Meet the challenge of WLan security

Security: Wireless local area networks provide a unique challenge for IT when it comes to security. But following common best practices can help prevent breaches

According to a survey by Forrester Research, 63% of US companies use in-house wireless local area networks (WLans) to provide access to corporate applications and networks. In Europe too, WLans are becoming a standard part of most enterprise networks.

Previously restricted to meeting rooms, one-off events and guest areas, WLans are being used to provide access to the corporate network throughout the enterprise because of the improved productivity and flexibility they offer through mobile working.

However, any discussion of WLans cannot avoid the issue of security. A wireless network requires packets of data to travel through the air, making them prone to interception. Such breaches lead to the theft of sensitive corporate data, undermine trust in the safety of the corporate network and are likely to attract unwanted and damaging attention.

There are a number of wireless security threats: rogue access points masquerading as part of the network, the use of unauthorised devices and denial of service attacks.

One reason for WLan security breaches is a lack of awareness from end-users. Companies can install the latest and most expensive security systems, but these will be only as strong as the weakest link - often the end-user.

That said, wireless security should not complicate the way users work - but users do need to be protected from viruses and attacks.

According to research from analyst firm Gartner, 90% of WLan security incidents until 2010 will be the result of misconfigured systems.

"Common security best practices for all WLans are those that reduce the potential vulnerabilities of the basic characteristics of Wi-Fi systems," says John Girard, vice-president distinguished analyst for Gartner's Info Security and Privacy Research Centre.

Girard, author of a series of white papers on best practice in Wi-Fi security, splits these practices into three parts: overall planning, access points and client systems.

Overall planning requires IT directors to determine the requirements and policy for Wi-Fi use before any equipment is purchased.

"The best Wi-Fi architecture from a security point of view uses centrally controlled, coordinated access points that lack the programmability to be individually hacked. This approach should be the starting point," says Girard.

Another issue to consider at the planning stage is the positioning of wireless access points to minimise the Wi-Fi coverage area outside of the building - and thus minimise the ability of a nearby hacker to connect to the network and access corporate data.

The second practice involves managing wireless access points once the network is installed. A range of suppliers now build security capabilities into their WLan systems, with most providing security through the 802.x range of standards, as well as encryption, authentication, intrusion protection and "end point integrity". This refers to functions such as anti-virus, anti-spyware and personal firewall software.

A report from ABI Research in December 2006 ranked the leading WLan security suppliers in the following order: Trapeze Networks, Aruba Networks, Nortel, Cisco, Bluesocket, Alcatel-Lucent, Extreme Networks, Meru Networks, Xirrus and Symbol Technologies.

However, each supplier offers a mix of unique systems and expertise, so ABI warns that any company purchasing WLan equipment must perform in-depth research to ensure the most appropriate system for the location, function and level of security required.

One of the simplest, but most important, tasks in buying wireless access point equipment is to change the default configurations, which are often widely published on the internet. Buying an access point and turning it on without making any changes to the default settings offers hackers immediate access to the corporate network.

At the same time, it is a common myth that wireless access points have to "broadcast" their presence to make it possible for users and devices to find them.

The only effect broadcasting has is to advertise the presence of a network to external threats, says Phil Cracknell, senior analyst for information security at Deloitte, and UK president of the Information Systems Security Association (ISSA).

"It is a complete myth that if a business supports a wireless network it needs to be broadcast otherwise clients will not know it is there. All it means is that casual users and hackers know it is there. Broadcast does not need to be on, so all businesses should turn it off straight away," he says.

If broadcast is turned off, authorised devices need to be provided with the access point address or service set identifier (SSID) to connect to the network.

Of course, there is still a security risk, but turning off broadcasting is likely to deter any casual attempts to access the network, as it would require more sophisticated and time-consuming techniques to hack.

"Another method for protecting access is to keep a pre-defined list of authorised access points and devices - that is network interface cards - and configure the system to allow access only to devices on that list. It requires keeping an up-to-date list of users and laptop cards, but that is not a large price to pay," says Cracknell.
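The three access point practices above - replace factory defaults, turn off SSID broadcast and enforce a list of authorised devices - are simple enough to check mechanically. The following is an added illustration of such a check, not code from the article or from any supplier named in it: the configuration format, the tables of default settings and every MAC address are constructed for the example.

```python
# Added illustration: audit one access point's configuration against the
# practices described above.  The configuration format, the default-setting
# tables and every MAC address here are constructed for the example.
import re
from dataclasses import dataclass, field

# Constructed stand-ins for published factory defaults; a real audit would load
# the vendor's documented defaults for the specific model.
DEFAULT_SSIDS = {"default", "wireless", "linksys", "netgear"}
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password"}

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalise_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form; rejects malformed input."""
    cleaned = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(cleaned):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return cleaned


@dataclass
class APConfig:
    ssid: str
    admin_password: str
    ssid_broadcast: bool
    mac_filter_enabled: bool
    allowed_macs: list = field(default_factory=list)


def audit(cfg: APConfig, authorised_nics: set) -> list:
    """Return a list of findings; an empty list means the AP passes."""
    findings = []
    if cfg.ssid.strip().lower() in DEFAULT_SSIDS:
        findings.append("SSID is a factory default")
    if cfg.admin_password in DEFAULT_ADMIN_PASSWORDS:
        findings.append("management password is a factory default")
    if cfg.ssid_broadcast:
        findings.append("SSID broadcast is enabled")
    if not cfg.mac_filter_enabled:
        findings.append("device allow-list is not enforced")
        return findings
    # Compare the allow-list on the AP with the inventory of authorised NICs,
    # reporting drift in both directions and any entry that is not a MAC.
    configured = set()
    for mac in cfg.allowed_macs:
        try:
            configured.add(normalise_mac(mac))
        except ValueError as err:
            findings.append(str(err))
    authorised = {normalise_mac(m) for m in authorised_nics}
    for mac in sorted(configured - authorised):
        findings.append(f"allow-list contains unauthorised device {mac}")
    for mac in sorted(authorised - configured):
        findings.append(f"authorised device {mac} missing from allow-list")
    return findings


# Constructed inventory of authorised laptop NICs (mixed notations on purpose).
AUTHORISED_NICS = {"00:1A:2B:3C:4D:5E", "00-1a-2b-3c-4d-5f"}

FACTORY = APConfig(ssid="default", admin_password="admin",
                   ssid_broadcast=True, mac_filter_enabled=False)

HARDENED = APConfig(ssid="corp-wifi", admin_password="r3placed-at-install",
                    ssid_broadcast=False, mac_filter_enabled=True,
                    allowed_macs=["00:1a:2b:3c:4d:5e", "00:1A:2B:3C:4D:5F"])

# An AP whose allow-list has drifted from the inventory and has a typo in it.
STALE = APConfig(ssid="corp-wifi", admin_password="r3placed-at-install",
                 ssid_broadcast=False, mac_filter_enabled=True,
                 allowed_macs=["00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:60",
                               "not-a-mac"])

if __name__ == "__main__":
    for name, cfg in [("factory", FACTORY), ("hardened", HARDENED),
                      ("stale", STALE)]:
        print(name, audit(cfg, AUTHORISED_NICS) or ["OK"])
```

The allow-list comparison is deliberately two-sided: a device present on the AP but absent from the inventory is as much a finding as an authorised device that was never added, since Cracknell's approach only works while the list on the equipment and the list the business keeps are the same.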

Man in the middle attacks and unauthorised access points set up by employees are also common security threats to wireless access points.

Man in the middle attacks use a strong Wi-Fi signal located nearby to overwhelm the signal from the corporate wireless access point and thus "steal" the device connection. Once connected to this rogue access point, the unaware user is likely to reveal login or corporate data.

A second threat comes from employees setting up their own access points - small base stations can be bought from retailers at little cost - which can become absorbed into the corporate network.

This may occur for malicious reasons, but is more likely to be the result of an enterprising employee wanting to use their own Wi-Fi-enabled laptop in the office, or to improve flexibility in a branch office.

According to David Perry, principal analyst at IT research house Freeform Dynamics, both threats can easily be solved by using tools that monitor authorised wireless access points - in a similar fashion to network access control (NAC).

"In terms of man in the middle attacks there are tools available, for example from Cisco, that monitor the radio frequency profile and load balancing of a wireless network, which show what a corporate wireless hotspot should look like. It helps the IT director recognise any unauthorised radio signals within the hotspot.

"There are also widely available tools that recognise an unauthorised wireless access point and either sound an alarm or block access to the network," says Perry.

When it comes to Girard's third practice of client systems, one of the best unilateral defences against attacks is to block or quarantine Lan attachments of unwanted devices. "Network access control will help to block unauthorised access points and unauthorised work stations from inappropriate access," says Girard.

Of course, when it comes to network access and security, encryption and authorisation are a vital component in the CIO's armoury.

Girard recommends that enterprises migrate to Wi-Fi Protected Access 2 (WPA2)-compatible equipment - WLan network interface cards, wireless drivers, supplicants and access points - on all new purchases as soon as possible.

The original wireless security standard, Wired Equivalent Privacy (Wep) offered different degrees of encryption, such as 64-bit and 128-bit. However, it is now widely acknowledged as having serious security flaws.

Although someone walking by with a wireless adapter may be discouraged by the wireless network using an encrypted data stream, a determined hacker needs only a few hours to read enough wireless packets to generate the required Wep key to gain access to the network.

Tools such as Airsnort and Wepcrack also make this job easy for hackers by passively listening to wireless traffic. Once they acquire between five and 10 million packets, they can guess the encryption password immediately.

WPA2, however, dynamically changes keys so that by the time a hacker has intercepted enough wireless packets to guess the key, the key has already changed a number of times.
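The monitoring Perry describes - comparing what is seen over the air with what a corporate hotspot should look like - and the WEP-to-WPA2 recommendation can be expressed as one piece of detection logic run over a wireless survey. The following is an added illustration, not code from the article or from any vendor's monitoring tool: the inventory of managed access points, the survey records and the signal-strength threshold are all constructed for the example.

```python
# Added illustration: classify access points seen in a wireless survey against
# an inventory of managed corporate access points.  The inventory, the survey
# records and the signal threshold are constructed for the example and do not
# describe any vendor's tool.
from dataclasses import dataclass

CORPORATE_SSID = "corp-wifi"
# Constructed: radio MAC addresses (BSSIDs) of the managed access points.
AUTHORISED_BSSIDS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}
# Constructed threshold: a signal this strong at an indoor sensor is taken to
# come from inside the building rather than from a neighbour.
INDOOR_RSSI_DBM = -60
REQUIRED_SECURITY = "WPA2"


@dataclass(frozen=True)
class Observed:
    ssid: str
    bssid: str
    security: str   # "open", "WEP", "WPA" or "WPA2"
    rssi_dbm: int   # received signal strength at the sensor


def classify(ap: Observed) -> list:
    """Return zero or more alert strings for one observed access point."""
    alerts = []
    corporate_name = ap.ssid == CORPORATE_SSID
    managed = ap.bssid.lower() in AUTHORISED_BSSIDS
    inside = ap.rssi_dbm >= INDOOR_RSSI_DBM

    if corporate_name and not managed:
        # Our network name from an unmanaged radio: the man-in-the-middle
        # pattern described in the article.
        alerts.append("corporate SSID advertised by unmanaged radio")
    elif not corporate_name and not managed and inside:
        # Unknown network with a strong indoor signal: an access point
        # nobody authorised, e.g. an employee's own base station.
        alerts.append("unauthorised access point inside the building")

    if (managed or inside) and ap.security != REQUIRED_SECURITY:
        # WEP and open networks are flagged wherever they are ours or indoors;
        # a neighbour's weak network outside is not our problem to fix.
        alerts.append(f"{ap.security} in use where {REQUIRED_SECURITY} is required")
    return alerts


def survey(records) -> dict:
    """Map each BSSID to its alerts, omitting access points with none."""
    result = {}
    for ap in records:
        alerts = classify(ap)
        if alerts:
            result[ap.bssid.lower()] = alerts
    return result


# Constructed survey: one managed AP, an impostor using our SSID, a managed AP
# that has fallen back to WEP, an employee's open hotspot and a distant
# neighbour.
SURVEY = [
    Observed("corp-wifi", "00:11:22:AA:BB:01", "WPA2", -45),
    Observed("corp-wifi", "de:ad:be:ef:00:01", "WPA2", -40),
    Observed("corp-wifi", "00:11:22:aa:bb:02", "WEP", -50),
    Observed("my-laptop", "aa:bb:cc:dd:ee:ff", "open", -52),
    Observed("cafe-next-door", "11:22:33:44:55:66", "WEP", -85),
]

if __name__ == "__main__":
    for bssid, alerts in survey(SURVEY).items():
        print(bssid, "->", "; ".join(alerts))
```

The signal threshold stands in for the radio frequency profile Perry mentions: a real deployment would calibrate it per sensor and per floor, but the classification rules stay the same.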

Guest access and employees using their home wireless networks to access the corporate network bring unique challenges which are best overcome by the use of virtual Lan (VLan) tunnels to route users to a point outside the firewall, says Girard.

"Guest users should be directed to the internet, where they can use virtual private networks (VPNs) to connect back to their company portals. This option will also work with the company's own employees who are not registered for direct access to the Lan," says Girard.
