Guide to Wireless LAN Security
Fitting the WLAN Security pieces togetherBy Lisa Phifer
Creating a secure enterprise WLAN can sometimes feel like assembling a complex jigsaw puzzle – in the dark. When it comes to security, wireless APs and adapters inter-lock in ways that are obvious. But relationships and dependencies between other WLAN pieces can be perplexing, even elusive. This article discusses what security capabilities can you expect from enterprise WLAN products, and how those measures can dovetail with the rest of your network infrastructure.
Forewarned is forearmed
When preparing to deploy a new WLAN or undertake a major upgrade, security should be baked into your design. The survey and modeling tools used to plan your WLAN can play a significant role in creating a secure solution.
Portable discovery tools (stumblers) and site survey programs from vendors like AirMagnet and Berkeley Varitronics measure RF behavior at the target site and map results on floorplans. During this process, you will not only position your own APs, but find existing neighbor APs and sources of RF interference. Such programs may export authorized/unauthorized device lists and floorplans for import by WLAN Analyzers and Wireless IPS systems.
Planning programs from vendors like Ekahau and AirTight Networks often use survey results to predict the capacity and performance of a proposed WLAN design. This is also an opportunity to reduce risky RF leakage into public areas and adjacent offices. Look for planners that not only display coverage heatmaps, but suggest ways to avoid unnecessary exposure by relocating APs, adding antennas, or adjusting transmit power.
Building a solid foundation
802.11 security capabilities built into APs and adapters have a clear impact on over-the-air data protection. For most enterprises, that means choosing equipment that supports WPA2-Enterprise (AES encryption, 802.1X port access control, RADIUS authentication). But WLAN security doesn't stop there.
Examine distribution of security functionality between your WLAN controller and APs. For example, enterprises with latency-sensitive applications may need controller-based fast roaming features (things like key caching and pre-authentication) – but these can only be used within single-vendor WLANs.
If your wired network is already segmented by a VLAN, you will need APs that support 802.1Q VLAN tagging and perhaps RFC 3580 (802.1X-based tagging.) If not, insulate your wired network from wireless intruders by placing APs outside a firewall or VPN gateway.
When using 802.1X, your APs (or perhaps your controller) must speak RADIUS to your authentication server, which in turn interfaces with your user directory and database (e.g., Microsoft's Active Directory). Consider both security and availability when deciding how to relay WLAN access requests between these systems.
For visitors, you might allow unfiltered Internet access, use your controller's captive portal, or redirect guests to an existing portal inside your wired LAN. Be sure to compartmentalize guest traffic inside your network – for example, by mapping a "guest" SSID onto its own VLAN.
The biggest deployment challenge is usually client software installation, configuration, and maintenance. On managed client devices, you must deploy 802.1X Supplicants (or, for those who prefer IPsec, VPN clients). Conventional desktop management tools can help here. But installing client software may not be feasible on visitor or embedded devices.
Keeping your eye on the ball
After deployment, WLANs require maintenance and monitoring. Here, your network and system management tools can play an important role in security. For example, controllers can push AP firmware to quickly apply security patches, while AD Group Policy Objects can ensure that WLAN connections comply with security policy.
For security monitoring, some enterprises rely on WLAN infrastructure capabilities – for example, using controller reports to document usage or flag rogue APs. If you need more visibility, deploy a Wireless IPS (WIPS).
An overlay WIPS uses a purpose-built server to analyze observations gathered by dedicated sensors, feeding alerts to a dashboard, database, and upstream Network Management System. An embedded WIPS is (to some degree) integrated with WLAN infrastructure – for example, APs placed into monitor-only mode.
As link security improves, more attacks are taking advantage of lax client settings and user attraction to unknown APs. These risks can be addressed by deploying another piece of client software: a host-resident WIPS agent. Available from vendors like AirDefense and AirTight Networks, these agents can be used alone (alerting users directly) or in conjunction with a WIPS server (forwarding alerts to a central system).
When incidents occur, WLAN protocol analyzers and RF spectrum analyzers can be used to investigate and respond. Although most analyzers are portable, running on laptops or PDAs, some WIPS can temporarily turn a sensor or AP into a remote analyzer. This is done by connecting to a sensor or AP from a WIPS console, then tuning it to a specified channel to capture remote traffic for analysis at the central site.
During incident response, you may implement stop-loss actions or long-term resolutions. To automate the former, you can use a WIPS to break wireless associations and stop traffic from entering the wired network. A WIPS can also assist with the latter by estimating an intruder's location. In the end, you will probably have to send someone on-site with a portable analyzer to find and physically remove the intruder.
