Securing the wireless network
Wireless LANs can greatly increase productivity and flexibility
by providing anytime, anywhere access to business networks and systems. The
properties that make wireless LANs so convenient, however, can also leave them
vulnerable to misuse and attack by unauthorised or malicious users, says Suresh
P K
The
rapid growth of wireless LANs in the enterprise demands that enterprises adopt
new security methodologies tailored to the unique requirements and weaknesses
of wireless networks. Like wired network security, wireless network security
also requires a multi-pronged approach. Wireless networks work on radio waves
and they cannot be restricted to an area. Anyone within the coverage area of
the access point will be able to connect to your network. It could be someone
in your neighbour's office curious about your business or someone in the
parking space enjoying a free ride on your Internet connection. A wireless LAN
deployment without appropriate security considerations could create a backdoor
into your fortified wired network. It is essential to identify and acknowledge
security threats and choose a solution that sufficiently mitigates threats to
your network.
Authentication and encryption solution
MAC Address Filtering and WEP are some of the basic methods used for wireless
security. In MAC filtering, access points should be configured with the list
of MAC addresses of the wireless clients that are permitted to connect to the
network. Since a MAC address can be spoofed easily, it will take very little
effort for an attacker to get past this control. WEP, or Wired Equivalent Privacy,
requires that a static key be manually configured on the access points and the
wireless clients like laptops. Any data exchanged between these devices will
be encrypted using the static key. One of the main advantages of WEP is that
it is supported on almost all wireless LAN devices and does not require any
additional components for implementation. Apart from the weak algorithm used
by WEP, the static key has to be manually configured on all devices. This is
an administrative overhead, and usually administrators do not change the key
frequently enough, which gives attackers sufficient time to analyse the traffic
and crack the encryption. WEP is the minimum level of security that any wireless
LAN must have. It is better than giving a free ride to hackers.
A strong wireless security solution should be able to provide strong encryption
and automatic key exchange. IPSec VPN solution is a network layer wireless LAN
security solution that meets these requirements. All the wireless clients will
have VPN client software running and any communication between the client and
the network will be encrypted in an IPSec tunnel, which could be terminated
on a VPN concentrator before the data enters the corporate network through a
firewall. The strength of a VPN solution is that it is a trusted, proven cryptographic
system that has been extensively tested. Moreover, the VPN clients used for
wired access can be used for wireless access also. But IPSec is a layer-3 security
solution, so layer 2 remains open for attackers to disrupt your wireless network:
they can launch attacks against other wireless network users or perform
denial-of-service attacks. Moreover, considerably higher-performance VPN concentrators
will be required to terminate LAN-speed connections to the corporate network.
One of the increasingly popular wireless security solutions
is based on the IEEE 802.1X standard, which enables port-based authentication for
LANs, including Ethernet. The IEEE has also been working for a long time on a
comprehensive security standard for wireless networks that would address all the
weaknesses of WEP. This standard was ratified on 24 June 2004 and is called 802.11i.
Wireless device vendors have started integrating this standard into their products.
But the key challenge with this solution is that not all existing WEP-capable
access points and clients support the AES encryption it uses. Organisations might
have to upgrade their wireless LAN hardware to use an 802.11i solution.
Wireless IDS and IPS
It is mandatory that administrators evaluate the different authentication and
encryption mechanisms and choose the one that suits their environment the best.
But, a strong authentication or encryption mechanism is not sufficient to ensure
complete security.
Wireless networks demand continuous monitoring and it can be difficult for administrators
to ensure that devices adhere to the security policy. Hence, WLAN Intrusion
Detection System (IDS) and Intrusion Prevention Systems (IPS) products have
become an essential component for any wireless LAN deployment. Wireless LAN
IDSs attempt to identify network intrusions and misuse by gathering and analysing
data. Wireless IDSs can monitor and analyse user and system activities, recognise
patterns of known attacks, identify abnormal network activity, and detect policy
violations for wireless LANs, and notify the administrator. Though some
AP vendors build in the ability to detect rogue APs and some basic
wireless LAN security vulnerabilities, these features do not match the extensive
feature sets available in dedicated IDS products, and because they run on the
active APs they can affect the performance of the network. For large deployments,
it is recommended that enterprises choose a standalone wireless LAN IDS
solution.
Typically, a wireless IDS has a central management server and sensors distributed
all across the wireless network. The sensors monitor the network continuously
and update the central server about any issues. Based on this information,
the central server can be configured to take action.
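The following is an added example, not code from the article or from any product it mentions. It models the central-server side of the sensor/server architecture described above and ties it back to the earlier section on authentication and encryption: sensor reports (constructed here, with made-up MAC addresses, SSIDs and sensor names) are checked against a site policy to flag rogue APs advertising the corporate SSID, unknown neighbouring APs, authorised APs still running WEP or open, clients attached to APs outside the inventory, and a duplicate-MAC heuristic (an assumption of this example, not something the article states) that surfaces the kind of address spoofing a MAC filter cannot stop. The labels "OPEN", "WEP" and "WPA2-AES" are constructed shorthand for the security mode a sensor reports.

```python
# Added example (not from the article): minimal "central server" logic for a
# wireless IDS, evaluating constructed sensor reports against a site policy.
# Policy values, sensor names, SSIDs and all MAC addresses are constructed.
from collections import defaultdict
from dataclasses import dataclass

# --- Site policy (constructed for the example) ---
CORPORATE_SSID = "corp-wlan"
AUTHORISED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
# The article treats WEP as the bare minimum and 802.11i/AES as the target;
# this policy accepts only the latter.
ACCEPTABLE_SECURITY = {"WPA2-AES"}
WINDOW_SECONDS = 60   # association reports this close together count as simultaneous


@dataclass(frozen=True)
class APObservation:
    """One beacon or probe response seen by a sensor."""
    sensor: str
    bssid: str
    ssid: str
    security: str          # constructed labels: "OPEN", "WEP", "WPA2-AES"


@dataclass(frozen=True)
class AssocObservation:
    """One client association seen by a sensor."""
    sensor: str
    client_mac: str
    bssid: str
    timestamp: int         # seconds


def analyse(ap_reports, assoc_reports):
    """Return a list of (kind, subject, detail) alerts for the administrator."""
    alerts = []

    # 1. AP inventory: rogue/unknown APs and encryption policy violations.
    for ap in ap_reports:
        if ap.bssid not in AUTHORISED_BSSIDS:
            kind = "ROGUE_AP" if ap.ssid == CORPORATE_SSID else "UNKNOWN_AP"
            alerts.append((kind, ap.bssid,
                           f"{ap.ssid!r} ({ap.security}) seen by {ap.sensor}"))
        elif ap.security not in ACCEPTABLE_SECURITY:
            alerts.append(("POLICY_VIOLATION", ap.bssid,
                           f"authorised AP running {ap.security}, policy requires "
                           f"{sorted(ACCEPTABLE_SECURITY)}"))

    # 2. Clients attached to APs outside the inventory.
    for a in assoc_reports:
        if a.bssid not in AUTHORISED_BSSIDS:
            alerts.append(("CLIENT_ON_ROGUE", a.client_mac,
                           f"associated to {a.bssid} (seen by {a.sensor})"))

    # 3. Duplicate-MAC heuristic (an assumption of this example): a station holds
    # one association at a time, so one MAC attached to two BSSIDs inside the same
    # window suggests a spoofed address that a MAC filter would wave through.
    # A fast roam also looks like this, so treat it as a lead to investigate.
    attachments = defaultdict(set)
    for a in assoc_reports:
        attachments[(a.client_mac, a.timestamp // WINDOW_SECONDS)].add(a.bssid)
    for (mac, _window), bssids in attachments.items():
        if len(bssids) > 1:
            alerts.append(("DUPLICATE_MAC", mac,
                           f"attached to {sorted(bssids)} within {WINDOW_SECONDS}s"))
    return alerts


def alert_kinds(alerts):
    """Sorted alert kinds, convenient for summaries and tests."""
    return sorted(kind for kind, _, _ in alerts)


# --- Constructed sensor reports (two sensors, S1 and S2) ---
SENSOR_AP_REPORTS = [
    APObservation("S1", "00:11:22:33:44:01", "corp-wlan", "WPA2-AES"),  # compliant
    APObservation("S1", "00:11:22:33:44:02", "corp-wlan", "WEP"),       # weak config
    APObservation("S2", "aa:bb:cc:dd:ee:ff", "corp-wlan", "OPEN"),      # rogue
    APObservation("S2", "66:77:88:99:aa:bb", "coffee-guest", "OPEN"),   # neighbour
]
SENSOR_ASSOC_REPORTS = [
    AssocObservation("S1", "02:00:00:00:00:10", "00:11:22:33:44:01", 100),
    AssocObservation("S2", "02:00:00:00:00:10", "aa:bb:cc:dd:ee:ff", 400),
    AssocObservation("S1", "02:00:00:00:00:20", "00:11:22:33:44:01", 200),
    AssocObservation("S2", "02:00:00:00:00:20", "00:11:22:33:44:02", 203),
]

if __name__ == "__main__":
    for kind, subject, detail in analyse(SENSOR_AP_REPORTS, SENSOR_ASSOC_REPORTS):
        print(f"{kind:17} {subject:18} {detail}")
```

Run against the constructed reports, the server raises five alerts: one policy violation for the authorised AP still on WEP, one rogue AP and one unknown neighbouring AP, one client attached to the rogue, and one duplicate-MAC lead for the station seen on two authorised APs three seconds apart. In a real deployment the sensor reports would arrive continuously and the action taken on each alert kind would be configured on the server, as the paragraph above describes.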
Consider the usability and the number of security and performance issues supported
before deciding on a wireless IDS solution. While the cost can be a prohibitive
factor, the advantages of a wireless LAN IDS can easily outweigh it. Perhaps
investment in a good wireless LAN IDS solution can reduce the administration
resource requirements to a large extent and hence bring down maintenance costs.
Suresh P K is a Technical Consultant, RADAR, Information
Security Solution, Ramco Systems Ltd. He can be contacted at: sureshpk@rsi.ramco.com