Wireless LANs offer small and medium businesses a wealth of benefits. SMBs are often tempted to begin with consumer-grade (home office) WLAN products. While recent home office products have improved security features over earlier generations, they still may not meet the requirements of many growing businesses, especially businesses that have accumulated critical electronic business assets, have a growing mobile or roaming workforce, or must satisfy regulatory requirements. Such SMBs must pay closer attention to WLAN security.
Use this list as a guide to implementing security for your wireless LANs:
- Create a wireless security policy.
Most SMBs don't have a security policy, much less one that assesses the risks associated with wireless networks. Creating a wireless security policy provides an excellent overview of how to perform this task.
- Perform a WLAN site survey.
Evaluate radio transmission and coverage to reduce unnecessary exposure (leakage) of your WLAN signals to intruders. Determine the data rates you'll obtain from the topologies you are able to deploy. My partner, Lisa Phifer, observes that "using site surveys to limit external exposure has become somewhat of a losing battle. With 802.11n, wireless transmissions go farther, propagating in oddly shaped and variable ways. Place APs so that most of their transmit power falls inside the intended coverage area."
- Perform a WLAN security audit to identify existing vulnerabilities.
A WLAN security audit checks whether your WLAN networks are vulnerable to attacks resulting from configuration errors, whether the equipment or software you use has critical flaws that attackers can exploit to penetrate your network, whether your network is vulnerable to denial of service or impersonation (rogue AP, DHCP, or other spoofing) attacks, and more. Additional considerations may exist if your business is subject to regulatory guidelines (SOX, PCI, HIPAA, ...).
- Prune points in the topology where broadcast traffic creates an unnecessary exposure to passive monitoring.
This security concern exists for all broadcast media. Read What Broadcast Traffic Reveals to understand the broader set of issues.
- At a minimum, use WiFi Protected Access (WPA) to provide short-lived session keys, message confidentiality and integrity. Better yet, consider upgrading your WLAN to WPA2.
WPA2 uses the Advanced Encryption Standard (AES) for data confidentiality and integrity, a stronger form of encryption than is available from WPA. WPA2 also offers improved roaming over WPA.
- Enable IEEE 802.1X port-based authentication and key distribution.
This requires a RADIUS server that supports 802.1X, a digital certificate for the EAP-TLS server, and an EAP type your client hosts support (for Microsoft networks, EAP-TLS or Protected EAP with MSCHAPv2). Some SMBs may achieve satisfactory security by using WPA2 with a strong Pre-Shared Key (PSK), or per-user PSKs, where 802.1X isn't available on all wireless equipment.
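As an added example (not code from the article), the following Python script audits a hostapd-style access point configuration against the WPA2 and 802.1X items above; the consumer-grade and hardened configs are constructed samples, and the option names are hostapd's.

```python
# Added example (not from the article): audit a hostapd-style AP config against the
# WPA2 / 802.1X items above. Option names are hostapd's; both configs are constructed.

CONSUMER_AP = """\
ssid=SmallBizNet
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=password1
"""

HARDENED_AP = """\
ssid=SmallBizNet
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_shared_secret=REPLACE-WITH-LONG-RANDOM-SECRET
"""

def parse_hostapd(text):
    """Parse key=value lines, skipping blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def audit(conf):
    """Return checklist findings; an empty list means the config meets the minimum bar."""
    wpa = int(conf.get("wpa", "0"))                 # hostapd default: no WPA/WPA2 at all
    if wpa == 0:
        return ["no WPA/WPA2: open or WEP-only AP"]
    findings = []
    if not wpa & 2:
        findings.append("WPA (v1) only: upgrade to WPA2 (wpa=2)")
    # rsn_pairwise governs WPA2; hostapd falls back to wpa_pairwise, whose default allows TKIP
    ciphers = set((conf.get("rsn_pairwise") or conf.get("wpa_pairwise", "TKIP")).split())
    if "TKIP" in ciphers:
        findings.append("TKIP allowed: require AES-CCMP (rsn_pairwise=CCMP)")
    akm = set(conf.get("wpa_key_mgmt", "WPA-PSK").split())      # hostapd default: WPA-PSK
    if "WPA-EAP" in akm:
        if conf.get("ieee8021x") != "1" or "auth_server_addr" not in conf:
            findings.append("WPA-EAP set but 802.1X/RADIUS server not configured")
    elif len(conf.get("wpa_passphrase", "")) < 20:
        findings.append("PSK mode with a short passphrase: use 802.1X or a long random PSK")
    return findings
```

Running `audit(parse_hostapd(CONSUMER_AP))` reports the three checklist gaps of the consumer config (WPA1, TKIP, short PSK), while the hardened config comes back clean.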
Here are some specific access control measures to consider for protecting your infrastructure (access points, switches), clients and servers from unauthorized access or misuse:
- Take measures to prevent unauthorized clients from acquiring dynamically assigned addresses from your access points. For example, use static IPs, or allow DHCP only after IEEE 802.1X/MAC authentication.
- Apply all available measures on your access points or WLAN switches to secure them from unauthorized access. For example, do not use plaintext protocols such as SNMP, Telnet or HTTP to access management services. Configure strong passwords and access controls. Restrict the systems from which management access is permitted.
- Consider placing firewalls or application proxies between client and server subnets. Consider network admission - "scan before connect" - technologies offered by WLAN switch vendors.
- Add policies to your firewall to restrict the Intranet servers that (mobile) WLAN clients can access.
- If you offer guest (visitor) use of wireless service, separate this WLAN from your trusted network. Place the guest WLAN outside your trusted network, on your firewall's optional/DMZ interface, or separate its traffic using VLAN/802.1Q tagging. Use guest accounts and require login (guest authentication). Log and audit guest activity.
- If appropriate, add policies to your firewall to allow WLAN clients to access other sites in your organization.
- If appropriate, add policies to your firewall to allow WLAN clients access to the public Internet.
- Configure your interdepartmental firewall policies so that traffic from WLAN and wired clients is subjected to the same policy.
- Make certain all WLAN clients are protected with anti-virus, anti-spyware and personal firewall software.
- Deploy VPN clients on mobile WLAN devices to encrypt traffic and provide stronger authentication when workers access trusted networks from public access and home networks. Assign addresses to VPN clients from a secondary IP subnet to segregate and control WLAN client traffic.
- Expand your intrusion detection measures to encompass WLAN clients. Continue to monitor RF and coverage for rogue access points and possible channel contention with other companies.
- Log and audit at all layers where you apply security.
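As an added example (not from the article), this Python script applies the rogue-AP monitoring and audit points above to the output of a wireless scan; the scan text is a constructed sample in the format of `iw dev wlan0 scan`, and the corporate SSID and authorized BSSIDs are assumed values of the kind a site survey would record.

```python
# Added example (not from the article): flag rogue or under-secured APs in the output
# of `iw dev wlan0 scan`. SCAN is a constructed sample in iw's format; BSSIDs are made up.
import re

CORP_SSID = "SmallBizNet"
AUTHORIZED = {"02:00:00:00:aa:01", "02:00:00:00:aa:02"}  # BSSIDs recorded in the site survey
SCAN = """\
BSS 02:00:00:00:aa:01(on wlan0)
    SSID: SmallBizNet
    RSN:     * Version: 1
         * Authentication suites: IEEE 802.1X
BSS 02:00:00:00:aa:02(on wlan0)
    SSID: SmallBizNet
    WPA:     * Version: 1
         * Authentication suites: PSK
BSS 02:00:00:00:bb:09(on wlan0)
    SSID: SmallBizNet
    RSN:     * Version: 1
         * Authentication suites: PSK
"""

def parse_scan(text):
    """One dict per BSS: bssid, ssid, whether RSN (WPA2) or WPA is advertised, and AKMs."""
    aps = []
    for raw in text.splitlines():
        m = re.match(r"BSS ([0-9a-f:]{17})", raw)
        if m:
            aps.append({"bssid": m.group(1), "ssid": "", "rsn": False, "wpa": False, "akm": set()})
        elif aps:                                 # ignore anything before the first BSS header
            ap, line = aps[-1], raw.strip()
            if line.startswith("SSID:"):
                ap["ssid"] = line[5:].strip()
            elif line.startswith(("RSN:", "WPA:")):
                ap[line[:3].lower()] = True       # RSN element => WPA2; WPA element => WPA (v1)
            elif "Authentication suites:" in line:
                ap["akm"].add(line.split(":", 1)[1].strip())
    return aps

def findings(aps):
    """(bssid, problem) pairs: unknown APs using the corporate SSID (rogue or impersonating),
    and authorized APs that are not running WPA2 with 802.1X."""
    out = []
    for ap in aps:
        b = ap["bssid"]
        if ap["ssid"] == CORP_SSID and b not in AUTHORIZED:
            out.append((b, "rogue AP advertising the corporate SSID"))
        elif b in AUTHORIZED and not (ap["rsn"] and "IEEE 802.1X" in ap["akm"]):
            out.append((b, "authorized AP not running WPA2 with 802.1X"))
    return out
```

On the sample, `findings(parse_scan(SCAN))` reports the second authorized AP (WPA with PSK) as below policy and the unknown BSSID broadcasting the corporate SSID as a rogue.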
You can find more information about these and many other wireless security matters at Lisa Phifer's WLAN CORner.