Clip and save: Tips for a secure WLAN

Deploying a secure wireless LAN involves more than securing the wireless link between the client and the access point. Ultimately, it involves the entire network infrastructure.

The National Institute of Standards and Technology warned in SP 800-48, Wireless Network Security, 'maintaining a secure wireless network is an ongoing process that requires greater effort than that required for other networks and systems.' Including wireless in the network mix means risk assessments should be done more frequently and security controls should be continuously evaluated, NIST said. The agency expects to refresh its wireless security guidance later this year.

The Defense Department, in its draft Wireless LAN Security Framework, noted that security must be designed into the wireless LAN. The final DOD Security Technical Implementation Guide will include requirements and recommendations for configuration and deployment, such as mutual authentication of both access points and end users, and strong encryption that meets government standards. Wireless clients will also have to be certified against Common Criteria protection profiles.

Step-by-step security

The end requirements for each agency will differ, but NIST has laid out the steps that must be taken to ensure that wireless networks are adequately secured. This begins with a risk assessment and a cost-benefit analysis to determine if wireless is feasible and desirable.

Agencies should pay attention to mitigating risks in physical security as well as in system security. This includes identification badging systems and physical access control.

Access points should be configured to ensure that only authorized administrators can access and manage them. Strong passwords should be used and management links should be encrypted as strongly as possible.

Physical site surveys are needed to determine where access points are needed and to ensure that their coverage does not extend beyond what is necessary. Because eavesdropping cannot be completely prevented, encryption is recommended. Placing the WLAN outside the firewall, so that all wireless traffic must pass through the firewall before reaching the wired network, might also be a good idea.

Policy updates to address software upgrades, patch management and configuration management may be needed to boost the overall security posture of the network. Wireless intrusion detection can be a useful tool in a defense-in-depth strategy and will eventually be required for DOD WLANs.

NIST's recommendations for building a secure WLAN include:
    ADOPT a robust ID system for physical access control

    DISABLE file and directory sharing on PCs

    PROTECT sensitive files with passwords and encryption

    INVESTIGATE 802.11 products with the best security strategy and performance history

    USE products with Simple Network Management Protocol Version 3 or other encrypted management capabilities

    TURN OFF all unnecessary services on wireless access points

    TURN OFF power to access points when not in use, if possible

    TURN ON the logging capabilities of access points and review logs regularly

    CONFIGURE access points to require passwords for management, encrypt management links, use MAC Access Control Lists, change default keys and passwords, and disable remote SNMP

    CONDUCT a site survey and strategically place access points

    DEPLOY a virtual private network with a firewall between gateways and clients

    ESTABLISH comprehensive security policies on use of wireless devices

    USE personal firewalls and antivirus software on wireless clients

    GET expert help in conducting security assessments after deployment.
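As an added example that is not part of the article or of NIST's guidance, the following Python script turns the checklist items on management passwords, encrypted management links, remote SNMP and SNMP version, MAC access control lists, default keys, unnecessary services and logging into an audit of an access point configuration, and then performs the log review the checklist calls for (associations from MACs outside the ACL, repeated failed management logins). The key=value configuration format, the log line format, and every value in them are constructed for illustration and do not correspond to any vendor's real syntax; the "as found" and "hardened" configurations are shown side by side so the effect of each checklist item is visible.

```python
"""Audit an access point's management settings and logs against the
checklist items above. Added example: the config keys and the log format
are hypothetical, not any vendor's real syntax."""
import re
from collections import Counter

# Constructed "as found" configuration in a hypothetical key=value format.
WEAK_AP_CONFIG = """\
admin_password=admin
mgmt_http=enabled
mgmt_https=enabled
mgmt_telnet=enabled
mgmt_ssh=enabled
snmp_remote=enabled
snmp_version=2c
mac_acl=enabled
mac_acl_list=00:11:22:33:44:55,66:77:88:99:aa:bb
link_key=default
logging=enabled
service_upnp=enabled
service_tftp=disabled
"""

# The same access point after applying the checklist (also constructed).
HARDENED_AP_CONFIG = """\
admin_password=Xk9#pL2vQ7!mR4wZ
mgmt_http=disabled
mgmt_https=enabled
mgmt_telnet=disabled
mgmt_ssh=enabled
snmp_remote=disabled
snmp_version=3
mac_acl=enabled
mac_acl_list=00:11:22:33:44:55,66:77:88:99:aa:bb
link_key=rotated
logging=enabled
service_upnp=disabled
service_tftp=disabled
"""

# Constructed access point log lines (hypothetical format) for the review step.
AP_LOG = """\
2024-01-01T10:00:01 assoc mac=00:11:22:33:44:55 result=ok
2024-01-01T10:00:05 assoc mac=de:ad:be:ef:00:01 result=ok
2024-01-01T10:01:00 mgmt-login user=admin src=192.0.2.10 result=fail
2024-01-01T10:01:02 mgmt-login user=admin src=192.0.2.10 result=fail
2024-01-01T10:01:04 mgmt-login user=admin src=192.0.2.10 result=fail
2024-01-01T10:02:00 mgmt-login user=admin src=10.0.0.5 result=ok
"""

DEFAULT_PASSWORDS = {"", "admin", "password", "default"}
MIN_PASSWORD_LEN = 12


def parse_config(text):
    """Parse key=value lines into a dict, ignoring blanks and comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg


def audit_config(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    pw = cfg.get("admin_password", "")
    if pw.lower() in DEFAULT_PASSWORDS or len(pw) < MIN_PASSWORD_LEN:
        findings.append("management password is default or too short")
    for link in ("mgmt_http", "mgmt_telnet"):  # cleartext management links
        if cfg.get(link) == "enabled":
            findings.append(f"cleartext management link {link} is enabled")
    if cfg.get("snmp_remote") == "enabled":
        findings.append("remote SNMP is enabled")
    if cfg.get("snmp_version") != "3":
        findings.append("SNMP version is not v3 (no authentication/encryption)")
    if cfg.get("mac_acl") != "enabled":
        findings.append("MAC access control list is not enabled")
    if cfg.get("link_key") == "default":
        findings.append("default link encryption key still in use")
    if cfg.get("logging") != "enabled":
        findings.append("logging is disabled")
    for key, value in cfg.items():  # any enabled service_* entry is a finding
        if key.startswith("service_") and value == "enabled":
            findings.append(f"unnecessary service {key[len('service_'):]} is enabled")
    return findings


def review_log(log_text, cfg, fail_threshold=3):
    """Flag successful associations from MACs outside the ACL and sources
    with repeated failed management logins."""
    acl = {m.strip().lower() for m in cfg.get("mac_acl_list", "").split(",") if m.strip()}
    unknown_macs, fails = [], Counter()
    for line in log_text.splitlines():
        m = re.search(r"assoc mac=([0-9a-f:]{17}) result=ok", line, re.I)
        if m and m.group(1).lower() not in acl:
            unknown_macs.append(m.group(1).lower())
        m = re.search(r"mgmt-login .* src=(\S+) result=fail", line)
        if m:
            fails[m.group(1)] += 1
    sources = sorted(src for src, n in fails.items() if n >= fail_threshold)
    return {"unknown_macs": unknown_macs, "brute_force_sources": sources}


if __name__ == "__main__":
    for label, text in (("as found", WEAK_AP_CONFIG), ("hardened", HARDENED_AP_CONFIG)):
        print(f"== {label} ==")
        for finding in audit_config(parse_config(text)) or ["no findings"]:
            print("  -", finding)
    print(review_log(AP_LOG, parse_config(WEAK_AP_CONFIG)))
```

Run as a script, it lists the findings for the "as found" configuration (seven, covering the default password, cleartext HTTP and telnet management, remote SNMP, SNMPv2c, the default key and the UPnP service), reports none for the hardened one, and then prints the one MAC that associated without being on the ACL and the one source that failed management login three times. In practice the parser would be replaced by whatever export the real access point provides, and the log review would run on a schedule against the logs the checklist tells you to turn on.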

To read more of NIST's current recommendations for securing wireless networks, go to www.gcn.com and enter 457 in the GCN.com/box.
