Wireless security by the numbers
Battening down a wireless LAN means keeping track of a lot of moving parts; here's how to get what you need
LOCKDOWN: BlueSocket controllers authenticate wireless users.
Cisco makes a variety of controllers and wireless access points.
Like other types of information technology, wireless networks offer a mix of benefits and security threats. While the potential threats are enough to make security officers cringe, the benefits are enough to make users lay out their own cash to set up access. Like it or not, agencies had better be prepared to install and secure a wireless LAN, or people will start deploying one of their own.
'You are battling the fact that people can purchase and deploy a wireless network easily,' said Stan Gatewood, information security officer for the University of Georgia at Athens. 'They can go downtown and buy an access point for under $50.'
Then there's the matter of securing mobile devices that access a WLAN. Don Rhodes, a civilian IT specialist at Fort Dix, N.J., said soldiers coming to the base for training prior to deploying to the Middle East expect to use their personal computers both for work and for sending e-mail home to their parents. The choices are either to strictly police users' computer habits or, as Rhodes is doing, to make the WLAN itself secure.
'Even if you tell them not to, users are going to use their personal PCs to conduct government business,' Rhodes said. 'We would rather have a network that has some security on it rather than a wide-open system like we had before.'
Earlier this year, the Agriculture and Defense departments released directives on securing wireless LANs. Whether or not you work for those agencies, both documents provide a good overview of the steps anyone should take in procuring and deploying a secure wireless network.
Common components
Securing a wired or a wireless network involves a mix of hardware, software, policies and training. In setting up a system, however, an agency needs to consider the end-to-end network and ensure that all pieces work together. For example, if different parts of the WLAN are operating on disparate encryption schemes, the network will default to the lowest standard.
'If you're using an older security standard such as WPA (Wireless Protected Access) or multimode security, you are only as secure as your weakest link,' said Peter Firstbrook, research director in information security and privacy for Gartner Inc. of Stamford, Conn.
Similarly, unless the agency is providing client hardware to all potential users, the WLAN must accommodate a wide variety of connecting devices without compromising security.
'Many solutions are vendor-specific to the client device and therefore are not protecting everything over a wide range of clients,' cautioned Sonny Gutierrez, LAN/WAN security specialist for CDW Government in Herndon, Va.
The wireless policies from DOD and USDA both take an end-to-end view of wireless networks. While the directives differ in specifics, they also address certain common areas that are applicable to securing any wireless network. These include:
Following standards. Wireless systems must comply with the IEEE 802.11 family of wireless standards.
Encryption. Data must be encrypted in transit. 802.11i is the IEEE standard, and federal requirements are covered under Federal Information Processing Standard 140-2 (FIPS 140-1 validation is no longer acceptable to DOD or USDA). Most wireless devices sold within the last year support these standards, but the network only gets their protection if every component in it is brought up to that standard.
Authentication. The wireless standard for authentication is 802.1x, which incorporates the Extensible Authentication Protocol, an authentication method that also works on Ethernet and Token Ring networks.
Interoperability. Not all equipment, even if built to the same standards, works together. The Wi-Fi Alliance tests and certifies equipment that meets 802.11 standards and interoperates. The Alliance classifies devices that meet both the 802.11i encryption standard and the 802.1x authentication standard as WPA2-certified. According to Michael Disabato, senior analyst for the Burton Group, 'WPA2 provides an enterprise-class security solution for user authentication and encryption.'
Client security. Notebook PCs or other devices accessing the WLAN should be running a personal firewall that meets National Information Assurance Partnership Common Criteria standards. Companies such as Zone Labs LLC and Symantec Corp. offer centrally managed personal firewalls and antivirus programs for mobile devices. These let administrators lock down security settings. The security server will also scan devices to ensure the firewall and AV signatures are up-to-date before allowing clients to connect to the network.
Wireless intrusion detection. Administrators must also be on the lookout for attempts at unauthorized access. In addition to the usual method of examining packets, sensors that detect mobile devices can be installed across a wireless network. One method is to set up a network of active or passive devices that monitor radio-frequency transmissions and identify any unauthorized users or access points.
Some wireless access points are designed to switch between providing access and listening for intruders. When an unauthorized user or access point is detected, the management software should be able to evaluate the device's signal strength and pinpoint its location on a CAD drawing of the premises.
Gartner's Firstbrook recommends using passive sensors. 'A passive sensor is harder for the attacker to identify,' he said. 'It gives you the ability to monitor them without triggering their defenses.' AirDefense Inc. of Alpharetta, Ga., has hardware that will direct a packet flood at a rogue device to knock it off the network.
Configuration management. Finally, no matter what hardware or software your agency installs, there is still a matter of correctly configuring the devices.
'The largest threat is misconfiguration or taking an access point out of the box and leaving the default settings in place,' said Alex Zaltsman, managing partner of Exigent Technologies LLC of Morristown, N.J. 'Default administrator passwords can be easily obtained by downloading a user manual and access points come with encryption disabled.'
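As an added illustration of the two points above, spotting access points nobody sanctioned and catching radios left on factory defaults, here is a small audit routine that is not from the article or from any vendor it names. The scan records, the authorized-AP inventory, the default-SSID list and the policy ranking are constructed sample data; a real sensor would feed in live beacon captures.

```python
from dataclasses import dataclass

# Link-layer security ranked weakest to strongest. Policy is 802.11i/WPA2
# everywhere, so anything below REQUIRED on an authorized radio is a finding.
CIPHER_RANK = {"OPEN": 0, "WEP": 1, "WPA-TKIP": 2, "WPA2-CCMP": 3}
REQUIRED = "WPA2-CCMP"
# Hypothetical factory-default SSIDs (constructed list) a sensor should flag.
DEFAULT_SSIDS = {"linksys", "default", "NETGEAR"}

@dataclass(frozen=True)
class Beacon:
    bssid: str     # radio MAC as seen by the sensor
    ssid: str
    security: str  # a CIPHER_RANK key
    rssi: int      # dBm; a stronger signal means a closer device, so triage it first

def audit(beacons, inventory, official_ssid):
    """Return (severity, bssid, message) tuples, strongest signal first.
    inventory maps authorized BSSIDs to the SSID each is supposed to serve."""
    findings = []
    for b in beacons:
        if b.bssid not in inventory:
            if b.ssid == official_ssid:
                sev, msg = "high", "unauthorized AP advertising the official SSID"
            elif b.ssid in DEFAULT_SSIDS or b.security == "OPEN":
                sev, msg = "medium", "unmanaged AP with default/open configuration"
            else:
                sev, msg = "low", "unknown AP, likely a neighbor's"
            findings.append((sev, b.bssid, b.rssi, msg))
            continue
        # Authorized radio: confirm it really runs the required encryption
        # (the weakest-link problem) and serves the SSID the inventory lists.
        if CIPHER_RANK[b.security] < CIPHER_RANK[REQUIRED]:
            findings.append(("high", b.bssid, b.rssi,
                             f"authorized AP on {b.security}; policy requires {REQUIRED}"))
        if b.ssid != inventory[b.bssid]:
            findings.append(("medium", b.bssid, b.rssi, f"authorized AP serving {b.ssid!r}"))
    findings.sort(key=lambda f: -f[2])
    return [(sev, bssid, msg) for sev, bssid, _, msg in findings]

# Constructed sample data: two managed radios; the sensor sees five beacons.
INVENTORY = {"00:11:22:33:44:01": "AGENCY-NET", "00:11:22:33:44:02": "AGENCY-NET"}
SCAN = [
    Beacon("00:11:22:33:44:01", "AGENCY-NET", "WPA2-CCMP", -45),
    Beacon("00:11:22:33:44:02", "AGENCY-NET", "WPA-TKIP", -50),   # weakest link
    Beacon("de:ad:be:ef:00:01", "AGENCY-NET", "OPEN", -38),       # impersonating rogue
    Beacon("de:ad:be:ef:00:02", "linksys", "OPEN", -70),          # out-of-the-box AP
    Beacon("aa:bb:cc:dd:ee:ff", "CoffeeShop", "WPA2-CCMP", -80),  # neighbor bleed-over
]

if __name__ == "__main__":
    for sev, bssid, msg in audit(SCAN, INVENTORY, "AGENCY-NET"):
        print(f"[{sev:6}] {bssid}  {msg}")
```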
The client devices also need to be configured so they only access the official network, not some other signal that might bleed over into the office from a neighbor.
'You don't want people jumping from WLAN to WLAN, you want them to be stuck to the WLAN you want them to use,' Firstbrook said. 'Unfortunately most of the WLAN drivers are very promiscuous; Microsoft will join any WLAN that is available.'
Applying security principles
Although there are general guidelines to setting up a secure wireless LAN, each system still needs to be designed to meet the business and security needs of the particular organization. Just as in the wired world, networks vary in terms of openness, flexibility and secrecy. When it's time for your agency to build out its WLAN, consider the following examples to see which most closely matches your requirements.
WLAN 1: Maximum security. The Joint Forces Command's Joint Futures Lab in Suffolk, Va., set up a WLAN for mobile workers and guests in the three buildings on its campus. Users can access voice, video, data, Web sites and e-mail. The network has 130 access points and a 2-gigabit backbone supporting 802.11 a/b/g devices, and uses 802.16d wireless MAN (metropolitan area network) between buildings. The network employs a five-layer, defense-in-depth architecture and a wide array of security technologies, including Air Fortress encryption gateways from Fortress Technologies; Bluesocket wireless gateways and firewalls; AirDefense wireless IDS; virtual private networking over IPSec from Cisco Systems; and a wireless management platform from Airwave Wireless Inc. [for more, see GCN.com/676].
Planned enhancements include full disk encryption, a Layer 2 VPN, policy enforcement agents and end-point management. Jared Judy, wireless network engineer, said that one of the biggest challenges was 'getting vendors to play together for integration purposes so administrators don't have to bounce between three, four or five different console screens to be able to monitor and manage the system.'
WLAN 2: Public access network. The city of Burbank, Calif., last year set up a metropolitan wireless network covering its downtown areas. The square-mile hot spot uses ruggedized 802.11b/g access points from M-Gravity LLC of Torrance, Calif., which connect to a Proxim MP.11a system. A Bluesocket WG1100 wireless gateway controls bandwidth, session time limits and authentication. Security on the city's internal wireless links is tighter.
'The city of Burbank uses wireless capabilities to extend the reach of the local area network to buildings not connected via fiber optics,' said Perry Jarvis, the city's chief information security officer. 'We run many mission-critical applications over our citywide wireless bridge network and offer free WiFi in many locations.'
To protect the network, the city has multiple firewalls and intrusion detection/prevention appliances placed at key points around the network. 'The city uses many common security practices such as MAC [Media Access Control] filtering, encryption, hidden SSIDs [service set identifiers] and strong passwords to secure our wireless network,' Jarvis said.
WLAN 3: For work and play. Don Rhodes is setting up a dual-purpose wireless network at Fort Dix. Troops training at the base will be able to use personal computers for public Internet access, and base staff will be able to use it for official business.
'We are approaching the project from a security perspective as well as a business perspective, and I believe we have balanced both,' Rhodes said.
Currently the system is undergoing evaluation, testing and certification, so no official business is being conducted over it. In the meantime, however, there are hundreds of morale, welfare and recreation users. Both categories of users share the same access points, which cover dormitory day rooms and outside spaces and provide network access to devices in buildings not connected to the fiber network. The wireless traffic goes through an Aruba 5000 controller where it's then routed to separate virtual LANs.
'If you don't have FIPS encryption, the [Common Access Card] card and proper authentication, it won't let you onto the government network, it will send you to the Internet,' Rhodes said. Although it has not been approved yet, he feels it will meet the base's security needs. 'The Aruba controller gives us confidence that the traffic coming across our wired network is secure.'
Do your homework
However your agency chooses to approach a wireless LAN, deploying the network involves balancing usability with the need to enforce security standards. It requires a complete analysis of the business needs and budget, as well as the technology to be used. See the accompanying checklist for questions you should ask when writing a request for wireless LAN proposals.
If you do your homework and press your contractor partners to hew to an internal policy that you write up or model on other agencies', it's possible to create a wireless network that's as secure as a wired LAN.