Top 5 Questions for WLAN Security VendorsBy Lisa Phifer
Many companies that have dabbled in Wi-Fi for best-effort Internet and email are ready to turn the crank on pervasive enterprise WLANs to support mission-critical applications. During this expansion, security will be crucial. What questions should enterprises ask of perspective WLAN security vendors?
#1: Are you ready for 802.11n?
From site survey and planning to WLAN analysis and Wireless IPS, most security products will require software updates and/or hardware upgrades for 802.11n. Today, ask about features for modeling, detecting, and decoding both pre-N and 802.11n draft 2.0 protocols. Next year, those features will require update to align with the final 802.11n standard. When it comes to security, blind spots are unacceptable. A security product that cannot see what an 802.11n AP or station is doing puts your network at risk.
#2: How do you secure VoFi and multimedia traffic?
WLAN equipment is being scaled and refined to support the stringent demands of voice and multimedia. Security and performance are often pitted against one another, and minor annoyances for data will quickly become show stoppers for latency-sensitive or high-throughput applications. Enterprises should ask WLAN vendors how they secure such applications, and the impact of various security settings on capacity and quality. WLAN planning systems must be able to consider these application needs, while WLAN analysis and IPS will need to offer meaningful interpretation, like the ability to differentiate between basic interference and targeted VoFi attacks.
#3: Do you have a knack for NAC?
Network Access Control (NAC) is poised to take enterprise networks by storm, with broad impact on both wired and wireless LANs. Fortunately, most wireless APs can use 802.1X to fit nicely into any flavor of NAC. But don't make assumptions. Enterprises should ask WLAN vendors how the APs and controllers they buy can be plugged into existing Cisco/Microsoft/TCG architectures. Look for capabilities like policy-based virtual APs, wireless isolation of unknown/infected clients, and 802.1X/VLAN mapping. Also ask about VLAN support in WLAN analyzers and IPS, and integration between Host WIPS agents and NAC agents.
#4: Security vs. scalability
As WLANs grow, tasks that were once practical and feasible will quickly become onerous, even impossible. Scalability certainly applies to WLAN security tools. Ask about WLAN planning and automation features that help minimize time-consuming site surveys. Inquire about WIPS capacity and reliability in large, distributed networks with hundreds of sites and thousands of APs. For example, deauthenticate-based blocking will have a tough time scaling without saturating the affected channels and sensors. In a large WLAN, diagnosing interference through ad hoc, on-site sampling simply won't cut it – ask about WIPS-integrated spectrum analysis.
When it comes to total cost of WLAN ownership, task automation and process integration are key. Pinching pennies on less-capable security platforms could end up costing a bundle by requiring on-site staff and tools for investigation and remediation. Look for role and regional delegation of WLAN security administration, monitoring, and reporting tools. Ask about centrally-initiated investigative aids, like the ability to use a remote sensor for traffic capture. Finally, look for opportunities to leverage existing security management infrastructure, like integration between WLAN authentication and Identity Management systems, or between WLAN alerts and Security Event Management Systems (SEMS).
Making enterprise WLANs safe for prime-time
By Lisa Phifer
Just as 802.11-based WLAN infrastructure products have grown up, WLAN security has had to mature as well.
"Enterprises have finally calmed down and are beginning to realize that WPA/WPA2 does give them the basic authentication and encryption they need," said Joel M Snyder, Senior Partner, Opus One. In late 2002,Wi-Fi Protected Access (WPA) enabled legacy device upgrades by simply patching around WEP cracking flaws. Two years later, version 2 (WPA2) lets new devices employ a stronger, more efficient cipher, AES.
But many are starting to panic about new security concerns. "How do we take this reliable, authenticated channel and properly integrate it into our network," asks Snyder. "Issues like Denial of Service, reliability, throughput, and management are notching the security discussion up to look at the bigger – and honestly, much more difficult – picture."
Putting the basics to bed
In her 2007 WLAN State of the Market study, researcher Joanie Wexler found that security remains the top barrier to enterprise WLAN expansion. "Fifty-two percent of respondents chose security as one of their two biggest challenges," said Wexler. At 24 percent, the next biggest challenge was WLAN reliability/stability due to unlicensed spectrum.
According to Wexler, WPA2 use spiked from 22 percent in 2005 to 38 percent in 2006, but held steady last year. "Perhaps the reason for stagnation is that 36 percent still use VPNs over wireless [connections]," explained Wexler. "And many retailers and manufacturers using legacy handhelds can't upgrade to WPA2 because of memory and processing constraints."
