Let me start off by saying that there is absolutely no way to achieve total security in a WLAN. By deploying a WLAN, you increase your security risk over that of a purely wired network. There are, however, ways to mitigate those risks as far as possible, as I will discuss in this article, while still enjoying the productivity gains and flexibility that wireless networks afford over wired ones.
Throughout this article, I will be referencing Cisco’s SAFE, a flexible, dynamic blueprint for security and VPN networks. Based on the Cisco Architecture for Voice, Video and Integrated Data (AVVID), SAFE enables businesses to securely and successfully take advantage of e-business economies and compete in the Internet economy.
Wireless Networks are Targets
Wireless networks have become one of the most interesting targets for hackers today. One thing to note is that WLAN devices typically ship with all security features disabled, which makes an out-of-the-box WLAN an attractive target. To make matters worse, Web sites have started documenting the freely available wireless connections that can be reached from public places.
Most hackers use these connections as a means to get free Internet access or to hide their identity. A smaller group sees the situation as an opportunity to break into networks that would otherwise have been difficult to attack from the Internet. Unlike a wired network, a wireless network sends data over the air and usually extends beyond the physical boundary of the organization; when strong directional antennas are used, a WLAN can be reached well outside the buildings it was designed for. This creates an environment in which traditional physical security controls are ineffective, because the packets can be viewed by anyone within radio frequency range.
Ad Hoc versus Infrastructure Modes
Most WLANs deployed by organizations operate in a mode called “infrastructure”. In this mode, all wireless clients connect through an Access Point (AP) for all communications. You can, however, deploy WLAN technology in a way that forms an independent peer-to-peer network, more commonly called an “ad hoc” WLAN. In an ad hoc WLAN, laptop or desktop computers that are equipped with compatible WLAN adapters and are within range of one another can share files directly, without the use of an AP. The range varies, depending on the type of WLAN system. Laptop and desktop computers equipped with 802.11b WLAN cards can form an ad hoc network if they are within roughly 500 feet of one another.
The security impact of ad hoc WLANs is significant. Many wireless cards, including some shipped by PC manufacturers as a default item, have ad hoc mode enabled out of the box. Any hacker whose adapter is also configured for ad hoc mode is immediately connected to PCs using these cards and can attempt to gain unauthorized access. There are some base-level recommendations that every WLAN device should follow. At a minimum, the following should be done:
Access Point security recommendations:
- Enable user authentication for the management interface.
- Choose strong community strings for Simple Network Management Protocol (SNMP) and change them often.
- Consider using SNMP read-only access if your management infrastructure allows it.
- Disable any insecure and nonessential management protocol provided by the manufacturer.
- Limit management traffic to a dedicated wired subnet.
- Encrypt all management traffic where possible.
- Enable wireless frame encryption where available.
Client adapter card security recommendations:
- Disable ad hoc mode.
- Enable wireless frame encryption where available.
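As an added example (not configuration from the article or from Cisco's SAFE documents), here is how most of the access-point recommendations above look on an access point running Cisco IOS. The hostname, the wired management subnet 10.1.0.0/24, the ACL number, the domain name and the credential strings are all assumed for illustration; the factory-style settings shown in comments at the top are what the hardened lines replace.

```cisco
! Added example (not from the article or SAFE). Assumes an access point
! running Cisco IOS, a wired management subnet of 10.1.0.0/24 and an ACL
! number chosen for illustration; the credential strings are placeholders.
!
! --- Weak, ship-from-factory style settings this example replaces ---
! snmp-server community public RO
! snmp-server community private RW
! ip http server
! line vty 0 4
!  transport input telnet
!  no login
!
! --- Hardened settings ---
hostname ap-bldg1-fl2
! User authentication on the management interface: local account, hashed secret
username apadmin privilege 15 secret Str0ng-Pl4ceholder!
! Management sources limited to the dedicated wired management subnet
access-list 10 remark wired management subnet only
access-list 10 permit 10.1.0.0 0.0.0.255
access-list 10 deny   any log
! Remove the well-known community strings; one strong read-only community,
! bound to the management ACL, is all that monitoring needs
no snmp-server community public
no snmp-server community private
snmp-server community K7tVx9mQ2pLwR4 RO 10
! Disable cleartext management protocols; allow SSH only, and only from ACL 10
no ip http server
ip domain-name example.com
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
 exec-timeout 5 0
! Wireless frame encryption on the radio (Aironet IOS syntax): WEP is
! mandatory, with per-packet key hashing and the MIC enabled where the
! hardware supports them; keys come from LEAP or a static "encryption key" line
interface Dot11Radio0
 encryption mode wep mandatory mic key-hash
```

Check the result with `show running-config | include snmp-server community` (no `public` or `private` should remain) and `show ip ssh` (SSH must report as enabled before you remove Telnet, or you lock yourself out of the wired management path). Rotating the community string is a scheduled task, not a one-off: the article's advice is to change it often, and a read-only community limits what a leaked string can do.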
Security Policies and Procedures
Whether you are designing security for wireless or wired networks, it is always advisable to have a security policy in place. It is recommended that an organization have a complete wireless network policy in addition to its overall security policy. This wireless policy should, at a minimum, disallow the connection of APs that are not provisioned and supported by IT. On the procedures side, the IT department needs to conduct regular scans of its office space to check for rogue APs. This includes both physical searches and wireless scans. Several vendors offer tools designed to discover the presence of wireless APs in a given area.
In the hands of a determined hacker, a rogue AP can be a valuable asset in the attempted compromise of network resources. The principal threat is the installation of an AP in the network after unauthorized access to a building has been gained. The intruder typically enters the building by “tailgating” behind a user with a valid access badge or by obtaining a guest badge under some pretext. Because APs are relatively small and can be purchased at many electronics outlets worldwide, it is easy for the hacker not only to obtain an AP but also to install it discreetly. Attaching the AP to the underside of a conference-room table and plugging it into a live network jack allows the hacker to break into the network from the relative security of a car in the parking lot.
From an implementation perspective, many Ethernet switches today offer the ability to limit access to a particular port based on the MAC address of the connecting client. These controls can be set up to learn the first MAC address that connects to a port and then prevent any subsequent MAC address from connecting. They can also be configured to allow no more than a fixed number of MAC addresses on a port. Both features can help with the rogue AP problem, but remember that their use carries a significant administrative penalty.
Managing the MAC address tables in a large enterprise could become a full-time job by itself. Also remember that with a conference room it is difficult to know what different systems will connect to a given network port. Because a conference room is a likely target of a hacker with a rogue AP, it may be useful to disable wired network access from all conference rooms. After all, providing wireless access to the network from conference rooms is one of the main reasons organizations choose to deploy wireless LAN technology today.
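The two port-level controls described above, and the conference-room advice, as an added example in Catalyst IOS configuration (this is not configuration from the article or from SAFE; the interface numbers, VLAN number and descriptions are assumed for illustration):

```cisco
! Added example (assumed interface and VLAN numbers, not from the article).
!
! Option 1: an ordinary office jack. Learn the first MAC address that connects,
! keep it as a "sticky" entry in the running configuration, and err-disable
! the port if a second MAC address appears (a rogue AP bridging several
! wireless clients, or a hub, trips this).
interface FastEthernet0/12
 description Office jack, cube 2-14
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! Option 2: a conference-room jack. The article's advice is simply not to
! offer wired access there, so the port is administratively down.
interface FastEthernet0/20
 description Conference room A wall jack - wired access disabled by policy
 shutdown
!
! Let err-disabled ports recover after 10 minutes so a single violation is
! not a permanent help-desk ticket; the violation is still logged as a trap
! or syslog message, which is what you want to alert on.
errdisable recovery cause psecure-violation
errdisable recovery interval 600
```

`show port-security interface FastEthernet0/12` shows the learned address, the violation count and whether the port is currently err-disabled; `show port-security address` lists every sticky entry, which is the table the text warns will need managing. One caveat a practitioner should keep in mind: this control counts MAC addresses, so a rogue AP that routes or NATs its wireless clients behind its own single MAC address does not trip it, which is why the physical and wireless scans above remain necessary.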
This article is not meant to be an exhaustive treatment of WLAN security. There are inherent security risks in WLAN deployments, especially with the methods currently available on 802.11b. Following the guidelines outlined in this article will help mitigate many of them. In addition, the IEEE, with participation from vendors including Cisco Systems and Microsoft, is working on a new WLAN security standard, 802.11i, which, like LEAP (Cisco's proprietary security mechanism on its WLAN products), builds on 802.1X/EAP authentication with dynamic per-session keys.
The IEEE 802.11b standard includes components for ensuring access control and privacy, but these components must be deployed on every device in a wireless LAN. The two mechanisms for providing access control and privacy on wireless LANs are service set identifiers (SSIDs) and wired equivalent privacy (WEP). Neither is sufficient on its own: the SSID is carried in the clear in management frames and provides no real access control, and static WEP keys are exposed to the known WEP attacks that the design section below addresses with key hashing, the MIC and per-session key rotation.
Hackers being hackers, however, they will always find a way past the best defences, and the only way to stay safe is to keep one step ahead of them. Properly architected, a wireless network can provide a strong level of security while still delivering the productivity and flexibility benefits that such networks afford.
Fredy Cheung is Director of Core Technologies, Asia Pacific, Cisco Systems
SAFE wireless addresses the general concerns of WLAN security as mentioned earlier. This design section applies those concerns and mitigation techniques to a variety of different networks. The size and security concerns of the specific design dictate the mitigation techniques that are applied to a WLAN design. The network designer is therefore offered a choice of mitigation technology to implement, along with the advantages and disadvantages of each technology within the SAFE design. The mitigation technologies are consistent across all the SAFE designs, so a review of the networking elements of each of the two main technology choices is presented first. After the review of the technologies, each SAFE design is presented, along with the advantages and disadvantages of implementing the specific mitigation technologies within it. Any unique characteristics of implementing a mitigation technology within the SAFE designs are also presented.
The two main design choices follow:
- Implementing a dynamic WEP keying model using EAP and 802.1X, called LEAP
- Implementing an overlay VPN network using IPSec
Standard LEAP WLAN Design
This design details a generic method for using LEAP as a security mechanism to access the production corporate network.
Key LEAP Devices
- Wireless client adapter and software—Provides the hardware and software necessary for wireless communications to the AP, and performs mutual authentication with the AP via LEAP
- Wireless access point—Mutually authenticates wireless clients via LEAP
- Layer 2/3 switch—Provides Ethernet connectivity and Layer 3/4 filtering between the WLAN AP and the corporate network
- RADIUS server—Delivers user-based authentication for wireless clients and access-point authentication to the wireless clients
- DHCP server—Delivers IP configuration information for wireless LEAP clients
Threats Mitigated
- Wireless packet sniffers—Wireless packet sniffers can take advantage of any of the known WEP attacks to derive the encryption key. These threats are mitigated by WEP enhancements (see "Security Improvements Are Required" axiom) and by key rotation using LEAP.
- Unauthenticated access—Only authenticated users are able to access the wireless and wired network. Optional access control on the Layer 3 switch limits wired network access.
- Man in the middle—The mutual authentication of LEAP, combined with the MIC (message integrity check), prevents a hacker from inserting itself in the path of wireless communications.
- IP spoofing—Hackers cannot perform IP spoofing without first authenticating to the WLAN. After authentication, optional RFC 2827 filtering on the Layer 3 switch restricts any spoofing to the local subnet range.
- ARP spoofing—Hackers cannot perform ARP spoofing without first authenticating to the WLAN. After authentication, ARP spoofing attacks can be launched in the same manner as in a wired environment to intercept other users' data.
- Network topology discovery—Hackers cannot perform network discovery if they are unable to authenticate. When authenticated via LEAP, standard topology discovery can occur in the same way that is possible in the wired network.
Threats Not Mitigated
- Password attack—Because LEAP does not support one-time passwords (OTPs), the user-authentication process is susceptible to password attacks. The threat can be mitigated by auditing selected passwords for weakness and adhering to a good password usage policy that limits the number of tries for a password before locking out the account.
LEAP Design Guidelines
In most cases, WLAN access points are connected to existing Layer 2 access switches. RADIUS and DHCP servers are located in the server module of the corporate network. Security in the design is maintained by preventing network access in the event of a RADIUS service failure. Since most of the mitigation against security risks relies on the RADIUS service, this behavior is required. Overall, management of the solution is hindered if DHCP services fail.
The wireless clients and APs use LEAP to authenticate the WLAN client devices and end users against the RADIUS servers. Note that because the LEAP process does not presently support OTP (new versions of LEAP will support OTP), a significant security hole is introduced into the network because attackers can attempt to brute force the LEAP authentication process. Be sure to require (and check) that users choose strong passwords and set account lockouts after a small number of incorrect login attempts. This configuration can be made at the RADIUS server.
For scalability and manageability purposes, the WLAN client devices are configured to use the DHCP protocol for IP configuration. DHCP occurs after the device and end user are successfully authenticated via LEAP. After successful DHCP configuration, the wireless end user is allowed access to the corporate network. Filtering in place at the first Layer 3 switch prevents the wireless network from accessing portions of the wired network as dictated by an organization's security policy. In SAFE, for example, filtering was put in place to prevent wireless access to any department servers, voice networks, or other user networks. Network designers should give special consideration to the location of the RADIUS and DHCP servers used by LEAP.
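The Layer 3 filtering in the LEAP design, covering both the RFC 2827 anti-spoofing filter mentioned under IP spoofing above and the policy filter described in this paragraph, as an added example rather than configuration from the article or from SAFE. It assumes a Catalyst IOS Layer 3 switch with the wireless clients on VLAN 30 (10.20.30.0/24) and placeholder addresses for the server module holding DHCP and RADIUS (10.1.0.0/24, DHCP server 10.1.0.20), department servers (10.4.0.0/16), the voice network (10.5.0.0/16) and other user VLANs (10.10.0.0/16).

```cisco
! Added example, assumed addressing. Inbound ACL on the wireless SVI of the
! first Layer 3 switch in the LEAP design.
ip access-list extended WLAN-LEAP-IN
 remark DHCP DISCOVER/REQUEST arrive with source 0.0.0.0, so they must be
 remark permitted before the anti-spoofing rule below or clients never get a lease
 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
 remark Policy from SAFE: no wireless access to department servers, voice or other user VLANs
 deny   ip 10.20.30.0 0.0.0.255 10.4.0.0 0.0.255.255 log
 deny   ip 10.20.30.0 0.0.0.255 10.5.0.0 0.0.255.255 log
 deny   ip 10.20.30.0 0.0.0.255 10.10.0.0 0.0.255.255 log
 remark RFC 2827: anything else must carry a source address from the wireless subnet
 permit ip 10.20.30.0 0.0.0.255 any
 remark Spoofed sources, and anything unexpected, are dropped and logged
 deny   ip any any log
!
interface Vlan30
 description LEAP wireless clients
 ip address 10.20.30.1 255.255.255.0
 ip helper-address 10.1.0.20
 ip access-group WLAN-LEAP-IN in
```

Two points worth checking after applying it: `show ip access-lists WLAN-LEAP-IN` should show hits on the bootpc line as clients obtain leases (if it shows hits on the final deny instead, the DHCP exception is missing or misordered), and the RADIUS exchange is unaffected because it runs between the AP and the server module, not from the clients. The ACL enforces policy independently of the RADIUS service, so it still holds when authentication fails closed as the design requires.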
Standard VPN WLAN Design
This design details a generic method for using IPSec VPNs as an overlay security mechanism to access the production corporate network from a WLAN.
Key VPN Devices
- Wireless client adapter and software—Provides the hardware and software necessary for wireless communications to the AP
- Remote-access VPN client with personal firewall software—A software client that provides end-to-end encrypted tunnels between individual PCs and the corporate wireless VPN gateways; personal firewall software provides device-level protection for individual PCs
- Wireless access point—Provides initial IP protocol filtering between the WLAN and corporate network
- Layer 2 switch—Provides Ethernet connectivity between the WLAN APs and the corporate network
- Layer 3 switch—Routes and switches production network data from one module to another; provides additional policy enforcement via protocol level filtering for wireless traffic
- RADIUS server—Authenticates wireless users terminating on the VPN gateway, optionally talks to an OTP server
- OTP server—Authorizes one-time password information relayed from the RADIUS server
- DHCP server—Delivers IP configuration information for wireless VPN clients before and after VPN establishment
- VPN gateway—Authenticates individual remote users and terminates their IPSec tunnels
Threats Mitigated
- Wireless packet sniffers—These threats are mitigated by IPSec encryption of wireless client traffic.
- Man in the middle—These threats are mitigated by IPSec encryption of wireless client traffic.
- Unauthorized access—Only the protocols needed for initial IP configuration (DHCP) and VPN access (DNS, Internet Key Exchange [IKE], and Encapsulating Security Payload [ESP]) are allowed from the WLAN into the corporate network, through filtering at the AP and the Layer 3 switch. Authorization policies can optionally be enforced on the VPN gateway for individual user groups.
- IP spoofing—Hackers can spoof traffic on the wireless LAN, but only valid, authenticated IPSec packets will ever reach the production wired network.
- ARP spoofing—ARP spoofing attacks can still be launched, but the data is encrypted to the VPN gateway, so hackers are unable to read it.
- Password attacks—These threats are mitigated through good password policies and auditing and optionally, OTP.
- Network topology discovery—Only IKE, ESP, DNS, and DHCP are allowed from this segment into the corporate network.
Threats Not Mitigated
- MAC/IP spoofing from unauthenticated users—ARP spoofing and IP spoofing are still effective on the WLAN subnet until the wireless client uses IPSec to secure the connection.
Standard VPN WLAN Design Guidelines
WLAN APs connect to Layer 2 switches in the building module on a dedicated VLAN, and the traffic they forward from the WLAN to the wired LAN is protected by the clients' IPSec tunnels until it reaches the wired network. It is important to point out that WEP is not enabled in this design. The wireless network itself is considered an untrusted network, suitable only as a transit network for IPSec traffic.
In order to isolate this untrusted network, administrators should not mix the VLAN for the WLAN users with a wired network. This configuration would allow hackers on the wireless network to potentially attack users on the wired network. The WLAN clients associate with a wireless AP to establish connectivity to the campus network at Layer 2.
The wireless clients then use DHCP and DNS services in the server module to establish connectivity to the campus at Layer 3. It should be noted that when the wireless client is communicating with the campus network, but before the IPSec tunnel is established, the client traffic is not considered secure. All the noted WLAN security issues are still present until the wireless client can secure communications with an IPSec VPN.
Therefore, two mitigation techniques are recommended:
First, the AP should be configured with ethertype, protocol, and port filters based on the company's wireless usage policy. SAFE WLAN recommends restrictive filters that allow only the protocols required to establish a secure tunnel to a VPN gateway. These are DHCP for initial client configuration, DNS for name resolution of the VPN gateways, and the VPN-specific protocols IKE (UDP port 500) and ESP (IP protocol 50). The DNS traffic is optional, depending on whether the VPN client must be configured with a DNS name for the VPN gateway or whether an IP address is acceptable.
Secondly, personal firewall software is included on the wireless client to protect the client while it is connected to the untrusted WLAN network without the protection of IPSec. In general terms, the VPN gateway delineates between the trusted wired network and the untrusted WLAN. The wireless client establishes a VPN connection to the VPN gateway to start secure communication to the corporate network. In the process of doing so, the VPN gateway provides device and user authentication via the IPSec VPN.
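The first technique above, the restrictive protocol filter, as an added example on the Layer 3 switch side in Catalyst IOS (the article places the same filter on the AP; this is not configuration from the article or from SAFE). It assumes the untrusted WLAN is VLAN 40 (10.20.40.0/24) and uses placeholder addresses for the DHCP server (10.1.0.20), the DNS server (10.1.0.53) and the VPN gateway (10.1.1.5).

```cisco
! Added example, assumed addressing. The WLAN is untrusted transit only:
! allow just what the VPN client needs to reach the gateway, deny the rest.
ip access-list extended WLAN-VPN-IN
 remark DHCP: initial DISCOVER/REQUEST (source 0.0.0.0) and later unicast renewals
 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
 permit udp 10.20.40.0 0.0.0.255 eq bootpc host 10.1.0.20 eq bootps
 remark DNS: only needed if clients are configured with the gateway's name, not its address
 permit udp 10.20.40.0 0.0.0.255 host 10.1.0.53 eq domain
 remark IKE (UDP 500) and ESP (IP protocol 50) to the VPN gateway only
 permit udp 10.20.40.0 0.0.0.255 host 10.1.1.5 eq isakmp
 permit esp 10.20.40.0 0.0.0.255 host 10.1.1.5
 remark Everything else, including traffic toward the wired user VLANs, is dropped and logged
 deny   ip any any log
!
interface Vlan40
 description Untrusted WLAN transit VLAN for IPSec clients
 ip address 10.20.40.1 255.255.255.0
 ip helper-address 10.1.0.20
 ip access-group WLAN-VPN-IN in
```

Note that ICMP is not in the list, so a client cannot ping the gateway to troubleshoot; check tunnel establishment from the gateway side instead, and use the hit counters from `show ip access-lists WLAN-VPN-IN` to see whether IKE and ESP are arriving. Only the DHCP and DNS servers remain reachable at the application layer from the WLAN, which is exactly the exposure the next paragraph addresses.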
Even with this filtering, the DNS and DHCP servers are still open to direct attack on the application protocols themselves. Extra care should be taken to ensure that these systems are as secure as possible at the host level. This includes keeping them up-to-date with the latest OS and application patches and running a host-based intrusion-detection system (HIDS).
The VPN gateway can use digital certificates or preshared keys for wireless device authentication. The VPN gateway then takes advantage of OTPs to authenticate users to it. Without OTP, the VPN gateways are open to brute-force login attempts by hackers who have obtained the shared IPSec key used by the VPN gateway. The VPN gateway takes advantage of RADIUS services, which in turn contact the OTP server for user authentication. The VPN gateway uses DHCP for IP address configuration in order for the WLAN client to communicate through the VPN tunnel. Security in the design is maintained by preventing network access if a VPN gateway or RADIUS service fails. Both services are required in order for the client to reach the wired network with production traffic.
Network designers may still consider enabling static WEP keys on all devices in an effort to add an additional deterrent against hackers. Although enhancements to WEP such as the MIC and WEP key hashing provide effective risk mitigation to currently identified WEP vulnerabilities, the management overhead of dealing with static key changes makes this alternative less than ideal for large WLAN deployments. This management overhead could be mitigated by never changing the static WEP key, but this solution falls strongly into the “security-through-obscurity” category.
To further secure the DNS and DHCP services, network designers should consider using dedicated hosts for the VPN WLAN DHCP and DNS deployment.
This mitigates against two potential threats that could affect wired resources:
- DoS attacks against the DHCP and DNS services which could affect wired users
- Network reconnaissance through the use of DNS queries or reverse-lookups
As an alternative to dedicated DNS servers, designers may consider hard-coding the IP address of the VPN gateway in the VPN clients. The drawback of this solution is that if the IP address of the VPN gateway changes, every client will need to have its gateway entry updated.