managed client devices, you must deploy 802.1X Supplicants (or, for those who prefer IPsec, VPN clients). Conventional desktop management tools can help here. But installing client software may not be feasible on visitor or embedded devices.
Keeping your eye on the ball
After deployment, WLANs require maintenance and monitoring. Here, your network and system management tools can play an important role in security. For example, controllers can push AP firmware to quickly apply security patches, while AD Group Policy Objects can ensure that WLAN connections comply with security policy.
For security monitoring, some enterprises rely on WLAN infrastructure capabilities – for example, using controller reports to document usage or flag rogue APs. If you need more visibility, deploy a Wireless IPS (WIPS).
An overlay WIPS uses a purpose-built server to analyze observations gathered by dedicated sensors, feeding alerts to a dashboard, database, and upstream Network Management System. An embedded WIPS is (to some degree) integrated with WLAN infrastructure – for example, APs placed into monitor-only mode.
As link security improves, more attacks are taking advantage of lax client settings and user attraction to unknown APs. These risks can be addressed by deploying another piece of client software: a host-resident WIPS agent. Available from vendors like AirDefense and AirTight Networks, these agents can be used alone (alerting users directly) or in conjunction with a WIPS server (forwarding alerts to a central system).
When incidents occur, WLAN protocol analyzers and RF spectrum analyzers can be used to investigate and respond. Although most analyzers are portable, running on laptops or PDAs, some WIPS can temporarily turn a sensor or AP into a remote analyzer. This is done by connecting to a sensor or AP from a WIPS console, then tuning it to a specified channel to capture remote traffic for analysis at the central site.
During incident response, you may implement stop-loss actions or long-term resolutions. To automate the former, you can use a WIPS to break wireless associations and stop traffic from entering the wired network. A WIPS can also assist with the latter by estimating an intruder's location. In the end, you will probably have to send someone on-site with a portable analyzer to find and physically remove the intruder.