Secure Your Wireless Network

Understanding the threats and how to protect your network against them

Convenience at a Price

The convenience of wireless networks comes with a price though. Wired network access can be controlled because the data is contained within the cabling that connects the computer to the switch. With a wireless network, the “cabling” between the computer and the switch is called “air”, which any device within range can potentially access. If a user can connect with a wireless access point from 300 feet away, then in theory so can anyone else within a 300 foot radius of the wireless access point.

Threats to Wireless Network Security

  • Rogue WLAN’s – Whether your enterprise has an officially sanctioned wireless network or not, wireless routers are relatively inexpensive, and ambitious users may plug unauthorized equipment into the network. These rogue wireless networks may be insecure or improperly secured and pose a risk to the network at large.
  • Spoofing Internal Communications – An attack from outside of the network can usually be identified as such. If an attacker can connect with your WLAN, they can spoof communications that appear to come from internal domains. Users are much more likely to trust and act on spoofed internal communications.
  • Theft of Network Resources – Even if an intruder does not attack your computers or compromise your data, they may connect to your WLAN and hijack your network bandwidth to surf the Web. They can leverage the higher bandwidth found on most enterprise networks to download music and video clips, using your precious network resources and impacting network performance for your legitimate users.

Protecting Your Network from Your WLAN

The improved security is an excellent reason to set your WLAN up on its own VLAN. You can allow all of the wireless devices to connect to the WLAN, but shield the rest of your internal network from any issues or attacks that may occur on the wireless network.

Using a firewall, or router ACL (access control lists), you can restrict communications between the WLAN and the rest of the network. If you connect the WLAN to the internal network via a web proxy or VPN, you can even restrict access by wireless devices so that they can only surf the Web, or are only allowed to access certain folders or applications.

Secure WLAN Access

Wireless Encryption
One of the ways to ensure unauthorized users do not eavesdrop on your wireless network is to encrypt your wireless data. The original encryption method, WEP (wired equivalent privacy), was found to be fundamentally flawed. WEP relies on a shared key, or password, to restrict access. Anyone who knows the WEP key can join the wireless network. There was no mechanism built in to WEP to automatically change the key, and there are tools available that can crack a WEP key in minutes, so it won’t take long for an attacker to access a WEP-encrypted wireless network.

While using WEP may be slightly better than using no encryption at all, it is insufficient for protecting an enterprise network. The next generation of encryption, WPA (Wi-Fi Protect Access), is designed to leverage an 802.1X-compliant authentication server, but it can also be run similar to WEP in PSK (Pre-Shared Key) mode. The main improvement from WEP to WPA is the use of TKIP (Temporal Key Integrity Protocol), which dynamically changes the key to prevent the sort of cracking techniques used to break WEP encryption.

Even WPA was a band-aid approach though. WPA was an attempt by wireless hardware and software vendors to implement sufficient protection while waiting for the official 802.11i standard. The most current form of encryption is WPA2. The WPA2 encryption provides even more complex and secure mechanisms including CCMP, which is based on the AES encryption algorithm.

To protect wireless data from being intercepted and to prevent unauthorized access to your wireless network, your WLAN should be set up with at least WPA encryption, and preferably WPA2 encryption.

Wireless Authentication
Aside from just encrypting wireless data, WPA can interface with 802.1X or RADIUS authentication servers to provide a more secure method of controlling access to the WLAN. Where WEP, or WPA in PSK mode, allows virtually anonymous access to anyone who has the correct key or password, 802.1X or RADIUS authentication requires users to have valid username and password credentials or a valid certificate to log into the wireless network.

Requiring authentication to the WLAN provides increased security by restricting access, but it also provides logging and a forensic trail to investigate if anything suspicious goes on. While a wireless network based on a shared key might log MAC or IP addresses, that information is not very useful when it comes to determining the root cause of a problem. The increased confidentiality and integrity provided are also recommended, if not required, for many security compliance mandates.

With WPA / WPA2 and an 802.1X or RADIUS authentication server, organizations can leverage a variety of authentication protocols, such as Kerberos, MS-CHAP (Microsoft Challenge Handshake Authentication Protocol), or TLS (Transport Layer Security), and use an array of credential authentication methods such as usernames / passwords, certificates, biometric authentication, or one-time passwords.

Wireless networks can increase efficiency, improve productivity and make networking more cost effective, but if they are not properly implemented they can also be the Achilles heel of your network security and expose your entire organization to compromise. Take the time to understand the risks, and how to secure your wireless network so that your organization can leverage the convenience of wireless connectivity without creating an opportunity for a security breach.