As with solving any puzzle, the best way to start looking at wireless security is with a systematic approach for addressing the problem.
There’s something in the air, but how do you keep it out of your wireless network? Do you even know what it is? It could be something as harmless as interference from a neighboring wireless LAN, or it could be something as dangerous as a war-driving attack. Can you tell the difference?
With the arrival of new wireless encryption protocols, such as WPA and 802.11i, network managers are worrying less about security and more about other issues like capacity, coverage, and radio interference. Unfortunately, this shifting focus is putting their companies at risk.
WLAN growth is clearly driven by the fact that security has indeed improved. The nightmare era of WEP is over, but enterprises are still addressing WLANs as if they were simply LAN extensions. They are not, and security policies must evolve to reflect that.
In a large enterprise, even wired LANs are no longer protected by traditional security methods. Users with laptops leave the enterprise and take those laptops with them as they travel, connecting at home, in hotels, at conferences, at customer sites, and in airport lounges, before returning to the corporate network and bringing with them any viruses or worms they may have picked up outside.
Traditional perimeter security solutions enforce a boundary between the trusted internal network and the untrusted public one. However, the public network with its viruses, Trojans, and worms can enter the network through the backdoor, ushered in by a “trusted,” verified insider, or even by a guest granted limited access.
If encryption is only one piece of the wireless-security puzzle, what then does the rest of the puzzle look like? As with solving any puzzle, the best way to start is with a systematic approach for addressing the problem. Security is a process, and there are five basic steps that can be followed to ensure robust mobile security.
Steps 1 & 2: authentication and encryption
The first two steps towards secure mobility, authentication and encryption, are rolled together here because most enterprise-class WLANs have already addressed them. Users must log into networks and be authenticated in order to get access. Once on the network, their traffic over the air is encrypted to protect it from the eyes of would-be eavesdroppers. Now that the nightmare days of WEP are behind us, there are plenty of good encryption and authentication standards to use, including WPA, 802.11i (WPA2), AES, and EAP.
So far, so good. However, authentication and encryption are where most enterprises stop. Unfortunately, this is just the bare minimum. Outsiders can still enter the network through physical-layer attacks. Users often employ weak passwords, and many WLANs are deployed with encryption turned off.
Network administrators also have little to no control over what devices enter WLANs. The increasing diversity of client devices throws a kink in the enforcement and authentication game. Unlike in the wired world, today’s wireless networks must support a heterogeneous, mixed-device world where appropriate encryption and authentication schemes may vary from device to device, meaning that a one-size-fits-all policy will not suffice. What enterprise-grade WLANs need is a fine-grained approach to user policies.
Step 3: policy enforcement
Before enforcing policies, you must first establish them. An enterprise-grade policy solution should factor in policies for individual users, groups, and specific roles. With proper policies in place, certain users, say a CEO, would receive higher QoS and bandwidth priority over other users like guests. More sophisticated policy schemes can enable location- or VLAN-based policies.
Additionally, considering that most enterprises have spent a great deal of time building LDAP and Active Directory databases, an enterprise-grade WLAN policy engine should facilitate the application of these existing policies on the wireless network.
Once policies are in place then it becomes a matter of enforcement, which is where many of the new enterprise WLAN solutions fall short. Consider a user who takes a laptop out of the building, visits a public network in a coffee shop, forgets to update virus signatures, and returns to the enterprise with a worm.
An enterprise WLAN policy engine could do two things to head off a network-wide problem: first, it could enforce a rule that says any device entering the network must undergo a vulnerability assessment before being granted entry (more on this below); second, it could simply monitor a user’s TCP connections. If a policy dictates that each user is allowed 15 TCP connections, then when a worm tries to set up hundreds of TCP connections, the WLAN security system will notice. With proper policy enforcement, the user will be put in quarantine and the worm will be curtailed before it has a chance to infect the entire network.
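The per-user connection rule above is easy to state but has a few practical wrinkles: retransmitted packets must not be counted as new connections, only TCP should count, and a stale connection from an hour ago should not push a user over the limit. The following Python is an added illustration written for this page, not code from the article or from Bluesocket; it evaluates the article's 15-connection policy over a constructed set of flow records. The one-minute window, the `Flow` record layout, and the user names are assumptions for the example.

```python
from typing import Dict, Iterable, List, NamedTuple


class Flow(NamedTuple):
    """One flow record as a WLAN controller might export it (constructed layout)."""
    ts: float      # seconds since epoch
    user: str      # authenticated identity attached to the wireless session
    proto: str     # "tcp" or "udp"
    dst: str       # destination IP address
    dport: int     # destination port


class Verdict(NamedTuple):
    connections: int   # distinct TCP connections seen inside the window
    action: str        # "allow" or "quarantine"


def evaluate_connection_policy(flows: Iterable[Flow], now: float,
                               window_seconds: float = 60,
                               max_tcp_connections: int = 15) -> Dict[str, Verdict]:
    """Apply the per-user TCP connection limit described in the article.

    A connection is identified by (destination, port), so retransmits of the
    same connection count once. Only TCP flows inside the look-back window
    count; UDP traffic such as DNS is ignored by this particular rule.
    """
    cutoff = now - window_seconds
    per_user: Dict[str, set] = {}
    for f in flows:
        per_user.setdefault(f.user, set())   # report every user, even with zero
        if f.proto == "tcp" and f.ts >= cutoff:
            per_user[f.user].add((f.dst, f.dport))
    verdicts = {}
    for user, conns in per_user.items():
        action = "quarantine" if len(conns) > max_tcp_connections else "allow"
        verdicts[user] = Verdict(len(conns), action)
    return verdicts


def quarantined_users(verdicts: Dict[str, Verdict]) -> List[str]:
    """Users the policy engine should move into the quarantine role."""
    return sorted(u for u, v in verdicts.items() if v.action == "quarantine")


# Constructed sample data: a normal user, a user with only DNS traffic, and a
# laptop that came back from a coffee shop carrying a worm.
SAMPLE_FLOWS: List[Flow] = [
    Flow(10, "alice", "tcp", "192.0.2.10", 443),   # outside the window at now=120
    Flow(100, "alice", "tcp", "192.0.2.10", 443),
    Flow(101, "alice", "tcp", "192.0.2.10", 443),  # retransmit of the same connection
    Flow(102, "alice", "tcp", "192.0.2.11", 443),
    Flow(103, "alice", "tcp", "192.0.2.12", 80),
    Flow(104, "alice", "tcp", "192.0.2.13", 443),
    Flow(105, "alice", "tcp", "192.0.2.14", 993),
    Flow(106, "alice", "tcp", "192.0.2.15", 22),
    Flow(107, "carol", "udp", "192.0.2.53", 53),
]
# Worm-like burst: 200 connections to port 445 on consecutive hosts within a second.
SAMPLE_FLOWS += [Flow(110, "bob", "tcp", f"10.0.0.{i}", 445) for i in range(1, 201)]
SAMPLE_FLOWS += [Flow(111, "bob", "udp", "192.0.2.53", 53) for _ in range(5)]


if __name__ == "__main__":
    verdicts = evaluate_connection_policy(SAMPLE_FLOWS, now=120)
    for user, v in sorted(verdicts.items()):
        print(f"{user:8s} tcp_connections={v.connections:4d} action={v.action}")
    print("quarantine:", quarantined_users(verdicts))
```

With this data alice ends up at 6 connections (the duplicate and the stale record are not counted) and is allowed, carol has none, and bob's 200 connections trip the limit and he is quarantined. In a real deployment the quarantine action would be a role change on the controller that leaves the user with access to remediation resources only.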
Step 4: protecting against worms and viruses at the network level
Since users come into the enterprise through multiple points of entry and with multiple roles, including guests and partners, desktop-based protection is not enough. Not only is it difficult to enforce, but there is also the problem of applying policies to guests, outsiders, and mobile users.
Traditional virus and worm protection relies on clients. What happens, though, when a PDA with an infected file is attached to the network? Not all PDAs have virus monitoring solutions on them, nor do mobile phones, scanners and cameras, yet all are entering corporate networks. With so many different clients entering the network, what is needed is client-less, or network-based, protection.
In essence, network-based virus and worm protection is simply an extension of policy enforcement. Once a policy is allocated, it must be enforced, and this requires monitoring based on user behavior to identify roles and do such things as enabling dynamic bandwidth allocation based on those roles.
Once user-behavior monitoring is in place at the basic policy level, it can then be extended so that unusual activities and traffic anomalies trigger a security response. Thus, back-door worms are headed off before they can propagate.
Another means for protecting the network is to validate the devices coming into the network. The monitoring solution should look at the device itself, checking to see what ports are enabled and doing a quick scan for the most prevalent worms and viruses. Only after an automatic vulnerability assessment is run and after it has been ensured that machines are in step with security policies are devices permitted into the network.
Step 5: monitoring the air itself
In a wired network, there is a degree of security provided by the mere fact that traffic must traverse wires. In the wireless world, this is not the case, and network administrators are faced with the daunting task of defending the air itself.
In a traditional AP-only network this is nearly impossible to do. Even with new switch-based architectures that use the same APs as air monitors, monitoring comes with a steep price: performance degradation. However, there is a third way. By deploying an overlay RF monitoring network, network managers have a real-time, 24/7 view of the airwaves.
Rogue access points (and rogue clients as well) represent one of the new threats that WLANs must deal with, a threat that wired networks needn’t worry about. Off-the-shelf access points are becoming so cheap that any tech-savvy employee or motivated outsider can tap into an unsecured WLAN. Even well-meaning employees who simply want access in an area not currently covered can open a huge hole into the network.
With RF monitoring in place, a rogue AP shows up as an anomaly, and can either be physically tracked down, or can actually be shut down or disabled and denied network access. But it’s not just rogues that cause network administrators to lose sleep. Neighboring WLANs pose a problem, as do war drivers, DoS attacks, and others. Ongoing, real-time RF monitoring ensures that the network remains as configured and only verified users are permitted to enter it.
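An overlay RF monitor produces a stream of beacon observations; turning that stream into the anomalies described above means comparing what is heard against what the network is supposed to look like. The Python below is an added example written for this page, not Bluesocket's code or any product's logic. It classifies constructed sensor observations against an assumed AP inventory: a known BSSID whose observed settings match is authorized; a known BSSID heard with encryption off is misconfigured; an unknown BSSID advertising a corporate SSID is reported as a rogue; an unknown BSSID with a foreign SSID is recorded as a neighbor; and an inventoried AP no sensor hears is reported as missing. The record layouts, sensor names, and SSIDs are assumptions for the example.

```python
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class Observation(NamedTuple):
    """One beacon heard by an overlay RF sensor (constructed layout)."""
    bssid: str
    ssid: str
    channel: int
    security: str   # "OPEN", "WPA2", ... as reported by the sensor
    sensor: str     # which sensor heard it; used to physically locate the AP


class KnownAP(NamedTuple):
    ssid: str
    security: str


class Finding(NamedTuple):
    status: str               # authorized, misconfigured, rogue, neighbor, missing
    ssid: str
    sensors: Tuple[str, ...]  # sorted sensors that heard the BSSID


def classify_airspace(observations: Iterable[Observation],
                      inventory: Dict[str, KnownAP],
                      corporate_ssids: Set[str]) -> Dict[str, Finding]:
    """Compare heard BSSIDs against the authorized inventory.

    RF data alone cannot tell whether an unknown AP is bridged into the wired
    LAN, so a 'neighbor' finding is a record to keep, not an alarm; a 'rogue'
    finding (corporate SSID from an unknown radio) warrants tracking down.
    """
    heard: Dict[str, List[Observation]] = {}
    for obs in observations:
        heard.setdefault(obs.bssid.lower(), []).append(obs)

    findings: Dict[str, Finding] = {}
    for bssid, group in heard.items():
        sensors = tuple(sorted({o.sensor for o in group}))
        ssid = group[0].ssid
        if bssid in inventory:
            expected = inventory[bssid]
            as_configured = all(o.ssid == expected.ssid and o.security == expected.security
                                for o in group)
            status = "authorized" if as_configured else "misconfigured"
        elif any(o.ssid in corporate_ssids for o in group):
            status = "rogue"
        else:
            status = "neighbor"
        findings[bssid] = Finding(status, ssid, sensors)

    # An authorized AP that has gone silent is also a deviation from "as configured".
    for bssid, known in inventory.items():
        if bssid not in findings:
            findings[bssid] = Finding("missing", known.ssid, ())
    return findings


# Constructed inventory and scan data.
INVENTORY: Dict[str, KnownAP] = {
    "00:11:22:33:44:01": KnownAP("CorpNet", "WPA2"),
    "00:11:22:33:44:02": KnownAP("CorpNet", "WPA2"),
    "00:11:22:33:44:03": KnownAP("CorpGuest", "WPA2"),   # not heard in this scan
}
CORPORATE_SSIDS: Set[str] = {"CorpNet", "CorpGuest"}
SAMPLE_SCAN: List[Observation] = [
    Observation("00:11:22:33:44:01", "CorpNet", 6, "WPA2", "sensor-A"),
    Observation("00:11:22:33:44:01", "CorpNet", 6, "WPA2", "sensor-B"),   # same AP, 2nd sensor
    Observation("00:11:22:33:44:02", "CorpNet", 11, "OPEN", "sensor-A"),  # encryption turned off
    Observation("AA:BB:CC:DD:EE:01", "CorpNet", 1, "OPEN", "sensor-C"),   # unknown radio, our SSID
    Observation("aa:bb:cc:dd:ee:02", "CoffeeShop-Guest", 1, "WPA2", "sensor-C"),
]


if __name__ == "__main__":
    for bssid, f in sorted(classify_airspace(SAMPLE_SCAN, INVENTORY, CORPORATE_SSIDS).items()):
        print(f"{bssid} {f.status:13s} ssid={f.ssid:17s} heard_by={','.join(f.sensors) or '-'}")
```

The sensor list on each finding is what lets an administrator walk toward the rogue; when more than one sensor hears the same BSSID, signal strength from each (not modelled here) narrows the location further.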
The benefits of WLANs are obvious, so simply turning your back on wireless is not a wise security choice. WLANs enhance internal communications, boost productivity, enhance employee satisfaction, and benefit the bottom line. However, because these new networks are indeed wireless, they don’t have the luxury of relying on end-point protections that wired networks have.
Since wireless signals are beamed in every direction, traveling through building walls and across business boundaries, anyone within range of a given WLAN access point can easily intercept packets, and by using cracking tools readily available on the Internet, they can gain access to confidential information and compromise your network.
For true secure mobility, enterprises must adopt solutions that secure the air itself. Relying on authentication, encryption, and old-fashioned perimeter security leaves wireless networks vulnerable to new threats. Only a multi-layered security solution with strong policy enforcement and RF monitoring ensures that your network remains secure, without sacrificing user mobility.
Rohit Mehra is director of product management at Bluesocket Inc. of Burlington, Mass., a developer of wireless LAN management and security products.