FEATURE: Wireless security for the enterprise


What You Don't Allow May Still Hurt You
Network Chemistry's Dr. Chris Waters makes the case that a "no wireless" policy doesn't mean no wireless security risks for the enterprise.

Enterprise networks are at risk. This is true for both enterprises using WLAN technology and those that have a "no wireless" policy. WLANs, of course, are inherently risky because they use the open airwaves for communications. The risks, however, have not stopped enterprises or end users from embracing WLANs, because they increase employee convenience and productivity and are more efficiently manufactured. Networking and operations planners, however, must hold security as the primary concern when planning and subsequently deploying a wireless infrastructure. Ignoring security threats can leave an enterprise's core network open to attackers, allowing them access to customer data and other confidential information. Such security breaches leave companies legally liable.

The security risks posed by wireless networks are many, but the greatest one is unauthorized rogue Access Points (APs). Rogue APs affect organizations that have deployed wireless networks as well as those that have instituted a "no wireless" policy. A more sophisticated variation of rogue APs, called WiPhishing, involves setting up a rogue AP that spoofs any AP to which it sees clients attempting to connect. Similarly, ad hoc networks can constitute an equally malicious threat by allowing access to an organization's network, but these are far easier to set up since any 802.11 client can be configured in this mode. Once set up, other users can use the ad hoc network to connect to the wired network, creating an unauthorized entry point into sensitive corporate data and other confidential information.

When one considers the threats of rogue APs and ad hoc networks along with denial-of-service (DoS) attacks, man-in-the-middle (MiTM) attacks, and the highly publicized Wired Equivalent Privacy (WEP) insecurities, it's no wonder so many enterprises institute "no wireless" policies. However, enterprises can mitigate many of these risks by following several best practices for wireless deployments. In short, the best way to maintain the security of a wireless network is to treat it just like any untrusted network.

In addition to using 802.11i for authentication and confidentiality, enterprises should use a VPN to provide end-to-end security from the client to a termination point located off the wireless LAN and on a trusted network segment. Furthermore, the wireless segment should be heavily firewalled to allow only 802.1X authentication and VPN traffic to pass through to the wired network. While these precautions mitigate the risks of MiTM attacks and WiPhishing, they still leave the question of how to effectively combat rogue APs unanswered.

One solution to the rogue AP problem is to look for changes in the MAC address tables of the enterprise's managed switches. However, this is largely a trial-and-error process. It's also made more difficult by the increase in commodity APs that allow users to "clone" the MAC address of another computer. This feature's original intention was to allow home users to more easily set up routers with their broadband service. Unfortunately, it also enables an attacker to set up a rogue AP to appear to be an authorized machine, making it far more difficult to detect. The only real way to effectively mitigate the risk of rogue APs and DoS attacks is to comprehensively monitor WLANs around-the-clock using wireless sensors. This is critical because many wireless attacks will not be visible to a traditional wired network Intrusion Prevention System (IPS) or other wired security systems.

By deploying a dedicated wireless security system that monitors each of the wireless communication channels, an enterprise can more effectively respond to WLAN security issues. If an enterprise is not currently using such a solution, it won't know how effective its security architecture is until it's too late. Enterprises with "no wireless" policies still need to monitor their airwaves if they want to enforce them. Monitoring the environment around-the-clock provides the added detection and visibility that is needed to secure the airwaves.

While detection is the first step, it's also where the part-time security capabilities built into traditional APs stop. A purpose-built wireless intrusion and detection system (WIDP) provides the critical next step necessary to automate threat protection. It does this by automatically responding to wireless threats based on how the policies have been set to best meet enterprise business objectives. Part-time security features on traditional APs cannot support this capability; a dedicated system is needed. Full-time WIDP systems can operate autonomously to contain threats without any action on the part of IT personnel.

In selecting a WIDP for deployment, network and security personnel must choose an architecture that meets their security requirements. As discussed, APs can provide some limited visibility, but a dedicated system is needed for enterprises that hold sensitive information or that need to adhere to compliance regulations. The most advanced dedicated solutions use a two-tiered architecture with purpose-built security sensors that continuously monitor the airwaves. Critical data from each sensor is communicated to a regional or centralized security server that aggregates, archives, and completes detailed correlation analysis using sophisticated algorithms to quickly identify security risks and performance anomalies. If a threat is detected or a problem is discovered, an alert is sent to the security console (or to an integrated third-party system). Then the security sensors automatically de-authenticate the rogue device and contain it until personnel can investigate.
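
The server-side correlation step described above, reduced to a sketch. This is an added example, not Network Chemistry's code: it classifies constructed sensor sightings as rogue AP, spoofed SSID (the WiPhishing case) or ad hoc network, and merges reports from several sensors into one alert. The record fields, label names, inventory format and the use of an exact BSSID match in the switch table as a "wired" hint are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    """One AP/IBSS sighting reported by a wireless sensor (constructed format)."""
    sensor: str
    bssid: str
    ssid: str
    adhoc: bool  # True when the beacon advertises ad hoc (IBSS) mode

# Assumed inventory, BSSID -> SSID. Pass {} for a "no wireless" site.
AUTHORIZED = {"00:11:22:33:44:01": "corp-wlan", "00:11:22:33:44:02": "corp-wlan"}
# Assumed snapshot of MACs learned on managed switch ports.
WIRED_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "de:ad:be:ef:00:10"}

def classify(obs, authorized=AUTHORIZED, wired=WIRED_MACS):
    """Return (label, on_wire). on_wire is only a hint: a cloned MAC defeats it,
    which is why the label is decided from what the sensors hear, not the switch."""
    bssid = obs.bssid.lower()
    on_wire = bssid in wired
    if obs.adhoc:
        return "adhoc-network", on_wire
    if bssid in authorized:
        ok = authorized[bssid] == obs.ssid
        return ("authorized" if ok else "bssid-ssid-mismatch"), on_wire
    if obs.ssid in authorized.values():
        return "ssid-spoof", on_wire  # unknown radio advertising a sanctioned SSID
    return "unknown-ap", on_wire

def correlate(observations, authorized=AUTHORIZED, wired=WIRED_MACS):
    """Server tier: merge sightings from all sensors into one alert per BSSID."""
    alerts = {}
    for obs in observations:
        label, on_wire = classify(obs, authorized, wired)
        if label == "authorized":
            continue
        alert = alerts.setdefault(
            obs.bssid.lower(), {"label": label, "on_wire": on_wire, "sensors": set()})
        alert["sensors"].add(obs.sensor)
    return alerts

# Constructed sample sightings from three sensors.
SAMPLE = [
    Observation("s1", "00:11:22:33:44:01", "corp-wlan", False),
    Observation("s1", "DE:AD:BE:EF:00:10", "linksys", False),
    Observation("s2", "de:ad:be:ef:00:10", "linksys", False),
    Observation("s2", "de:ad:be:ef:00:99", "corp-wlan", False),
    Observation("s3", "02:aa:bb:cc:dd:ee", "laptop-share", True),
]
```

Calling `correlate(SAMPLE, authorized={})` models a "no wireless" site, where every sighting, including the AP that the default inventory sanctions, becomes an alert.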

Clearly, wireless networks are inherently at risk and need to be protected. A lack of security opens an enterprise up to the vulnerabilities discussed above and to the threat that someone will unknowingly or maliciously exploit them. Even enterprises touting a "no wireless" policy must monitor their facilities to ensure that the policy is enforced. Dedicated wireless security ensures safe and reliable wireless networking.

Dr. Chris Waters is chief technology officer at Network Chemistry.