Clip and save: Tips for a secure WLAN
Deploying a secure wireless LAN involves more than securing the wireless link between the client and the access point. Ultimately, it involves the entire network infrastructure.
The National Institute of Standards and Technology warned in SP 800-48, Wireless Network Security, 'maintaining a secure wireless network is an ongoing process that requires greater effort than that required for other networks and systems.' Including wireless in the network mix means risk assessments should be done more frequently and security controls should be continuously evaluated, NIST said. The agency expects to refresh its wireless security guidance later this year.
The Defense Department, in its draft Wireless LAN Security Framework, noted that security must be designed into the wireless LAN. The final DOD Security Technical Implementation Guide will include requirements and recommendations for configuration and deployment, such as mutual authentication of both access points and end users, and strong encryption that meets government standards. Wireless clients will also have to be certified against Common Criteria protection profiles.
Step-by-step security
The end requirements for each agency will differ, but NIST has laid out the steps that must be taken to ensure that wireless networks are adequately secured. This begins with a risk assessment and a cost-benefit analysis to determine if wireless is feasible and desirable.
Agencies should pay attention to mitigating risks in physical security as well as in system security. This includes identification badging systems and physical access control.
Access points should be configured to ensure that only authorized administrators can access and manage them. Strong passwords should be used and management links should be encrypted as strongly as possible.
Physical site surveys are needed to determine where access points are needed and to ensure that the range of access points does not exceed what is necessary. Because eavesdropping cannot be completely prevented, encryption is recommended. Placing the WLAN outside of the firewall so all traffic can be passed through the firewall might also be a good idea.
Policy updates to address software upgrades, patch management and configuration management may be needed to boost the overall security posture of the network. Wireless intrusion detection can be a useful tool in a defense-in-depth strategy and will eventually be required for DOD WLANs.
NIST's recommendations for building a secure WLAN include:
ADOPT a robust ID system for physical access control
DISABLE file and directory sharing on PCs
PROTECT sensitive files with passwords and encryption
INVESTIGATE 802.11 products with the best security strategy and performance history
USE products with Simple Network Management Protocol Version 3 or other encrypted management capabilities
TURN OFF all unnecessary services on wireless access points
TURN OFF power to access points when not in use, if possible
TURN ON the logging capabilities of access points and review logs regularly
CONFIGURE access points to require passwords for management, encrypt management links, use MAC Access Control Lists, change default keys and passwords, and disable remote SNMP
CONDUCT a site survey and strategically place access points
DEPLOY a virtual private network with a firewall between gateways and clients
ESTABLISH comprehensive security policies on use of wireless devices
USE personal firewalls and antivirus software on wireless clients
GET expert help in conducting security assessments after deployment.
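As an added example (not from the article or from NIST), the access-point items above can be checked mechanically: the script below audits an AP running-config for management passwords, encrypted management links, MAC ACLs, plaintext SNMP and logging. It assumes Cisco IOS-style syntax (the article names no vendor), and both sample configs are constructed.

```python
import re

# Constructed sample access-point configs in Cisco IOS style (an assumption:
# the article names no vendor). The "weak" one violates several list items.
WEAK_AP_CONFIG = """\
enable password cisco
no logging on
snmp-server community public RO
snmp-server community private RW
ip http server
line vty 0 4
 transport input telnet ssh
"""

HARDENED_AP_CONFIG = """\
enable secret 5 $1$PLACEHOLDER$hashgoeshere
logging on
logging host 10.0.0.5
snmp-server group apmgmt v3 priv
no ip http server
ip http secure-server
access-list 700 permit 0011.2233.4455 0000.0000.0000
dot11 association mac-list 700
line vty 0 4
 transport input ssh
"""

# Settings whose presence contradicts the checklist (one regex per config line).
WEAK_SETTINGS = [
    ("clear-text enable password", r"^enable password "),
    ("SNMPv1/v2c community string (plaintext management)", r"^snmp-server community "),
    ("unencrypted HTTP management enabled", r"^ip http server$"),
    ("telnet permitted on management line", r"^\s*transport input .*\btelnet\b"),
    ("logging disabled", r"^no logging on$"),
]
# Settings the checklist asks for; their absence is a finding.
REQUIRED_SETTINGS = [
    ("no syslog destination for log review", r"^logging host "),
    ("no MAC access control list applied", r"^dot11 association mac-list "),
]

def audit_ap_config(config: str) -> list:
    # Return the checklist violations found in one AP running-config.
    lines = config.splitlines()
    findings = [name for name, pat in WEAK_SETTINGS
                if any(re.search(pat, line) for line in lines)]
    findings += [name for name, pat in REQUIRED_SETTINGS
                 if not any(re.search(pat, line) for line in lines)]
    return findings
```

Running `audit_ap_config` on the weak config reports all seven violations; the hardened config reports none.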
To read more of NIST's current recommendations for securing wireless networks, go to www.gcn.com and enter 457 in the GCN.com/box.