New practices in wireless security
Advanced security solutions will help protect both wired and wireless networks.
by Mitchell Ashley
Unlike external traffic entering a wired network, which is policed by firewall and intrusion-prevention technologies, wireless LANs lack the equivalent physical control, exposing information assets to a greater level of risk. Of even more concern is the mobility of the devices connecting to wireless LANs and the increased exposure this introduces to the internal network.
The weak security of wired equivalent privacy (WEP) has been well documented. Network administrators frequently choose not to implement WEP's shared-key technology so as not to give a false sense of security. Others choose to implement WEP simply to increase the work factor required to hack into the network.
Stronger security options for 802.11 WLAN networks (Wi-Fi) are now available, and others will be offered in the near future. The immediate cure to WEP's ailments is Wi-Fi protected access (WPA), which offers two configuration options, one targeted at home users and smaller networks, and the second designed for larger networks.
WPA preshared key (WPA-PSK) is best suited for small businesses and home wireless networks. A shared key, or password, is configured in the wireless access point (WAP) and any wireless laptop or desktop devices. WPA-PSK generates a unique key for each session between a wireless client and the associated WAP. The unique key used in the client-to-access-point communications makes reverse engineering of the preshared key more difficult for would-be attackers.
WPA-PSK uses more advanced security techniques to encrypt and monitor the message stream. While WPA-PSK still uses the RC4 encryption standard used in WEP, it implements temporal key integrity protocol (TKIP), which provides per-packet key mixing, a message integrity check and a re-keying mechanism. TKIP's algorithms and message-integrity checking techniques prevent the unwanted decryption of and tampering with packets in the wireless message stream.
One pitfall of WPA-PSK is that the preshared key is subject to dictionary attacks (guessing of commonly used passwords). Good password-management techniques, such as long passwords and the mixing of alphanumeric characters and punctuation marks, are required to help reduce the chance of a successful attack.
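The following Python is an added example, not code from the article or from StillSecure. It shows the two key derivations the preceding paragraphs describe: the 256-bit master key that WPA-PSK computes from the passphrase and SSID (PBKDF2-HMAC-SHA1 with 4,096 iterations, as specified in IEEE 802.11i), and the per-session key expanded from that master key together with both MAC addresses and two fresh nonces, which is why every client-to-WAP session ends up with a unique key even though the passphrase never changes. It also includes a simple passphrase policy check in the spirit of the advice above; the entropy estimator is a crude upper bound and the MAC addresses, nonces and policy thresholds in the demo are constructed values.

```python
import hashlib
import hmac
import math
import string

# 802.11i maps a WPA-PSK passphrase to a 256-bit pairwise master key (PMK)
# with PBKDF2-HMAC-SHA1, 4096 iterations, the SSID as salt.
PBKDF2_ITERATIONS = 4096


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte PMK for a WPA-PSK network."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, dklen=32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range(math.ceil(nbits / 160)):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def wpa_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """512-bit pairwise transient key for one session between the access point
    (address aa) and the station (address spa). The nonces are fresh for every
    association, so the session key differs every time while the PMK stays fixed."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 512)


def _char_classes(passphrase: str):
    return [any(c.islower() for c in passphrase),
            any(c.isupper() for c in passphrase),
            any(c.isdigit() for c in passphrase),
            any(c in string.punctuation for c in passphrase)]


def passphrase_entropy_bits(passphrase: str) -> float:
    """Crude upper bound on guessing work: length * log2(character pool).
    A passphrase made of dictionary words is far weaker than this estimate."""
    pool = sum(size for present, size in zip(_char_classes(passphrase), (26, 26, 10, 32)) if present)
    return len(passphrase) * math.log2(pool) if pool else 0.0


def passphrase_meets_policy(passphrase: str, min_len: int = 20, min_classes: int = 3) -> bool:
    """Policy in the spirit of the article: long, mixing letters, digits and punctuation.
    The thresholds are constructed defaults, not a standard."""
    return len(passphrase) >= min_len and sum(_char_classes(passphrase)) >= min_classes


if __name__ == "__main__":
    pmk = wpa_psk("password", "IEEE")          # 802.11i test vector inputs
    print("PMK:", pmk.hex())
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")   # constructed MACs
    for anonce in (b"A" * 32, b"B" * 32):       # constructed nonces; real ones are random
        print("PTK:", wpa_ptk(pmk, aa, spa, anonce, b"S" * 32).hex()[:32], "...")
    for p in ("password", "Tr0ub4dor&3-long-random-phrase!"):
        print(p, round(passphrase_entropy_bits(p), 1), "bits, policy ok:", passphrase_meets_policy(p))
```

Each PSK guess costs an attacker 4,096 PBKDF2 iterations, which is why the passphrase length and character mix, not the iteration count, decide whether a dictionary attack succeeds.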
RADIUS FOR LARGER NETWORKS
Larger networks can use WPA 802.1X/EAP, or Radius, for implementing WPA security. While more complicated to set up than WPA-PSK, this method can leverage an existing network and directory infrastructure to require a unique user ID and password for each wireless user connecting to the WLAN.
Rather than relying on a predefined shared key, WPA 802.1X/EAP employs a user ID and password to authenticate each wireless device when it associates with a WAP. The credentials supplied are validated against a Radius server or a directory server (such as Windows Active Directory) supporting the Radius protocol.
Once the device is authenticated, WPA 802.1X produces a unique master key for that wireless device's session. TKIP is then used to distribute this key to the client. The same encryption and message-integrity checking implemented in WPA-PSK is used from this point forward.
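The following Python is an added example, not code from the article or from StillSecure. It models the 802.1X behaviour just described: the WAP keeps each client's controlled port closed after association, passes only EAP traffic through until the credentials are accepted, and receives a fresh per-session master key from the server on success. The user store is a constructed stand-in for a Radius server or directory (it does not speak the Radius protocol), and the MAC address and credentials are constructed sample values.

```python
import hmac
import os


class RadiusServer:
    """Stand-in for the Radius/directory back end: validates an identity and
    password and, on success, mints a fresh random 256-bit master key for
    that session (a real server returns it in Radius attributes)."""

    def __init__(self, users: dict):
        self.users = users      # username -> password; constructed sample store

    def access_request(self, username: str, password: str):
        expected = self.users.get(username)
        if expected is not None and hmac.compare_digest(expected, password):
            return "Access-Accept", os.urandom(32)
        return "Access-Reject", None


class Authenticator:
    """The WAP: one port per client, closed until the server accepts."""

    def __init__(self, radius: RadiusServer):
        self.radius = radius
        self.ports = {}         # client MAC -> {"authorized": bool, "pmk": bytes or None}

    def associate(self, mac: str) -> None:
        # Association grants nothing by itself; the port starts unauthorized.
        self.ports[mac] = {"authorized": False, "pmk": None}

    def handle_frame(self, mac: str, frame_type: str) -> str:
        port = self.ports.get(mac)
        if port is None:
            return "dropped: not associated"
        if frame_type == "EAPOL":
            return "passed to authenticator"   # uncontrolled port: EAP traffic only
        if not port["authorized"]:
            return "dropped: port unauthorized"
        return "forwarded"                      # controlled port open: normal traffic

    def eap_credentials(self, mac: str, username: str, password: str) -> str:
        """Relay the client's credentials to the server and act on the answer."""
        code, pmk = self.radius.access_request(username, password)
        if code == "Access-Accept":
            self.ports[mac] = {"authorized": True, "pmk": pmk}
        return code

    def session_key(self, mac: str):
        return self.ports[mac]["pmk"]


if __name__ == "__main__":
    wap = Authenticator(RadiusServer({"alice": "correct-passphrase-2004!"}))   # constructed
    client = "00:11:22:33:44:55"                                                 # constructed MAC
    wap.associate(client)
    print("data before auth:", wap.handle_frame(client, "DATA"))
    print("EAPOL before auth:", wap.handle_frame(client, "EAPOL"))
    print("bad password:", wap.eap_credentials(client, "alice", "wrong"))
    print("good password:", wap.eap_credentials(client, "alice", "correct-passphrase-2004!"))
    print("data after auth:", wap.handle_frame(client, "DATA"))
    print("session key:", wap.session_key(client).hex())
```

The point the model makes is that the per-session master key originates on the server side and never exists as a shared secret on every client, which removes the dictionary-attack exposure of WPA-PSK.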
Additional wireless security options will be offered through the 802.11i standards efforts. 802.11i will include implementation of TKIP, as well as the advanced encryption standard (AES). The stronger encryption offered by AES will require WAP hardware upgrades due to the CPU-intensive nature of AES.
Microsoft is also doing its part to support WPA in Windows XP. The upgrade is free to Windows XP users and can be installed simply through Windows Update. The Windows WPA patch is also beneficial in that, prior to connection, it identifies to the end-user WAPs that do not use adequate security settings.
Most WAPs now ship with WPA options or can be easily upgraded in a matter of minutes over the Internet. If you use a WAP that does not support WPA, either upgrade it immediately or switch to equipment that does. Reconfigure all of your access points at work and at home to use WPA. There is no longer any reason to be using WEP, or even worse, no security settings at all.
SECURITY RECOMMENDATIONS
A word to the wise, though: most WAPs still ship with no security enabled, so be sure to configure the security settings on all WAPs. Additional WAP security recommendations are:
Change the administrator password using good password-management techniques.
Change the default service set identifier (SSID) to a non-descriptive SSID, using the same good password-management techniques.
Disable broadcasting the SSID.
Limit the broadcasting range to the coverage area that is actually needed.
Enable the onboard firewall if you are using a combination router/WAP in home and small office situations.
Do not enable remote management of the WAP unless the device has been adequately secured.
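The following Python is an added example, not code from the article or from StillSecure. It turns the recommendations above into a repeatable audit of a WAP's settings, reporting every item that still needs attention. The configuration keys, the factory-default password and SSID lists, and the two sample configurations are all constructed for this example; map the keys onto your vendor's own configuration export before using it.

```python
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password", "1234"}      # constructed sample list
DEFAULT_SSIDS = {"default", "wireless", "linksys", "netgear"}    # constructed sample list


def audit_wap(cfg: dict) -> list:
    """Return a list of findings for one WAP; an empty list means it passes every check."""
    findings = []

    # WPA everywhere: open and WEP both fail, a short WPA-PSK passphrase is a warning.
    mode = cfg.get("security_mode", "none").lower()
    if mode in ("none", "open"):
        findings.append("no wireless security enabled: configure WPA")
    elif mode == "wep":
        findings.append("WEP in use: upgrade firmware or hardware and move to WPA")
    elif mode == "wpa-psk" and len(cfg.get("psk", "")) < 20:
        findings.append("WPA-PSK passphrase shorter than 20 characters: dictionary-attack risk")

    # Administrator password: not a factory default and not short.
    admin_pw = cfg.get("admin_password", "")
    if admin_pw.lower() in DEFAULT_ADMIN_PASSWORDS or len(admin_pw) < 12:
        findings.append("administrator password is default or short: change it")

    # SSID: not a default and not descriptive of the organisation.
    ssid = cfg.get("ssid", "").lower()
    org = cfg.get("org_name", "").lower()
    if ssid in DEFAULT_SSIDS or (org and org in ssid):
        findings.append("SSID is a default or identifies the organisation: use a non-descriptive SSID")
    if cfg.get("ssid_broadcast", True):
        findings.append("SSID broadcast enabled: disable it")

    # Radio range: full power is a finding until someone confirms it is needed.
    if cfg.get("tx_power_percent", 100) >= 100:
        findings.append("transmit power at maximum: reduce to the coverage area actually needed")

    # Combination router/WAP: the onboard firewall must be on.
    if cfg.get("integrated_router", False) and not cfg.get("firewall_enabled", False):
        findings.append("combination router/WAP with firewall disabled: enable the onboard firewall")

    # Remote management: off, or at least encrypted and limited to known sources.
    secured = cfg.get("remote_mgmt_https", False) and bool(cfg.get("remote_mgmt_allowlist"))
    if cfg.get("remote_management", False) and not secured:
        findings.append("remote management enabled without HTTPS and a source allow list: disable or secure it")
    return findings


# Constructed sample configurations, not any vendor's real defaults.
FACTORY_CONFIG = {
    "security_mode": "none", "admin_password": "admin", "ssid": "linksys",
    "ssid_broadcast": True, "tx_power_percent": 100, "integrated_router": True,
    "firewall_enabled": False, "remote_management": True, "remote_mgmt_https": False,
}
HARDENED_CONFIG = {
    "security_mode": "wpa-psk", "psk": "correct-Horse-battery-St4ple!-2004",
    "admin_password": "Lk9#vQ2!pZ7mR4sT", "ssid": "x7q-4fz", "org_name": "Acme",
    "ssid_broadcast": False, "tx_power_percent": 40, "integrated_router": True,
    "firewall_enabled": True, "remote_management": False,
}

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name + ":")
        for finding in audit_wap(cfg) or ["no findings"]:
            print("  -", finding)
```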
WPA, however, is not the final answer to security. The most recent wave of worms, Trojans and viruses demonstrates how vulnerable even wired network defenses are to attacks against devices behind the firewall. Many of these attacks take advantage of normal activities end-users perform, such as opening zipped attachments, clicking on links or running executables disguised as security patches.
Wireless devices have added risk because they frequently connect to other networks. Wireless devices commonly connect to Wi-Fi networks at the local coffee shop, at the airport terminal, in hotel rooms and lobbies, at customer and vendor locations, as well as at employees' home networks. This increased exposure means increased risk, but there are some existing and emerging technologies that can significantly reduce this exposure.
Personal firewalls only provide limited defenses via explicit firewall policies that restrict access to the device. These defenses can be misconfigured or rendered impotent by the actions of unknowing end-users. Even centrally managed personal firewalls have yet to prove their viability in quickly adapting to new threats when managing a large number of devices.
A new focus on end-point security is now emerging. End-point devices, wireless in particular, are considered untrusted and must be subject to greater scrutiny prior to connecting to the network. Each newly connected wireless device should be quarantined and examined for evidence of being compromised, as well as for compliance with network security policies, before being allowed to access the network.
These policies should include requiring the latest critical security patches and up-to-date antivirus software, restricting file-sharing and peer-to-peer applications, and enforcing operating system, browser and application security settings. Devices should be re-examined regularly during the session to ensure that actions during the session have not opened the device to attack or allowed the device to act as a launching pad for attacks against the rest of the network.
Existing technologies can be used to script some of these security tests. Newly emerging products automate the application of these policies when devices connect to the network.
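The following Python is an added example, not code from the article or from StillSecure, of the kind of scripted policy test the last two paragraphs describe: a device report is evaluated against an admission policy, a device is quarantined with the reasons recorded if it fails, and the same check is re-run during the session so a change such as a newly started peer-to-peer client moves the device back into quarantine. The report fields, the patch-level numbering, the process names and the policy thresholds are constructed for illustration; a real deployment collects them with an agent or a clientless scan.

```python
from dataclasses import dataclass
from datetime import date, datetime


@dataclass
class DeviceReport:
    host: str
    critical_patch_level: int     # constructed: index of newest critical patch bundle applied
    av_signature_date: date
    personal_firewall_on: bool
    file_sharing_enabled: bool
    running_processes: tuple
    browser_zone: str             # constructed ranking: "low" < "medium" < "high"


# Constructed policy values; tune to your own environment.
POLICY = {
    "min_critical_patch_level": 7,
    "max_av_signature_age_days": 3,
    "forbidden_processes": {"kazaa.exe", "emule.exe", "bittorrent.exe"},   # constructed P2P names
    "min_browser_zone": "medium",
}
ZONE_RANK = {"low": 0, "medium": 1, "high": 2}


def evaluate(report: DeviceReport, policy: dict, today: date):
    """Return ('allow' or 'quarantine', list of reasons). Every failed rule is
    reported, so the help desk can fix all of them in one visit."""
    reasons = []
    if report.critical_patch_level < policy["min_critical_patch_level"]:
        reasons.append("critical patches missing (level %d, need %d)"
                       % (report.critical_patch_level, policy["min_critical_patch_level"]))
    if (today - report.av_signature_date).days > policy["max_av_signature_age_days"]:
        reasons.append("antivirus signatures out of date")
    if not report.personal_firewall_on:
        reasons.append("personal firewall disabled")
    if report.file_sharing_enabled:
        reasons.append("file sharing enabled")
    p2p = sorted({p.lower() for p in report.running_processes} & policy["forbidden_processes"])
    if p2p:
        reasons.append("peer-to-peer application running: " + ", ".join(p2p))
    if ZONE_RANK[report.browser_zone] < ZONE_RANK[policy["min_browser_zone"]]:
        reasons.append("browser security setting below policy")
    return ("quarantine" if reasons else "allow"), reasons


class Session:
    """One connected device: examined on admission, then re-examined during the session."""

    def __init__(self, policy: dict):
        self.policy = policy
        self.state = "quarantine"   # nothing is trusted before the first examination
        self.history = []           # (timestamp, state, reasons) for the audit trail

    def examine(self, report: DeviceReport, now: datetime) -> str:
        state, reasons = evaluate(report, self.policy, now.date())
        self.state = state
        self.history.append((now, state, reasons))
        return state


if __name__ == "__main__":
    # Constructed reports for one laptop at admission and thirty minutes later.
    laptop = DeviceReport("laptop-1", 7, date(2004, 5, 31), True, False,
                          ("explorer.exe", "outlook.exe"), "medium")
    session = Session(POLICY)
    print("admission:", session.examine(laptop, datetime(2004, 6, 1, 9, 0)))
    later = DeviceReport("laptop-1", 7, date(2004, 5, 31), True, False,
                         ("explorer.exe", "kazaa.exe"), "medium")
    print("re-examination:", session.examine(later, datetime(2004, 6, 1, 9, 30)))
    for when, state, reasons in session.history:
        print(when.time(), state, reasons)
```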
Consider the implications of solutions that require client software installation or utilize less-desirable ActiveX technologies. Easier-to-manage clientless solutions are available that eliminate installation requirements and minimize the staff resources needed for ongoing management.
Securing end-point devices limits exposure to the rest of the network, just like securing WAPs with WPA locks down access to the WLAN and ensures authorized access only. Using both of these techniques increases the network defenses of any wireless network implementation.
For more information from StillSecure: www.rsleads.com/406cn-261