Plugging holes in your wireless LAN

As today’s companies extend their wireless capabilities across their entire enterprise, several issues come to the forefront, not the least of which is the security of their proprietary data. Despite the complexity of the problem, an enterprise can undertake some relatively simple measures to thwart hackers and maintain the integrity of their wireless network.

1. Avoid factory-default SSIDs.

Wireless LAN “war drivers” regularly canvass business areas armed only with sniffing equipment and other tools that are readily available on the Internet. But the practice of “war chalking” takes this concept to another level by using physical demarcations to expose the existence of access points, thus exploiting them not only for their own use, but publicizing holes for others as well. One means of avoiding these types of attacks is to avoid advertising your WLAN’s very existence. Discovery of the WLAN itself is the first step to a successful hack, but there are several measures that can be taken to make life difficult for the casual hacker. The first of these involves the SSID’s factory default. Every access point and all devices attempting to connect to a specific WLAN must use the same SSID. Because an SSID can be sniffed in plain text from a packet, it should be changed from the factory default so as to avoid easy detection.

2. Deploy device-independent authentication.

Many companies rely on device authentication to protect their WLAN from intruders, but this approach proves problematic on several fronts. Not only does a lost or stolen device represent a severe threat to the integrity of the WLAN, but laptops are also relatively easy to dupe. Reliance on device-independent authentication, such as user names and passwords, begins to address this problem by focusing on the user not the device. But the optimal solution involves the use of RSA SecurID token deployments. RSA SecurID authenticator requires users to identify themselves with two unique factors before they are granted access. With a constantly changing RSA SecurID authenticator generating a new, unpredictable code every 60 seconds, tokens add a layer of security that passwords alone simply cannot provide.

3. Use VPN technologies such as IPsec with 3DES to protect data.

Authentication techniques used in wireless LANs have traditionally been based on WEP shared key authentication. Unfortunately, WEP has proved to be weak and easily circumvented, with WEP cracking tools readily available. To improve the security provided by WEP, many access point vendors have introduced mechanisms for dynamically assigning WEP keys to clients when they start communicating with an access point. These dynamic WEP solutions eliminate the need for distributing and managing a global WEP key at every client. Though it makes the hacker’s task more difficult, recent studies have shown that dynamic WEP can still be broken within a few minutes. VPN technologies such as IPsec with 3DES can protect data by ensuring that users authenticate to the network, that the user's credentials are made available to all access points in the environment, that appropriate access control policies are enforced throughout the wireless network, and that encryption is efficiently implemented to protect enterprise data.

4. Limit or control where WLAN traffic can go.

After determining who is allowed on the network, the next issue involves controlling a user’s capabilities once there. Clearly, most enterprises will see a need to restrict access to certain servers or limit guests mobility on the WLAN. Firewalls normally restrict access to the network itself by implementing packet filters on routers to inspect IP addresses as a means of determining authorized users. But if the WLAN is to be used for a selected purpose, then specific packet filters designed to allow only that access should be placed on the WLAN.

5. Move security from access points to a wiring closet.

Access points are situated for ideal throughput and coverage, and as a result are often positioned in an open setting where they are exposed. Unscrupulous visitors and careless employees can easily move, replace or reset them with alarming ease. When also considering the fact that many vendors are equipping the access points themselves with security measures, it is important to ensure the integrity of your WLAN’s security by splitting out security from the physical access points. Treat your security solution as you would the rest of your sensitive IT equipment--with storage in a secured wiring closet.

6. Actively monitor access point configurations.

It is not sufficient to just configure an access point. Consider how easy it is for someone to perform a hardware reset on an access point, and then consider the damage that a misconfigured point can wreak on the WLAN. Security measures can be completely counteracted when misconfigured points inadvertently broadcast the WLAN’s location to hackers. Monitoring software that constantly sends queries to determine any configuration anomalies is the answer. By actively monitoring the AP configuration, you can ensure that the AP is automatically reconfigured should such an event occur.

7. Use monitoring software for rogue WLAN detection.

Today’s employees are more than capable of creating a rogue WLAN, whether well intentioned or not, inside a business. Because this can result in the entire WLAN’ s security being impugned, active sniffing for these rogue devices is a critical operational requirement. New software tools to ease this task are now readily available and can detect all the known devices on the network, and differentiate them from foreign wireless devices.

8. Take steps to secure client devices.

Over a WLAN, an intruder can attack wireless clients themselves in a peer-to-peer fashion. This attack can give the intruder what appears to be legitimate network access by simply using a client as an accepted entry point. To address this issue, desktop firewalls should be deployed, along with network management tools that actively audit and manage the client before permitting access via the WLAN.

9. Police bandwidth for fair access and attack prevention.

Wireless access points have low bandwidth capabilities and are shared by multiple users. This scenario allows intruders to simply blast traffic over the wireless link to prevent additional traffic with what are known as denial-of-service attacks. But even legitimate users can unintentionally hog bandwidth in the course of their everyday responsibilities. Particularly in environments in which different users need to perform different mission-critical tasks, bandwidth must be policed to provide fair access. As part of the packet filtering solution, a good solution installs software that controls traffic by slowing large downloads in addition to a wide variety of other measures.

10. Deploy real-time policy management.

As they are deployed, wireless LANs will span entire campuses and incorporate multiple global sites. Security policy changes (e.g. valid user lists, access rights, etc.) will naturally change. These changes must be reflected in real-time throughout the WLAN to reduce the window of opportunity for intrusion and, more importantly, provide immediate lock-down of detected security holes.

Sandeep Singhal is co-founder and chief technical officer of Reefedge Technologies.