NIST puts together a plan for securing wireless LANs
- By William Jackson
- Sep 28, 2011
Wireless local-area networks are widely used in government to extend traditional LANs, but they can introduce new networking risks, the National Institute of Standards and Technology warns.
“Unfortunately, WLANs are typically less secure than their wired counterparts for several reasons, including the ease of access to the WLAN and the weak security configurations often used for WLANs (to favor convenience over security),” NIST says in newly released guidelines for securing wireless networks.
Draft Special Publication 800-153, “Guidelines for Securing Wireless Local Area Networks” provides recommendations for improving the security configuration and monitoring of wireless networks and the devices connecting to them.
4 threats to wireless security
The document focuses on the most commonly used type of WLAN, based on the IEEE 802.11 family of WiFi standards.
WiFi security concerns are nothing new. In 2002, NIST famously pronounced that wireless access points are “the logical equivalent of an Ethernet port in the parking lot.” The principal caveat offered by NIST then still applies: All the vulnerabilities found in conventional wired networks also can be found in wireless technologies, along with a host of others associated with radio communications and mobile clients.
WiFi security has evolved since approval of the initial 802.11 standard in 1997. Wired Equivalent Privacy was added and then replaced when flaws were found. Eventually Wi-Fi Protected Access was adopted, and in 2004 WPA2 was introduced with interoperability with the 802.11i security standard. In 2009, the 802.11w-2009 standard was ratified, increasing security with additional encryption security features to help prevent denial-of-service attacks against WLANs.
SP 800-153 is part of a suite of NIST wireless security publications. It complements but does not replace SP 800-97, “Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i,” released in 2007, or SP 800-48 revision 1, “A Guide to Security Legacy 802.11 Wireless Networks,” revised in 2008. The new publication consolidates and strengthens recommendations made in the earlier documents and, while it does not replace them, it does take precedence when recommendations conflict.
SP 800-153 emphasizes the importance of having a standardized WLAN security configuration built into the wireless network from the beginning of the design phase and maintained throughout the life cycle, and the need for continuous security monitoring of the network, along with periodic assessments.
Basic security guidelines offered include:
- Have standardized security configurations for common WLAN components, such as client devices and access points, to provide a base level of security and reduce the time and effort needed to secure components as they are added.
- Consider the security not only of the WLAN itself, but also how it might affect the security of other networks to which it is connected. An organization also should have separate WLANs if there is more than one security profile for WLAN use.
- Have policies for what kinds of dual connections are permitted or prohibited for WLAN client devices, and enforce these policies through the appropriate security controls. “Dual connected” generally refers to a client device that is connected to both a wired network and a WLAN at the same time, creating a vector for exploits to both networks.
- Ensure that configurations for the client devices and access points are compliant with WLAN policies. Organizations should standardize, automate and centralize as much of their WLAN security configuration implementation and maintenance as practical.
- Use both attack monitoring and vulnerability monitoring to support WLAN security. Security monitoring is important for all systems and networks, but it is generally even more important for WLANs because of the increased risks that they face.
- Conduct regular periodic technical security assessments for the organization’s WLANs. Assessments of overall security should be performed at least annually, and periodic assessments should be done at least quarterly if continuous monitoring is not collecting all of the necessary information about WLAN attacks and vulnerabilities.
Comments on draft SP 800-153 should be sent by Oct. 28 to firstname.lastname@example.org, with "Comments SP 800-153" in the subject line.
William Jackson is freelance writer and the author of the CyberEye blog.