Burton Group Senior Analyst Paul DeBeasi predicts that enterprises will continue to use outdated security. "I frequently hear from enterprises that use WEP. They know that WEP is not secure, but inertia, upgrade cost, and complexity create roadblocks that they can't seem to navigate," said DeBeasi. "Enterprises need to be reminded that [WEP] significantly increases vulnerability."
Going farther, faster
Farpoint Group Principal Craig Mathias believes that "WPA2 is all that is going to matter as .11n adapters come on line." Interim measures like WPA were created to grandfather less capable WEP devices. 802.11n reach and speed may offer sufficient motivation to finally retire old gear. In fact, 802.11n products cannot pass Wi-Fi certification without WPA2.
DeBeasi thinks that 802.11n will shine a spotlight on networks with weak security. "802.11n will drive pervasive mobility in the enterprise," he said. "As wireless spreads, networks with weak security (e.g., using WEP, no WIPS) will become increasingly vulnerable. When enterprises deploy 802.11n, they should use that opportunity to strengthen their security."
Wireless IPS is a widely-accepted best practice for managing the business risk introduced by wireless. WIPS provides full-time, distributed monitoring of all Wi-Fi traffic, responding automatically to detected intrusions and policy violations. Gartner projected this market would double last year, following in the footsteps of enterprise WLAN deployment.
But experts noted a shift in WIPS architecture this year. "The top security trend that I see is the merging of WLAN infrastructure, management systems, and WIPS into a tightly-integrated system, either within or between vendors," said Devin Akin, Chief Technology Officer of The CWNP Program, the popular certification test series for wireless professionals.
Indeed, partnerships have grown between enterprise WLAN and WIPS vendors. For example, AirTight SpectraGuard has been paired with gear from 3Com, Cisco, Colubris Networks, Extreme Networks, Siemens, Extricom, LVL7, NextHop, and Ruckus Wireless. Similar relationships exist between other WLAN and WIPS vendors: AirDefense partners with Motorola, Nortel, Trapeze, and Enterasys, while AirMagnet partners with Aruba and Divitas.
But DeBeasi predicts that overlay WIPS will be marginalized by WLAN vendors that offer embedded WIPS. "Aruba's purchase of Network Chemistry will accelerate this trend," predicted DeBeasi. "Aruba and Cisco will integrate sensors into their APs and enhance their WIPS software. Air Defense and AirTight are between a rock and a hard place as [WLAN] vendors provide [embedded WIPS capabilities as] more cost effective substitutes."
Whether overlay or embedded, availability and reliability concerns will also drive expansion of enterprise WIPS products. "The second most prevalent trend that I see is the addition of physical layer monitoring to link layer WIPS," said Akin.
Enterprise WIPS can currently draw attention to security violations and performance problems. However, sensors and APs are 802.11 devices – they can only hear 802.11 traffic. Unfortunately, many DoS "attacks" reported by WIPS turn out to be caused by non-malicious competition for the over-crowded 2.4 and 5 GHz bands.
Spectrum analyzers look beyond 802.11, however, assessing the source and impact of all transmissions at the frequencies used by enterprise WLANs. Because interference can be sporadic, integrating spectrum analysis into both WLAN planning and on-going monitoring systems makes sense. For example, Cognio's Spectrum Expert has been integrated into AirMagnet Enterprise WIPS, while MetaGeek Wi-Spy pairs with planning systems from Ekahau and VisiWave.
Finally, Mathias emphasizes that WLAN security by itself isn't sufficient. "We've made excellent progress with WPA2, [but it] only secures a tiny piece of the overall value chain," he said. "I recommend strong authentication with any mobile device and sensitive data stored on it, with similar authentication and encryption at the [destination server]."
Mathias predicts that mobility-enabled VPNs (like those now offered by Columbitech, IBM, and NetMotion) will be used to secure both WLANs and WWANs. "Even though all of the major [WWAN] technologies support encryption and authentication, the enterprise should have control of information security, not the carrier," said Matthias. "This is going to become very important with converged solutions, which are the next big direction for wireless."
Why is wireless still insecure?
You may think your mobile workers are safe with their new wireless notebooks, but some WLAN tracking conducted at the RSA security conference earlier this year showed a multitude of vulnerabilities, new attack patterns from hackers and critical data leaks that would shake even the most confident security manager. Network World's Keith Shaw talks with Richard Rushing, chief security officer at AirDefense, which conducted the WLAN monitoring at the show. If you support mobile devices for your road warriors, or if you want to hear about the latest ways that hackers are tricking mobile users into unknowingly giving them data, listen to this podcast (21:52).