LAN security is one of the impediments to implementing
WLANs in an organization. But here are some basic guidelines
to secure wireless LANs. by Milind Kamat
wireless and the first thought that comes to mind is
insecurity. Someone can easily tap into your communications
just by driving past your office. But the other side
of the coin is that for the military, wireless is the
only viable means of communication, and you know how
particular military people are about security.
With 128-bit and then 256-bit encryption, intruders
will require tomorrow's supercomputers to decode today's
encrypted messages. So that secures data sent through
wireless networks. What remains are misconceptions about
the technology behind wireless security. Not only the
IT manager, but even governments have their fears, and
hence have hesitated in opening up the wireless spectrum
to the common man.
This article focuses on the Wireless LAN (WLAN) issue,
as it has recently been deregulated by the government,
and is going to make a big impact in the near future.
The article will offer tips on how to make your WLAN
secure enough for business and enterprises.
More than the actual short-comings of WLAN, it is the
wired inertia of the mind towards wireless technology
that acts as a barrier. Did you think about that while
using the mobile or a cordless phone? Even mobile to
mobile communication at some point of time passes over
a wire. Similarly, WLAN is to be viewed as an extension
of the wired network.
Though WLAN broadly falls under the wireless category,
it is still different. WLAN technology is meant for
local area networksnot for wide area networks.
WLAN is for in-building or campus area coverage of mobile
computing users, and not for cellular phones, cordless
phones or pagers. WLAN can also offer point-to-point
communication between LANs separated by a few miles.
WLAN is aimed at customers owning the equipment, and
not aimed towards usage charges or the subscriber model.
WLAN IS INESCApable
WLAN is simple to install. But you do need to address
the security issues carefully. According to a Gartner
report published in August 2001, 'rogue' WLANs exist
in about 20 percent of enterprises.
Somebody may already be planning to tap into your WLAN.
So it's best to plan for WLAN and take the required
measures to secure it. Planning WLAN and its security
gives you a fresh look at the wired LAN, it helps you
and plug security holes in your wired network.
The Internet is becoming the default medium for communications.
Packets of information travel through the Internet,
moving through many unknown networks. And we don't have
control over these packets. The movement of packets
in this fashion is similar to a wireless signal traveling
without your control. When you access the Internet your
network is exposed
to many threats. So by no means are wired networks as
secure as we think.
WLAN shortcomings are similar to those of hub-based
Ethernet networks, a decade ago. Wireless security is
evolving just as security over Ethernet evolved over
a period. The very nature of WLAN makes it intrinsically
more vulnerable than wired LAN.
Over a period of time, people have attempted to secure
the network by deploying firewalls. Most of the networks
and firewall locations are not designed for incorporating
WLANs. To make things worse, wireless access points
are mostly deployed behind the corporate firewall. That
calls for a re-design of network or the creation and
enforcement of policies for wireless users.
Within the 2.4GHz band there are 11 prefixed channels.
These channels help avoid collisions and increase effective
bandwidth. But since these are prefixed as standard
channels, they can be detected using certain utilities.
This is a security hazard.
BSSID & SSID are the workgroup names given internally.
Some access points openly broadcast these SSID/BSSID
to authorized users, which enables the intruder to steal
it and assume the identity of an authorized user.
Does that mean wireless today has no security at all?
Users must follow a code of strict discipline while
using WLANs. One should take extra precautions towards
the wireless PC connectivity devices. Wireless USB adapters
and wireless PC cards would become as valuable as the
office door key. Here are some key guidelines.
Some vendors ship products with WEP control disabled.
Verify that this control is available in each access
point you buy.
Disable open broadcast of SSID/BSSID from the access
128- or 256-bit encryption provide high levels of
security. Insist on minimum 256-bit encryption.
Change your Internet password every 15 days. It is
advisable to change the WEP encryption key regularly.
There is a MAC address table in each access point. Typically
64 MAC addresses can be stored. Access by other MAC
addresses can be denied. Thus packets from unauthorized
users holding different MAC addresses will be dropped
by the access point itself.
Some users may not find these security measures adequate.
There are two very logical solutions. One is to build
more security before the signal gets into the wired
network. This means building more complex security algorithms.
But this reduces the effective bandwidth, which is very
limited as compared to a wired network. This also demands
more processing power at every PC connecting device
and on the access point. This leads to increase in cost,
which is much higher than the 100 Mbps wired network.
There are new standards proposed and some products with
proprietary protocols are available. The second approach
is to build more security at the entry-point into the
wired network. This is prudent because then the network
becomes independent of devices and different wireless
standards (802.11a, 802.11b, 802.11g, 802.1x.)
The golden rule is to secure the interface between the
wireless and wired network. This is very much similar
to the Internet entry point of the network. You can
build all the necessary protection at that point. You
can use some of the existing security mechanisms for
wired networks. For example, you can use a switch with
intrusion control detection capability to detect packets
from the wrong MAC address. You can also use normal
SNMP software to alert the network administrator.
Having followed these basic practices you can go on
enhancing security measures. If you have the authentication
process set on your wired network, you need a controlling
device, which can make traffic from all access points
follow that without choice. Thus all the resources behind
the access point get all the security existing on the
wired LAN and that is the ultimate security that is
REALISING ULTIMATE SECURITY
The device should communicate with an internal policy
server before allowing any resource on the network.
Create server access control and activity logs in the
server for all users.
Check the password on the security server. Store the
passwords on the security server. Let this server support
any authentication processes set by the wired network.
Make the solution totally independent of wireless technology
or the protocol used. So instead of using proprietary
standards in wireless it is better to depend on open
Keep logs and manage access control to the level of
"When? Where? How long?"
The writer is Country Manager, SMC Networks,
India. He can be reached at firstname.lastname@example.org