How to secure your 'Ethernet port in the parking lot'
- By William Jackson
- Feb 22, 2012
In 2002, the National Institute of Standards and Technology famously pronounced that wireless access points were “the logical equivalent of an Ethernet port in the parking lot.”
Ten years, later that caveat still applies in NIST’s guidance for securing wireless networks: All the vulnerabilities found in conventional wired networks also can be found in wireless technologies, along with a host of others associated with radio communications and mobile clients.
Special Publication (SP) 800-153, Guidelines for Securing Wireless Local Area Networks, provides recommendations for improving the security configuration and monitoring of their IEEE 802.11 wireless local area networks (WLANs) and their devices connecting to those networks.
Wireless networks still vulnerable to intruders
“Unfortunately, WLANs are typically less secure than their wired counterparts for several reasons, including the ease of access to the WLAN and the weak security configurations often used for WLANs (to favor convenience over security),” the publication says.
Recommendations for improving security include standardized configurations and security assessments, and continuous monitoring.
The document focuses on the most commonly used type of WLAN, based on the IEEE 802.11 family of WiFi standards. Wi-Fi security has evolved since approval of the initial 802.11 standard in 1997. Wired Equivalent Privacy (WEP) was added and then replaced when flaws were found. Eventually Wi-Fi Protected Access was adopted, and in 2004 WPA2 was introduced with interoperability with the 802.11i security standard.
In 2009, the 802.11w-2009 standard was ratified, increasing security with additional encryption security features to help prevent denial-of-service attacks against WLANs.
But the levels of security in WiFi implementations depend on the configuration of the platform and the ability to monitor, maintain and manage both clients and access points. The latest publication consolidates and strengthens recommendations made in earlier documents, including SP 800-97, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, released in 2007, and SP 800-48 Revision 1, A Guide to Security Legacy 802.11 Wireless Networks, revised in 2008.
SP-153 does not replace the earlier publications but it does take precedence when recommendations conflict.
Basic security recommendations include:
Have standardized security configurations for common WLAN components, such as client devices and access points, to provide a base level of security and reduce the time and effort needed to secure components as they are added.
Consider the security not only of the WLAN itself, but also how it might affect the security of other networks to which it is connected. An organization also should have separate WLANs if there is more than one security profile for WLAN use.
Have policies for the kinds of dual connections that are permitted or prohibited for WLAN client devices, and enforce these policies through the appropriate security controls. “Dual connected” generally refers to a client device that is connected to both a wired and wireless networks at the same time, which can create a vector for exploits to multiple networks.
Ensure that configurations for client devices and access points are compliant with WLAN policies. Organizations should standardize, automate, and centralize as much of their WLAN security configuration implementation and maintenance as practical.
Use both attack monitoring and vulnerability monitoring of the WLAN. The same types of vulnerability monitoring should be done for WLAN components as for any other software: Identify and apply patches, and verify security configuration settings and adjust them as needed.
Conduct regular periodic technical security assessments for WLANs. Assessments of overall security should be performed at least annually and periodic assessments should be done at least quarterly if continuous monitoring is not collecting all of the necessary information about WLAN attacks and vulnerabilities.
William Jackson is freelance writer and the author of the CyberEye blog.