Securing Wireless Networks
by Neil Anderson
Are Wireless Networks Vulnerable?
There has been considerable reporting and interest around the topic of wireless networks and the need to secure them. While there is reason to be concerned, it is also important to keep things in perspective. Of course, there have been some spectacular breaches of wireless networks. In every case, the root cause was demonstrated to be incomplete or inadequate wireless security implementations.
Consider this: wired networks and the Internet have been around for more than twenty years, and every day we learn more about securing them. Wireless networks have been mainstream for about five to seven years, and we know a lot more about how to secure them. In fact, there has probably been more effort placed towards securing wireless networks in the last few years than towards securing wired ones.
One factor that has led to such rapid advances in wireless network security is the openness with which the Wi-Fi community has approached the challenges. With each vulnerability identified, Wi-Fi standards forums and equipment providers quickly responded with improvements to close the holes. For example, when Wired Equivalent Privacy (WEP) was proven to be easily cracked, solutions evolved including Wi-Fi Protected Access (WPA), first released as early "patches" and later standardized by 802.11i. In fact, hacking wireless networks, or at least understanding how it may be done, is almost encouraged by the Wi-Fi community as a kind of continual self-improvement plan.
One thing that is widely overlooked when discussing wireless network security is the need for proximity. Corporate networks are regularly connected to the Internet: an always-on source of security attacks...from anywhere on the planet...at any time...by anyone. The anonymity that the Internet provides offers an incredible Petri dish of potential launch points for attacks on corporate networks, and the nature of the Internet allows for attacks to be orchestrated from thousands of miles away. To contrast, wireless networks can only be hacked from within their direct proximity. A bank's Wi-Fi network in Kansas is not going to be hacked from Kenya, period.
So why do there continue to be reports of wireless network security breaches? Quite simply, the hacks occur on networks that have not implemented the already known best security practices. For example, a very large U.S. retailer recently had a breach of its network at its retail locations that resulted in the theft of several million credit card numbers and information. The root cause? The in-store Wi-Fi networks were secured only with WEP, a practice known to be vulnerable since 2001.
Steps to Securing Wireless Networks
So, how do we prevent security breaches from occurring on wireless networks? It is helpful to look at wireless security from three perspectives or three vulnerability points: the client accessing the network (such as a laptop), the wireless access (essentially the over-the-air radio waves), and the wireless network itself. Following the best practices in each of these "layers" of the wireless network is essential for implementing comprehensive security measures. We will look at all three in the following sections.
Securing the Wireless Client
An essential step in wireless security is locking down the client device used to access the wireless network. If a laptop or other endpoint is compromised, then the device can be used to gain entry into the network, regardless of other wireless security measures that may be in place. By the way, this is true whether a client is used to access the network over wireless or wired. Mobile clients, like laptops, are inherently used in some unfriendly places outside the corporate network, and can become infected with malicious software.
One way hackers have gained access to corporate wireless networks is to hack the laptop of an employee while they are sitting in an airport or coffee shop. There are a couple of well-known attacks that can be launched at a wireless NIC, which can result in learning the corporate wireless security key.
Whether accessing a wired or wireless network, it is a best practice to implement host-based security on clients, including anti-virus and host intrusion protection such as Cisco Security Agent (CSA). With CSA, attempts to install software or execute harmful calls in the operating system can be intercepted and prevented.
Another important measure is to ensure that clients accessing the network are "healthy," meaning that they have not been compromised, have the correct anti-virus software running, and are otherwise compliant with the company's security policy. Enforcement of all these measures can be difficult, but with the Cisco Clean Access (CCA) solution, the wireless network can challenge endpoints to prove compliance and "health" before they are permitted on the network.
Securing Wireless Communications
The next step to securing the wireless network (which is where most people start and often stop) is securing the actual wireless communications over the air between the client device and the wireless access point. There are two best practices to follow: authentication and encryption.
Authentication of wireless clients by the network ensures that only authorized devices are allowed to join the wireless network. The best practice for authentication is to implement Extensible Authentication Protocol (EAP) with Flexible Authentication via Secure Tunneling (EAP-FAST). Using a set of credentials on the client device, the wireless network can authenticate the endpoint against the credentials stored in the corporate identity database. If a match is not achieved, access to the wireless network is denied. (Wired networks are implementing an equivalent technique via 802.1X.)
Just as important as the network authenticating a wireless client is for the wireless client to authenticate the network to which it is connecting. "Imposter" access points can be set up posing as legitimate corporate wireless network access points. If only the SSID is used to determine the network's authenticity, this is trivial to imitate. The wireless client needs to use additional factors and credentials to authenticate that the access point it is trying to connect to is really a corporate network access point. This mutual authentication is also part of the EAP-FAST authentication process.
Once an endpoint is authenticated, the next critical security measure is to encrypt all communications between the client and the access point. The best practice is to implement Wi-Fi Protected Access (WPA). Whereas previous encryption techniques including WEP have proven vulnerable to hacks, WPA is far more secure and implements specific measures to thwart all known attacks on WEP.
WPA was further improved by the addition of the Advanced Encryption Standard (AES), which when added to WPA is often called WPA2. It is highly recommended to use WPA2 if available, or if not then WPA at a minimum. Use of WEP is not recommended due to known vulnerabilities that can be cracked in a matter of minutes. For simplicity, WPA and WPA2 are referred to collectively as WPA in the remainder of this article.
Two of the improvements incorporated into WPA are dynamic keys per session and periodic key changes. Each client negotiates a key for the duration of its session with the access point, and then at defined time intervals a new key is created between the two. Even if it were possible to hack the key in an hour, changing the keys renders the key of no further value.
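The per-session keys described above, and the mutual proof of key possession that lets each side reject an imposter (the point made in the Securing Wireless Communications section), can both be seen in the WPA2 four-way handshake. The following Python is an added example, not code from this article or from any Cisco product. It implements the 802.11i key derivation (PBKDF2-HMAC-SHA1 for a pre-shared key, the HMAC-SHA1 PRF for the pairwise transient key) and a simplified handshake; the `msg2`/`msg3` byte strings and the MAC addresses are constructed stand-ins for real EAPOL-Key frames, and with EAP-FAST the PMK would come from the authentication server rather than from a passphrase.

```python
import hashlib
import hmac
import os

# Added example (not from the article): WPA2 per-session key derivation and
# the mutual MIC checks of the four-way handshake, following 802.11i.


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... and truncate to nbits."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK pairwise master key: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes):
    """Pairwise transient key for CCMP (384 bits) split into KCK | KEK | TK.
    Both nonces are fresh per association, so the PTK is unique per session
    even though the PMK never changes."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return ptk[:16], ptk[16:32], ptk[32:48]  # KCK, KEK, TK


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """EAPOL-Key MIC for the AES key descriptor: HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def handshake(pmk_ap: bytes, pmk_sta: bytes, ap_mac: bytes, sta_mac: bytes, rng=os.urandom):
    """Simplified four-way handshake between an AP holding pmk_ap and a station
    holding pmk_sta. Returns (ap_accepts_station, station_accepts_ap, tk).
    The msg2/msg3 byte strings are constructed stand-ins for real EAPOL-Key frames."""
    anonce, snonce = rng(32), rng(32)        # message 1: AP -> STA carries ANonce
    kck_sta, _, tk_sta = derive_ptk(pmk_sta, ap_mac, sta_mac, anonce, snonce)
    kck_ap, _, _ = derive_ptk(pmk_ap, ap_mac, sta_mac, anonce, snonce)

    # message 2: STA -> AP carries SNonce and a MIC under the station's KCK;
    # a valid MIC proves to the AP that the station holds the PMK.
    msg2 = b"msg2|" + snonce
    ap_accepts_station = hmac.compare_digest(eapol_mic(kck_sta, msg2),
                                             eapol_mic(kck_ap, msg2))

    # message 3: AP -> STA carries the install instruction and a MIC under the
    # AP's KCK; a valid MIC proves to the station that the AP holds the PMK,
    # which is what an imposter access point cannot do.
    msg3 = b"msg3|" + anonce + b"|install"
    station_accepts_ap = hmac.compare_digest(eapol_mic(kck_ap, msg3),
                                             eapol_mic(kck_sta, msg3))

    tk = tk_sta if (ap_accepts_station and station_accepts_ap) else None
    return ap_accepts_station, station_accepts_ap, tk


if __name__ == "__main__":
    pmk = derive_pmk("constructed-passphrase", "CORP-WLAN")
    ap, sta = bytes.fromhex("001122334401"), bytes.fromhex("aabbccddee01")
    print("genuine AP:", handshake(pmk, pmk, ap, sta)[:2])
    print("imposter AP:", handshake(derive_pmk("guess", "CORP-WLAN"), pmk, ap, sta)[:2])
```

Running the block twice against the same PMK yields two different temporal keys, which is the "dynamic keys per session" property; the real protocol additionally rekeys on a timer, which maps to re-running the handshake with fresh nonces.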
Using the Wireless Network to Monitor Itself
An early security hole (and one that you can drive a truck through) in wireless networks was the problem of "rogue" access points: essentially wireless access points deployed without authorization of the IT department and almost always without the best practices security measures implemented.
Using the wireless network itself, wireless access points can be programmed to scan the RF environment to search for access points that are not part of the official network. Using information obtained from the scanning process, the Wireless Control System (WCS) can alert administrators that a potential "rogue" AP is present in the network. When combined with wireless Location Services, it is even possible to map the location of the "rogue" and provide IT staff with a head start on mitigating the security hole.
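The rogue classification and the "head start on location" described above can be reduced to a small amount of logic over what the managed access points report. The following Python is an added example, not code from this article or from the Cisco Wireless Control System; the access point inventory, corporate SSID and scan results are constructed, and using the reporting AP with the strongest signal as the nearest one is a crude stand-in for a real location service.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added example (not from the article): classify over-the-air observations
# against an inventory of managed APs and point staff at the nearest reporter.


@dataclass(frozen=True)
class Observation:
    bssid: str      # MAC of the radio heard over the air
    ssid: str       # network name it advertises
    security: str   # "WPA2", "WPA", "WEP" or "open", as seen in the beacon
    rssi: int       # signal strength in dBm at the reporting managed AP
    seen_by: str    # name of the managed AP that reported it


# Constructed inventory (not a real deployment)
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
CORPORATE_SSIDS = {"CORP-WLAN"}

# Constructed scan results as several managed APs would report them
SCAN = [
    Observation("00:11:22:33:44:01", "CORP-WLAN", "WPA2", -40, "AP-lobby"),
    Observation("00:11:22:33:44:02", "CORP-WLAN", "WPA2", -45, "AP-warehouse"),
    Observation("de:ad:be:ef:00:01", "CORP-WLAN", "open", -55, "AP-lobby"),
    Observation("de:ad:be:ef:00:01", "CORP-WLAN", "open", -80, "AP-warehouse"),
    Observation("aa:bb:cc:dd:ee:02", "linksys", "WEP", -62, "AP-warehouse"),
    Observation("aa:bb:cc:dd:ee:02", "linksys", "WEP", -88, "AP-lobby"),
]


def classify(obs, authorized=AUTHORIZED_BSSIDS, corp_ssids=CORPORATE_SSIDS):
    """Verdict for one observed radio."""
    if obs.bssid in authorized:
        # A managed AP that has fallen back to WEP/open is a policy problem too.
        return "authorized" if obs.security in ("WPA2", "WPA") else "misconfigured"
    if obs.ssid in corp_ssids:
        return "imposter"   # unknown radio advertising the corporate SSID
    return "rogue"          # unknown radio; may also be a neighbour, so investigate


def nearest_reporter(observations):
    """The managed AP that heard the radio loudest; crude stand-in for location."""
    return max(observations, key=lambda o: o.rssi).seen_by


def rogue_report(scan, authorized=AUTHORIZED_BSSIDS, corp_ssids=CORPORATE_SSIDS):
    """Group observations per BSSID and report everything that is not clean."""
    by_bssid = defaultdict(list)
    for obs in scan:
        by_bssid[obs.bssid].append(obs)
    report = {}
    for bssid, observations in by_bssid.items():
        verdict = classify(observations[0], authorized, corp_ssids)
        if verdict == "authorized":
            continue
        report[bssid] = {
            "verdict": verdict,
            "ssid": observations[0].ssid,
            "security": observations[0].security,
            "nearest": nearest_reporter(observations),
        }
    return report


if __name__ == "__main__":
    for bssid, entry in rogue_report(SCAN).items():
        print(bssid, entry)
```

The imposter verdict is the more urgent one: an unknown radio advertising the corporate SSID with no encryption is exactly the access point the client-side mutual authentication described earlier is meant to reject, and the nearest reporter tells staff which part of the building to walk to first.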
Similarly, using known attack signatures, the wireless network can also monitor for known attack vectors, clients attempting access or other maliciousness against the wireless network. Such wireless Intrusion Prevention mechanisms are also an important step in protecting the wireless network.
The nature of wireless networking means that a hacker does not need to gain physical access to your building in order to "plug in" and get access to the network. Proximity is enough. However, putting the threat in perspective, this also means that physical proximity is required to attack a wireless network...it is not feasible to do so from afar. By following today's best practices for wireless network security, a few straightforward steps will securely lock down your wireless network. Finally, if you are responsible for operating a wireless network, keep up to date on the latest tips and tricks people are using to side-step wireless security.
To learn more about wireless network security and the best practices, refer to this comprehensive Secure Wireless Design Guide. Additional information can also be found at the Wireless Network Security Website, including considerations for retail environments in order to comply with Payment Card Industry (PCI) regulations.