Wireless LAN security is one of the impediments to implementing WLANs in an organization. But here are some basic guidelines to secure wireless LANs.
by Milind Kamat
Think wireless and the first thought that comes to mind is insecurity. Someone can easily tap into your communications just by driving past your office. But the other side of the coin is that for the military, wireless is the only viable means of communication, and you know how particular military people are about security.
With 128-bit and then 256-bit encryption, intruders
will require tomorrow's supercomputers to decode today's
encrypted messages. So that secures data sent through
wireless networks. What remains are misconceptions about
the technology behind wireless security. Not only the
IT manager, but even governments have their fears, and
hence have hesitated in opening up the wireless spectrum
to the common man.
This article focuses on the Wireless LAN (WLAN) issue,
as it has recently been deregulated by the government,
and is going to make a big impact in the near future.
The article will offer tips on how to make your WLAN
secure enough for business and enterprises.
More than the actual shortcomings of WLAN, it is the wired inertia of the mind towards wireless technology that acts as a barrier. Did you think about that while using a mobile or a cordless phone? Even mobile-to-mobile communication at some point passes over a wire. Similarly, WLAN is to be viewed as an extension of the wired network.
Though WLAN broadly falls under the wireless category, it is still different. WLAN technology is meant for local area networks, not for wide area networks. WLAN is for in-building or campus area coverage of mobile computing users, and not for cellular phones, cordless phones or pagers. WLAN can also offer point-to-point communication between LANs separated by a few miles. WLAN is aimed at customers owning the equipment, and not towards usage charges or the subscriber model.
WLAN IS INESCAPABLE
WLAN is simple to install. But you do need to address
the security issues carefully. According to a Gartner
report published in August 2001, 'rogue' WLANs exist
in about 20 percent of enterprises.
Somebody may already be planning to tap into your WLAN. So it's best to plan for WLAN and take the required measures to secure it. Planning WLAN and its security gives you a fresh look at the wired LAN, and helps you identify and plug security holes in your wired network.
WLAN CHALLENGES
The Internet is becoming the default medium for communications.
Packets of information travel through the Internet,
moving through many unknown networks. And we don't have
control over these packets. The movement of packets
in this fashion is similar to a wireless signal traveling
without your control. When you access the Internet your
network is exposed
to many threats. So by no means are wired networks as
secure as we think.
WLAN shortcomings are similar to those of hub-based
Ethernet networks, a decade ago. Wireless security is
evolving just as security over Ethernet evolved over
a period. The very nature of WLAN makes it intrinsically
more vulnerable than wired LAN.
Over a period of time, people have attempted to secure the network by deploying firewalls. Most networks and firewall locations are not designed to incorporate WLANs. To make things worse, wireless access points are mostly deployed behind the corporate firewall. That calls for a redesign of the network, or the creation and enforcement of policies for wireless users.
Within the 2.4 GHz band there are 11 predefined channels. These channels help avoid collisions and increase effective bandwidth. But since they are fixed as standard channels, they can be detected using certain utilities. This is a security hazard.
BSSID & SSID are the workgroup names given internally.
Some access points openly broadcast these SSID/BSSID
to authorized users, which enables the intruder to steal
it and assume the identity of an authorized user.
Does that mean wireless today has no security at all?
Certainly not.
SECURE SOLUTIONS
Users must follow a code of strict discipline while using WLANs. One should take extra precautions with wireless PC connectivity devices. Wireless USB adapters and wireless PC cards become as valuable as the office door key. Here are some key guidelines.
- Some vendors ship products with WEP control disabled. Verify that this control is available in each access point you buy.
- Disable open broadcast of SSID/BSSID from the access points.
- 128- or 256-bit encryption provides high levels of security. Insist on minimum 256-bit encryption.
- Change your Internet password every 15 days. It is advisable to change the WEP encryption key regularly.
There is a MAC address table in each access point. Typically
64 MAC addresses can be stored. Access by other MAC
addresses can be denied. Thus packets from unauthorized
users holding different MAC addresses will be dropped
by the access point itself.
Some users may not find these security measures adequate. There are two very logical solutions. One is to build more security before the signal gets into the wired network. This means building more complex security algorithms. But this reduces the effective bandwidth, which is very limited compared to a wired network. It also demands more processing power at every PC connecting device and on the access point. This increases cost, which is already much higher than that of a 100 Mbps wired network. New standards have been proposed and some products with proprietary protocols are available. The second approach is to build more security at the entry point into the wired network. This is prudent because the network then becomes independent of devices and of the different wireless standards (802.11a, 802.11b, 802.11g, 802.1X).
The golden rule is to secure the interface between the wireless and wired network. This is very similar to the Internet entry point of the network. You can build all the necessary protection at that point, and you can use some of the existing security mechanisms for wired networks. For example, you can use a switch with intrusion detection capability to detect packets from the wrong MAC address. You can also use normal SNMP software to alert the network administrator.
Having followed these basic practices, you can go on enhancing security measures. If you have an authentication process set up on your wired network, you need a controlling device that forces traffic from all access points through that process without exception. Thus all the resources behind the access point get all the security existing on the wired LAN, and that is the ultimate security that is achievable.
REALISING ULTIMATE SECURITY
The device should communicate with an internal policy server before allowing access to any resource on the network. Create server access control and activity logs in the server for all users. Check passwords against the security server, and store the passwords on the security server. Let this server support any authentication processes set by the wired network.
Make the solution totally independent of wireless technology
or the protocol used. So instead of using proprietary
standards in wireless it is better to depend on open
standards.
Keep logs and manage access control to the level of
"When? Where? How long?"
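As an added example (not from the article or from SMC Networks), the following Python sketch models the controlling device at the wireless/wired boundary described above: it drops frames whose source MAC is not in the 64-entry table, records the alert an SNMP trap to the administrator would carry, and keeps a "When? Where? How long?" access log per user and access point. The class name, access-point ids and MAC addresses are constructed for illustration.

```python
from collections import namedtuple
from datetime import datetime, timedelta

MAX_MAC_ENTRIES = 64  # typical access-point MAC table size stated in the article

# One received frame: who sent it, which access point heard it ("Where?"), and when.
Frame = namedtuple("Frame", "src_mac ap_id timestamp")


class WlanEdgeController:
    """Controller at the wireless/wired boundary (hypothetical name)."""

    def __init__(self, allowed_macs):
        self.allowed = {m.lower() for m in allowed_macs}
        if len(self.allowed) > MAX_MAC_ENTRIES:
            raise ValueError("MAC table holds at most %d entries" % MAX_MAC_ENTRIES)
        self.alerts = []    # what an SNMP trap to the administrator would carry
        self.sessions = {}  # (mac, ap_id) -> (first_seen, last_seen)

    def handle_frame(self, frame):
        """Drop frames from MACs not in the table and alert; track the rest."""
        mac = frame.src_mac.lower()
        if mac not in self.allowed:
            self.alerts.append("%s DROP unknown MAC %s at %s"
                               % (frame.timestamp.isoformat(), mac, frame.ap_id))
            return "drop"
        key = (mac, frame.ap_id)
        first, _ = self.sessions.get(key, (frame.timestamp, frame.timestamp))
        self.sessions[key] = (first, frame.timestamp)
        return "forward"

    def access_log(self):
        """Answer 'When? Where? How long?' per (user, access point) pair."""
        return [{"mac": mac, "ap": ap, "when": first.isoformat(),
                 "how_long_s": int((last - first).total_seconds())}
                for (mac, ap), (first, last) in sorted(self.sessions.items())]


def demo():
    """Run a constructed sequence of frames (sample data, not real traffic)."""
    ctl = WlanEdgeController(["00:11:22:33:44:55", "AA:BB:CC:DD:EE:01"])
    t0 = datetime(2002, 1, 7, 9, 0, 0)
    frames = [
        Frame("00:11:22:33:44:55", "AP-floor1", t0),
        Frame("aa:bb:cc:dd:ee:01", "AP-floor2", t0 + timedelta(minutes=2)),
        Frame("00:11:22:33:44:55", "AP-floor1", t0 + timedelta(minutes=10)),
        Frame("de:ad:be:ef:00:01", "AP-floor1", t0 + timedelta(minutes=11)),  # not in table
    ]
    verdicts = [ctl.handle_frame(f) for f in frames]
    return ctl, verdicts
```

A MAC address travels in the clear and is settable on most adapters, so the table is a coarse filter that backs the authentication process the article recommends rather than replacing it.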
The writer is Country Manager, SMC Networks,
India. He can be reached at milind.kamat@smc-asia.com