Chapter 3: Securing Your WLAN

In This Chapter

Finding out why using a secure WLAN is good practice

Checking out various security risk mitigation methods

Securing your management interface

To work with wireless networking, you need to know how to utilize the many options available to secure various aspects of your wireless network so that your data and private information remain private. Unlike wired networks, with wireless, you can never be sure where the users might be, which complicates network security. You can choose from many methods to secure wireless signals, such as Wi-Fi Protected Access (WPA) and WPA2; or to secure the entire wireless local area network (WLAN) or service set identifier (SSID), such as isolation via virtual local area networks (VLANs) or physical separation of the entire WLAN infrastructure.

In this chapter, I review some of the risks that you have to deal with and discuss the steps that you can take to reduce them.

Give the contents of this chapter a lot of thought prior to deploying your wireless network within your organization. Wireless security is even more important than most other areas of network security because a wireless network can be attacked from outside your organization’s premises.

This chapter helps you assess your own organization’s security requirements and data risk levels so that you can more easily develop a security model for your wireless implementation that is flexible for your users and secure for your data.

Understanding the Benefits of a Secure WLAN

The reason to secure your WLAN is pretty self-evident: To protect your data from prying eyes who may be a fair distance from your wired network connections.

Finding balance between functionality and security

Although inherent security risks are present with practically everything you do in life, steps can be taken to reduce them. If you are going for a walk in a strange town, you might stay on well-lit roads, carry only a limited amount of cash and credit cards, walk with other people, and stay aware of your surroundings. All these things may limit what might happen to you on your walk. Taken to more of an extreme, you can always choose to not go on the walk at all.

In the computer world, if you do not network your computers, you reduce, or all but eliminate, the risk of what can happen to your computer by undesirable elements, but you also reduce its functionality. So, security and functionality are tradeoffs for one another — at least to a degree. You can add a modem or a network card, attach your computer to other computers to share data, perform remote operations, and mitigate the risk of having these computers connected to each other and possibly the Internet by using antivirus software, software and hardware firewalls, intrusion-detection software and hardware, and other security and monitoring devices.

When you decide to add a wireless network to this mix, you have many of the same issues, but these issues are compounded because people can have local access to the network without actually being within physical access of your hardware (in your building or offices). Again, the added functionality of mobility needs to be weighed against the added risks of remote users exploiting security holes and getting to your private data.

Recognizing security risks

As with any wired network, any number of attacks can be perpetrated if an unauthorized computer is allowed to connect to your network. On secure wired networks, all unauthorized ports on network switches are disabled or disconnected; there is no equivalent on a wireless network, where the access point (AP) radio is simply either on or off.

Unauthorized access: When a computer is on your network, it can sniff packets, perpetrate man-in-the-middle attacks, spoof valid network packets, capture passwords and other sensitive information, and cause a denial-of-service (DoS) attack. Controlling which computers are allowed to connect to your network can reduce your exposure to these security issues.

Insecure equipment: Most networks have removed all their network hubs and replaced them with switches. Switches are more secure because they treat each switch port as a separate collision domain (in the carrier sense multiple access with collision detection [CSMA/CD] sense): when a device on port 1 sends frames to a device on port 2, and both MAC addresses are known to the switch, those frames travel only along the cables connected to port 1 and port 2. When a hub is used, however, the frame travels to every device connected to every port on the hub.

Insecure APs: When dealing with wireless networks, an AP operates in the same manner as a hub, so all devices that are connected wirelessly to an AP radio can see all traffic that is sent on that radio. If a device is allowed to join a wireless network, it can perpetrate any number of attacks on the devices connected to the same AP as well as other attacks that only require it to be on the same network segment.

Some of the new standalone APs (such as the Cisco Aironet 3500 Series APs) and the Cisco Wireless LAN Controller (WLC) support the ability to isolate clients from each other. Although this is not truly isolation from the radio frequency (RF) perspective, it does allow for better security in situations where wireless security is your absolute highest priority. There is a cost, though: it keeps wireless clients from talking to each other over the wireless network. This feature is useful in locations, such as coffee shops and common areas, where all wireless users want to get on the Internet but rarely need to transfer files between each other.

Checking Out Security Risk Mitigation Methods

When working with most wireless networking equipment, you have the following ways to protect your network data:

Authentication and data encryption

Media Access Control (MAC) address filtering

Hiding the service set identifier (SSID)

Intrusion detection and prevention

User isolation using VLANs

The following sections examine these options in detail.

Authentication and data encryption

Authentication and data encryption together form a large topic, and three main methods handle them. I start with the oldest option, which everyone seems to have finally heard about, and then move on to the newer options. These provide substantially better security but are a little more work to set up, which is likely the reason their adoption has been slow, though it is improving.

Reviewing WEP

One of the first major complaints that arose from wireless networking was from the security community. Quite rightly, the complaint was that with RF signals being broadcast over the air, nothing could stop someone from reaching out and grabbing them. At least with wired networking, a person had to be connected physically to the same hubs or switches to eavesdrop on a network conversation.

To deal with this issue, Wired Equivalent Privacy (WEP) was introduced. The goal of WEP is to provide the same level of privacy that you would have if you were still connected to a wired network. The goal was good; however, as with a better-built mousetrap, you end up with smarter mice.

The basis of WEP involves two sets of mechanisms:

Authentication: You need to prove your identity before participating in the network.

Encryption: Everything you send over the airwaves should be encrypted.

The basis of WEP encryption is an encryption key, which is typically either 64-bit WEP or 128-bit WEP. With 64-bit WEP, you use a 40-bit key that is joined with a 24-bit initialization vector (IV) to seed the RC4 (Rivest Cipher 4) stream cipher. 128-bit WEP uses a 104-bit encryption key, which is joined with the same 24-bit IV to seed RC4.

An encryption key is a string of text that is used in a cipher (or process) to encrypt data. Ciphers have been around for thousands of years and typically derive their encryption strength from the strength of the key and the strength of the cipher process itself. If the cipher is strong enough, the only way you can read the data is to know the cipher and have the key. During WWII, the Germans created a cipher machine, dubbed the Enigma machine, with replaceable key wheels (or rotors). Allied forces captured several Enigma machines during WWII, but until they captured a book that listed which key wheels to use on which date, the machine was useless for directly reading German coded messages. In that situation, the encryption key is made up of the replaceable key wheels, and the cipher was the process that the machine used to internally code the messages based on the current key configuration.

Although WEP gives you a quick and efficient way to encrypt and decrypt traffic at high speed, it has some serious flaws. Even if you cannot read the data, you can still capture data packets off a wireless network because they travel over the air. One of the issues is that the IV must be unique for every packet that is sent over a time period, and because the IV is only 24 bits long, it can start repeating in as little as 5,000 packets, so it is not as random or secure as it could be. WEP has consistently been proven to be broken in as little as one minute and can be broken with readily available software. Given this, WEP is not considered to be reliably secure for networks. Payment Card Industry (PCI), which sets standards for credit and debit card transactions, prohibits the use of WEP in any part of a credit card transaction.

WEP authentication can be configured as an open system, which does not require authentication but rather starts a conversation with any device. That device must still know the WEP key if encryption is enabled.

If shared key authentication is used, all devices start their communication with the AP with a four-way handshake process, as shown in Figure 3-1:

1. The client sends an authentication request.

2. The AP sends a challenge (a random piece of data) to the client.

3. The client then encrypts the challenge by using the WEP key and returns it to the AP.

4. The AP decrypts the data it receives and compares it with the data it sent in the initial challenge. If the data matches, the device is sent an acknowledgment; if it does not match, it is sent a refusal.

If the client is authenticated, it can start sending data to the AP, likely encrypting it using its WEP key.
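The following Python script is an added example, not code from the book or from any vendor. It models the shared-key exchange above with both sides in one function, using a textbook RC4 and the WEP construction of seeding the cipher with the 24-bit IV followed by the key, and it also demonstrates the IV weakness described earlier: the birthday bound on a 24-bit IV space, and the fact that two packets sent under the same IV share a keystream. The CRC-32 integrity value is left out, the 128-byte challenge is simplified, and the key and packet contents are constructed.

```python
import math
import os
from typing import List, Optional, Tuple


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling (KSA) followed by keystream generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """WEP per-packet encryption: RC4 seeded with IV || key, then XOR.
    The 3-byte IV travels in the clear ahead of the ciphertext, and because
    XOR is its own inverse the same call decrypts. The CRC-32 integrity
    check value that real WEP appends is omitted from this model."""
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("WEP uses a 24-bit IV with a 40-bit or 104-bit key")
    keystream = rc4_keystream(iv + key, len(data))
    return bytes(d ^ k for d, k in zip(data, keystream))


def shared_key_auth(ap_key: bytes, client_key: bytes,
                    challenge: Optional[bytes] = None) -> Tuple[bool, List[tuple]]:
    """The four-step shared-key exchange with both sides modelled here.
    Returns (authenticated, transcript) so each message can be inspected."""
    transcript = [("client->ap", b"authentication request")]        # 1. request
    challenge = challenge or os.urandom(128)                          # 2. 128-byte challenge
    transcript.append(("ap->client", challenge))
    iv = os.urandom(3)                                                # 3. client picks an IV
    response = wep_crypt(client_key, iv, challenge)                   #    and encrypts the challenge
    transcript.append(("client->ap", iv + response))
    ok = wep_crypt(ap_key, iv, response) == challenge                 # 4. AP decrypts and compares
    transcript.append(("ap->client", b"success" if ok else b"refused"))
    return ok, transcript


def packets_until_iv_repeat(iv_bits: int = 24, probability: float = 0.5) -> int:
    """Birthday bound: number of packets after which a randomly chosen IV has
    already repeated with the given probability. For 24 bits this is under 5,000."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(-2 * space * math.log(1 - probability)))


def iv_reuse_leaks_xor(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Two packets under one IV share a keystream, so the XOR of their
    ciphertexts equals the XOR of their plaintexts: information an
    eavesdropper obtains without ever learning the key."""
    c1, c2 = wep_crypt(key, iv, p1), wep_crypt(key, iv, p2)
    ct_xor = bytes(a ^ b for a, b in zip(c1, c2))
    pt_xor = bytes(a ^ b for a, b in zip(p1, p2))
    return ct_xor == pt_xor


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")          # constructed 40-bit WEP key
    ok, transcript = shared_key_auth(key, key)
    for direction, msg in transcript:
        print(direction, msg[:16].hex() + "..." if len(msg) > 24 else msg)
    print("authenticated:", ok)
    print("IV expected to repeat after about", packets_until_iv_repeat(), "packets")
```

The birthday figure is where the chapter's "as little as 5,000 packets" comes from: an AP that picks IVs at random has a 50 percent chance of a repeat well before 5,000 frames, and APs that simply count upward from zero after every reboot do worse.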

Figure 3-1: The four-way WEP handshake process.


Looking at the big picture, when compared to a wireless network with no authentication or encryption services, WEP offers a great deal of protection. However, given WEP’s limitations, it should not be used for sensitive data or on networks that contain sensitive data. Here are some places where this light security option can be beneficial:

Low security environments: For instance, you can use WEP on a system to stream music from your Apple iPod to your IEEE 802.11b wireless speakers. A system like that can be isolated from your home wireless network and does not contain much sensitive data (other than what is on your playlist).

Supporting legacy devices: Another reason you may choose WEP over the other choices is the age of the wireless device you use, or what features it supports. I have many devices around ten years old that are still used on a wireless network. These old devices do not support the newer WPA and WPA2, so I am limited to WEP and managing what access that AP has to the rest of my network resources.

Getting serious with WPA

Due to the limitations of WEP, Wi-Fi Protected Access (WPA) was developed by the Wi-Fi Alliance. WPA makes use of most of the recommendations that are included in the IEEE 802.11i specification, which lays out security standards for wireless networks.

Rather than using a static encryption key like with WEP, WPA makes use of Temporal Key Integrity Protocol (TKIP), which can be implemented easily because it is a minor, but effective, upgrade. Rather than using a plain text IV to create the cipher key as WEP does, WPA combines the IV with a secret root key (which is a stronger encryption key); it also implements a sequence counter — all packets must arrive at the AP in the correct order, or they are rejected. Finally, WPA provides a rekeying function that updates the encryption key and neutralizes people who try to break the key because it changes at regular intervals.

Basically, TKIP manages the encryption process in a manner that is similar to WEP, but it adds an integrity check to verify all arriving packets. There are still many documented attacks that can be successfully carried out on a WPA network using TKIP, and as such, WPA required additional updating, which you see in the following section.

Getting even more serious with WPA2

WPA2 followed WPA and implements all the mandatory elements of IEEE 802.11i, which include a stronger encryption method and a new integrity check mechanism. WPA2 was developed by the Wi-Fi Alliance as a replacement for WPA.

The implementation of Advanced Encryption Standard (AES) increased the level of encryption to a place still considered the safest on the market. The initial key was set with either certificate-based authentication (using standard SSL public/private key pairs) or a shared secret (a string known by all parties in the encryption system). When security is initialized with a shared secret, entrance to the secured network provides a breach point (anyone who knows the key), whereas certificate-based authentication provides a less vulnerable option. Certificate-based authentication is available when using enterprise-mode authentication, whereas shared secret — also called a pre-shared key (PSK) — is used for personal-mode authentication.

The key difference between enterprise-mode and personal-mode authentication is that in the enterprise environment, the Remote Authentication Dial In User Service (RADIUS) services are provided to the network and available to be used with WPA2 authentication. A RADIUS server is an Authentication, Authorization, and Accounting server on your network. The RADIUS server works with an account database to validate user credentials for devices that support the RADIUS protocol in a secure and encrypted manner.
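As an added example (not code from the book or from any vendor), the Python below shows where the personal-mode key actually comes from and how the per-session key is then derived from it, following IEEE 802.11i: the passphrase and SSID are stretched with PBKDF2-HMAC-SHA1 into the 256-bit PSK, which serves as the pairwise master key (PMK), and the four-way handshake derives the pairwise transient key (PTK) from the PMK, both MAC addresses and both nonces. The passphrase "password" with SSID "IEEE" is the published 802.11i test vector; the MAC addresses and nonces are constructed. In enterprise mode the PMK instead arrives from the RADIUS server for each session.

```python
import hashlib
import hmac
import os


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes).
    The SSID is the salt, so the same passphrase on two networks yields two different keys."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("an 802.11i passphrase is 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode(), 4096, 32)


def prf_80211i(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """PRF-n from 802.11i: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...,
    concatenated and truncated to nbits."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes,
               anonce: bytes, snonce: bytes) -> dict:
    """Four-way handshake key derivation for CCMP (384-bit PTK).
    Addresses and nonces are sorted so both sides compute the same key
    regardless of which role they play."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf_80211i(pmk, b"Pairwise key expansion", data, 384)
    return {"KCK": ptk[:16],     # key confirmation key: authenticates handshake messages
            "KEK": ptk[16:32],   # key encryption key: wraps the group key
            "TK": ptk[32:48]}    # temporal key: the AES-CCMP data key


if __name__ == "__main__":
    psk = wpa2_psk("password", "IEEE")          # 802.11i test vector inputs
    print("PSK:", psk.hex())
    ap, client = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # constructed MACs
    keys = derive_ptk(psk, ap, client, os.urandom(32), os.urandom(32))
    for name, k in keys.items():
        print(name, k.hex())
```

Because every client on a personal-mode network holds this same PSK, changing the passphrase changes the key for everyone at once, which is why the chapter calls the shared secret a breach point. In enterprise mode the PMK is delivered per session from the RADIUS server after the user authenticates, so one user's credentials can be revoked without touching anyone else.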

AES encryption can be managed with various key lengths from 128 bits to 256 bits.

As with most encryption methods, longer keys mean more security at the cost of some level of performance. Because the performance hit is minimal, the limiting factor is often devices that do not support the higher security levels. If that is the case for you, consider replacing those devices or upgrading their drivers.

To replace the TKIP integrity checks, WPA2 introduced Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) as the integrity-checking mechanism. Technically, CCMP performs all encryption and integrity checking, but I have broken it out here as the encryption mechanism for AES.

Although AES encryption is mandatory for WPA2, some WPA implementations allow it to be used as the encryption mechanism as well. You also sometimes see WPA2 with TKIP as an option; however, this does not replace AES for encryption but rather replaces CCMP as the integrity-checking mechanism. AES is then left as the encryption mechanism (as it is a mandatory component of WPA2). Regardless of the options you may be presented with, always use the highest security possible on your network and replace devices that lower it.

If you care about your data on your network, always use encryption. If you are going to use encryption, always use the strongest encryption method that is available to you. If choosing WPA2 is not an option because of network devices not offering WPA2 support, consider replacing those devices if you consider your data more important than the functionality you get from the device.

Filtering the MAC address

When attempting to secure a wireless network, in addition to encryption and authentication of WEP and WPA, you can also keep users from connecting to your WLAN if they do not have a registered or authorized MAC address associated with their network card. In addition to adding a list of authorized MAC addresses to the individual APs that make up your wireless network, you can centrally maintain a list of authorized MAC addresses via a RADIUS server.

Because many operating systems allow you to locally set your MAC address on your network card, this security is only light security — like WEP. If an intruder knows a valid MAC address on your network, either by social engineering or by capturing wireless network frames, he can use that to gain access to your network by manipulating his own MAC address. You will see a noticeable issue only if the real computer is on the network at the same time.

I still know many home users who go through the extra work of authorizing MAC addresses on their wireless network even after I suggest eliminating that practice and instead using the more secure and easier-to-administer WPA2. Some of these home users have not even implemented simple encryption like WEP and rely solely on the ability to block unauthorized MAC addresses on their network. If you think that is bad, consider that I sometimes have the same conversation with IT staff in corporate environments as well.
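To show the one symptom the chapter says you will notice, here is an added Python example (not from the book or from any vendor) that reads constructed AP association log lines, checks each associating address against an allow-list, and flags a MAC address that stays associated on two APs at once for longer than a roaming grace period. The log format, AP names, addresses and the 10-second grace period are all assumptions. A copied address used while the real device is off the network produces no finding, which is exactly the limitation described above.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed allow-list and association log; real logs use whatever format your AP or WLC emits.
ALLOWED_MACS = {"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f"}
ROAM_GRACE = timedelta(seconds=10)  # how long a client may legitimately overlap two APs while roaming

SAMPLE_LOG = """\
2011-03-01T10:00:01 ap-lobby assoc 00:1a:2b:3c:4d:5e
2011-03-01T10:00:02 ap-lobby assoc 00:1a:2b:3c:4d:60
2011-03-01T10:04:00 ap-lobby assoc 00:1a:2b:3c:4d:5f
2011-03-01T10:05:00 ap-floor2 assoc 00:1a:2b:3c:4d:5f
2011-03-01T10:05:03 ap-lobby disassoc 00:1a:2b:3c:4d:5f
2011-03-01T10:20:00 ap-floor2 assoc 00:1a:2b:3c:4d:5e
2011-03-01T10:20:30 ap-lobby assoc 00:1a:2b:3c:4d:5e
"""


def parse_line(line: str):
    """'<ISO timestamp> <ap name> <assoc|disassoc> <mac>'"""
    ts, ap, event, mac = line.split()
    return datetime.fromisoformat(ts), ap, event, mac.lower()


def analyze_associations(log_text: str, allowed=ALLOWED_MACS, grace=ROAM_GRACE) -> List[str]:
    active: Dict[str, Dict[str, datetime]] = defaultdict(dict)  # mac -> {ap: since}
    pending: Dict[str, datetime] = {}   # mac -> when it first appeared on a second AP
    reported = set()
    findings: List[str] = []

    def expire(now: datetime) -> None:
        # A second association not followed by a disassociation within the grace
        # period is not a roam: the same address is live in two places at once.
        for mac, since in list(pending.items()):
            if now - since >= grace:
                if len(active[mac]) > 1 and mac not in reported:
                    findings.append(f"{mac} active on {sorted(active[mac])} for more than "
                                    f"{grace.seconds}s: possible duplicated/spoofed address")
                    reported.add(mac)
                del pending[mac]

    last = None
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        now, ap, event, mac = parse_line(raw)
        expire(now)
        if event == "assoc":
            if mac not in allowed:
                findings.append(f"{mac} associated to {ap} but is not on the allow-list")
            active[mac][ap] = now
            if len(active[mac]) > 1 and mac not in pending:
                pending[mac] = now
        elif event == "disassoc":
            active[mac].pop(ap, None)
        last = now
    if last is not None:
        expire(last + grace)   # settle anything still pending at the end of the log
    return findings


if __name__ == "__main__":
    for finding in analyze_associations(SAMPLE_LOG):
        print(finding)
```

In the sample, 00:1a:2b:3c:4d:5f roams from the lobby AP to the second floor and drops off the old AP three seconds later, so it is not reported; 00:1a:2b:3c:4d:5e stays live on both APs, which is the duplicate-address symptom worth investigating.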

Hiding the service set identifier (SSID)

Each WLAN AP sends regular broadcasts that include the name of the network, or SSID. Knowing the SSID of a network allows you to connect to the network. Most APs allow you to disable the broadcasting of the SSID, which prevents people from knowing your network name and makes it difficult for them to connect to your network. Tools, such as Network Stumbler or MetaGeek’s inSSIDer (see Figure 3-2), monitor RF WLAN signals and can easily identify whether WLAN networks exist in your area. Other tools, such as Aircrack, can help you identify the SSID and even locate their WEP encryption keys. inSSIDer in Figure 3-2 shows a Cisco Systems access point with a hidden SSID, as opposed to the ones I hid in the image.

Figure 3-2: inSSIDer shows your 802.11 neighbors.


As with MAC address filtering, disabling the SSID broadcast does not provide you with strong security; it only keeps the casual passerby from connecting to your WLAN. If they really want in, they likely already have the tools they need readily available.

Intrusion detection and prevention

An intrusion detection system (IDS) and an intrusion prevention system (IPS) monitor network traffic to and from the IDS or IPS systems to locate devices that attempt to infiltrate your network. When people attempt to gather information about your network, they run tools that leave a signature on your network or they send specific types of traffic to devices on your network. Having devices online for intrusion detection and prevention allows you to see who is scanning so that you can locate and block them.

When the IDS reacts to the intrusion and attempts to block the attempt automatically, the system is usually referred to as an IPS. The IDS detects only intrusion attempts, so think of it as an alarm, whereas IPS is an alarm and a security guard.

Most network equipment vendors, such as Cisco, have a full range of IDSs and IPSs that run either on a network gateway or inside the network as a standalone appliance, such as the Cisco IPS 4200 Series Sensor. These systems range in price based on the features they offer and how they integrate into the network. Cisco’s products in this category are all IPS systems, and you can locate information about them through www.cisco.com by clicking the Security link and then clicking the IPS link.
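An added Python example, not code from the book, from Cisco or from any IPS product: the simplest kind of signature the section refers to, a single source touching many distinct ports on one host within a short window, detected over constructed firewall-style log lines. Run in ids mode it only raises an alert; in ips mode it also blocks the source and drops its later packets, which is the alarm-versus-security-guard distinction made above. The log format, addresses, 60-second window and 8-port threshold are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Set, Tuple

# Constructed log lines: "<timestamp> <src> -> <dst>:<port> <tcp flag>"
SAMPLE_LOG = """\
2011-03-01T12:00:00 10.1.5.40 -> 10.1.1.10:443 SYN
2011-03-01T12:00:01 10.1.5.23 -> 10.1.1.10:21 SYN
2011-03-01T12:00:01 10.1.5.23 -> 10.1.1.10:22 SYN
2011-03-01T12:00:02 10.1.5.23 -> 10.1.1.10:23 SYN
2011-03-01T12:00:02 10.1.5.23 -> 10.1.1.10:25 SYN
2011-03-01T12:00:03 10.1.5.23 -> 10.1.1.10:80 SYN
2011-03-01T12:00:03 10.1.5.23 -> 10.1.1.10:110 SYN
2011-03-01T12:00:04 10.1.5.23 -> 10.1.1.10:135 SYN
2011-03-01T12:00:04 10.1.5.23 -> 10.1.1.10:139 SYN
2011-03-01T12:00:05 10.1.5.23 -> 10.1.1.10:443 SYN
2011-03-01T12:00:05 10.1.5.23 -> 10.1.1.10:445 SYN
2011-03-01T12:00:06 10.1.5.40 -> 10.1.1.10:443 SYN
2011-03-01T12:00:07 10.1.5.40 -> 10.1.1.10:443 SYN
"""

LINE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")


def inspect(log_text: str, mode: str = "ids",
            window: timedelta = timedelta(seconds=60),
            threshold: int = 8) -> Tuple[List[str], Set[str], int]:
    """Sliding-window port-scan signature.
    ids: report only. ips: report, then block the source and drop its later traffic.
    Returns (alerts, blocked sources, packets dropped)."""
    if mode not in ("ids", "ips"):
        raise ValueError("mode must be 'ids' or 'ips'")
    recent = defaultdict(deque)     # (src, dst) -> deque of (time, port) inside the window
    alerted: Set[Tuple[str, str]] = set()
    alerts: List[str] = []
    blocked: Set[str] = set()
    dropped = 0
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, src, dst, port, _flag = m.groups()
        now = datetime.fromisoformat(ts)
        if src in blocked:               # only ever non-empty in ips mode
            dropped += 1
            continue
        q = recent[(src, dst)]
        q.append((now, int(port)))
        while now - q[0][0] > window:    # forget hits older than the window
            q.popleft()
        distinct_ports = {p for _, p in q}
        if len(distinct_ports) >= threshold and (src, dst) not in alerted:
            alerted.add((src, dst))
            alerts.append(f"{ts} {src} touched {len(distinct_ports)} distinct ports on {dst} "
                          f"within {window.seconds}s: port scan signature")
            if mode == "ips":
                blocked.add(src)
    return alerts, blocked, dropped


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        alerts, blocked, dropped = inspect(SAMPLE_LOG, mode)
        print(f"[{mode}] alerts={alerts} blocked={sorted(blocked)} dropped={dropped}")
```

The threshold and window are the tuning knobs a real sensor exposes: set them too low and a busy file server triggers alerts, too high and a slow scan spread over minutes never reaches the threshold within one window.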

Isolating users with VLANs

I discuss virtual local area networks (VLANs) in Book III, Chapter 5, but here I tell you even more about the wonders of this separation technology. You can implement VLANs in several ways when working with your wireless LAN (see Figure 3-3). VLANs allow you to

Separate different types of traffic based on the SSID to which they connect.

Provide isolation between more secure and less secure clients when required to support clients that do not support the maximum security settings of the WLAN. A less secure SSID can be used only for the lower security clients; ACLs can then be used on the routers and firewalls to control their access.

Provide guest Internet access out of your office while keeping these clients from accessing internal resources. These clients may get their access through a separate interface on your firewall, a separate firewall, or a secondary Internet service provider (ISP) connection rather than your main connection.

Provide access to the management interfaces on network devices. Most network devices allow management to be conducted over a separate VLAN, which keeps this traffic away from less secure VLANs.

If you follow the flow from the wireless clients at the bottom of Figure 3-3 to the Internet connections at the top, you can see that

Each wireless computer has a connection to a different SSID.

All SSIDs are hosted on the same lightweight (LWAPP) AP, but each SSID is associated with a different VLAN; the traffic on these VLANs can be passed to the controller over a single network connection.

Traffic is passed in separate VLANs to the controller. The controller takes care of functions, such as decrypting WPA2 data and passing the data frames onto the wired network.

Still on separate VLANs and using a single network connection, the traffic is passed onto a switch where VLAN traffic is separated into virtual networks, each with their own servers and network resources.

All three of these virtual networks get their outside access through an ASA firewall, which can split the traffic from different VLANs across dual connections to two ISPs. This provides load balancing and fault-tolerant service.

Figure 3-3: A sample network with isolated VLANs.


Securing the Management Interface

The management interface on APs is just as important, or even more important, than other networking devices that are secured behind locked doors. In this section, I introduce you to several things you can do to secure these interfaces.

Changing default passwords

All network devices — switches, routers, WLAN controllers, or access points — ship with a default system configuration that includes IP address configuration, SSID, users, and an administration password. Because this information is documented in the device’s owner’s manual and on the manufacturer’s Web site, change these items prior to deploying these devices on your network; otherwise, unknown people can change your device configurations. Chapter 4 of this minibook takes you through the process of setting up a Cisco WLC, and during that process, you see how to change these required settings.

Years ago, default passwords were not a major concern. Many APs were deployed with default SSIDs, which allowed the manufacturer of the AP to be identified and its default username and password to be looked up. This led to security breaches on those networks. Most manufacturers now stress that security is important and, in some cases, require all configurations to be set up manually before the AP or network device can be used.

Some professionals deploy access points in areas where there is already a high concentration of wireless networks, and then connect to neighboring devices and configure them to cause less interference for the devices they deploy. How do they do this? Well, to put it simply, the other devices are deployed with no WEP and have the default username and password. Although I do not agree with this behavior, if the other company has not taken basic steps to secure its network, the company is open to it.

Even if you deploy WPA2 for your users, if you have not changed the default password for your devices, nothing stops your own users from connecting to your access point or WLC. After you connect to your wireless devices, your users may add a new SSID to your network; allow their unauthorized handheld devices onto the network; or reset the wireless device back to factory default settings. The actions of these users could be accidental or malicious, and thus, either disruptive or detrimental to the network operation and security.

Getting even more secure with SSH, SSL, TLS, HTTPS

Secure Shell (SSH), Secure Sockets Layer (SSL), Transport Layer Security (TLS), and HyperText Transfer Protocol over SSL/TLS (HTTPS) represent technologies that can be used to secure communication between a client and a server. Each has proven itself as a method of securing wired or wireless data and keeping it safe. When using wireless networking, use the following:

Secure Shell: SSH is the secure replacement for Telnet. Unlike Telnet, which transmits its data in clear text over the network, SSH encrypts all data that it sends between clients and servers. SSH also allows you to authenticate with either a username and password, or by using certificate-based authentication. SSH has become the de facto standard when communicating with UNIX/Linux servers and network devices, such as routers and switches. In the WLC/AP environment, SSH can be used as a secure way to reach the management command-line interface for these devices. Always use SSH over Telnet for this type of access.

Secure Sockets Layer: SSL was developed by Netscape and was established as a standard for HTTP traffic encryption. SSL has since been enhanced and replaced by TLS.

Transport Layer Security: TLS is the standard method of encrypting client/server data that starts with a key exchange, authentication, and the implementation of standard ciphers. Many IP-based protocols, such as HTTP (HTTPS), Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3), File Transfer Protocol (FTP), and Network News Transfer Protocol (NNTP), support TLS to encrypt data.

Because most major protocols support TLS, when using these protocols over wireless, use TLS if the server supports it. In many cases, the terms SSL and TLS are used interchangeably, even though the technology in use is usually the newer TLS.

HyperText Transfer Protocol over SSL/TLS (HTTPS): As the name suggests, HTTPS implements standard HTTP but encrypts all the data transfers with client devices. This is why your online banking websites all require you to use HTTPS when dealing with them. Your WLC and APs allow you to make configuration changes from your favorite web browser. Often by default, they have HTTP access enabled out of the box. Although HTTP access is available, when unencrypted, it allows for people with tools, such as Wireshark (a network packet capture tool introduced in Book I, Chapter 4), to capture your user credentials that you use to manage your WLC and APs. This is a serious security breach that is solved by enabling HTTPS. Most devices on the market that support HTTP access for management also support HTTPS access, and typically it is enabled with a simple click in a check box of the management web page.

Management access

When dealing with a residential-grade access point, you usually have only one networking interface and this interface is used for data access and management. When dealing with commercial- or enterprise-grade access points, they usually can support VLANs on the AP. Supporting VLANs at the AP allows you to support several service set identifiers over a single AP, which are then assigned to separate VLANs to isolate the traffic for each SSID. I discuss this earlier in this chapter in the “Isolating users with VLANs” section.

With VLAN support in your WLC and AP, you can assign the management network interface to a separate VLAN. If the management interface is on a separate VLAN, security can be assigned at routers or firewalls to restrict which network devices can connect to the management interface. Some wireless devices can also be set to prevent management access through their wireless interfaces so that a user on the wireless network cannot manage that AP.
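Pulling the points of this section together, here is an added Python example (not from the book or from Cisco) that audits a device's management settings before deployment: factory credentials, Telnet or plain HTTP left enabled, SSH missing, management reachable over the wireless interface, and an SSID placed on the same VLAN as the management interface. The configuration model, the list of factory credentials and the two sample devices are constructed; a real check would read the settings from your AP or WLC.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed examples of the kind of factory credentials printed in owner's manuals;
# populate this set from your own vendors' documentation.
FACTORY_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("admin", "")}


@dataclass
class ManagementConfig:
    name: str
    admin_user: str
    admin_password: str
    mgmt_vlan: int
    http: bool
    https: bool
    telnet: bool
    ssh: bool
    mgmt_over_wireless: bool
    ssids: Dict[str, dict] = field(default_factory=dict)  # ssid -> {"security": ..., "vlan": ...}


def audit(cfg: ManagementConfig) -> List[str]:
    """Return one finding per management weakness; an empty list means nothing to fix."""
    findings: List[str] = []
    if (cfg.admin_user, cfg.admin_password) in FACTORY_CREDENTIALS:
        findings.append("factory administrator credentials still in use")
    if cfg.telnet:
        findings.append("Telnet enabled: credentials cross the network in clear text; use SSH")
    if not cfg.ssh:
        findings.append("SSH disabled: no encrypted command-line management path")
    if cfg.http and not cfg.https:
        findings.append("web management is HTTP only: enable HTTPS")
    elif cfg.http:
        findings.append("HTTP still enabled alongside HTTPS: disable it")
    if cfg.mgmt_over_wireless:
        findings.append("management reachable from the wireless interface: restrict to the management VLAN")
    for ssid, opts in cfg.ssids.items():
        if opts.get("vlan") == cfg.mgmt_vlan:
            findings.append(f"SSID {ssid!r} shares VLAN {cfg.mgmt_vlan} with the management interface")
        if opts.get("security") in ("open", "wep"):
            findings.append(f"SSID {ssid!r} uses {opts['security']}: acceptable only on an isolated, low-value segment")
    return [f"[{cfg.name}] {f}" for f in findings]


# Constructed sample devices: one as shipped, one after hardening.
FACTORY_STATE = ManagementConfig(
    name="ap-lobby", admin_user="admin", admin_password="admin", mgmt_vlan=1,
    http=True, https=False, telnet=True, ssh=False, mgmt_over_wireless=True,
    ssids={"guest": {"security": "open", "vlan": 1}})

HARDENED = ManagementConfig(
    name="ap-lobby", admin_user="wlanadmin", admin_password="<set from your password manager>",
    mgmt_vlan=99, http=False, https=True, telnet=False, ssh=True, mgmt_over_wireless=False,
    ssids={"corp": {"security": "wpa2", "vlan": 10}, "guest": {"security": "wpa2", "vlan": 20}})

if __name__ == "__main__":
    for cfg in (FACTORY_STATE, HARDENED):
        print(cfg.name, "->", audit(cfg) or ["no findings"])
```

The factory-state device produces a finding for every item this section warns about; the hardened one produces none. Running a check like this against every AP and controller before it goes live turns the section's advice into a repeatable gate rather than a memory exercise.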

Isolating the entire WLAN

Many companies operate a virtual private network (VPN) to allow their users to securely gain access to network resources when operating their mobile computers on a remote and unsecured network. This allows the IT department to isolate the remote computers from the unsecured network that they are on and to connect the remote computer to the corporate network.

With this same mentality, the IT department can operate its wireless network entirely outside of the corporate network, which lessens concerns about unknown wireless users accessing corporate information because the wireless network does not touch the corporate network. For a user to access corporate data, he would establish a VPN connection back to the corporate office through the wireless network. In this case, it is no different than if he was in a coffee shop using his unsecured wireless network. After the VPN connection is established, all network information from the mobile computer is encrypted and secured until it arrives back on the corporate network.

In this isolated WLAN scenario, security of the wireless signal is not as important because all corporate information is secured by the VPN connection. Therefore, whether you have no encryption at all or full WPA2 on the wireless network is not a big deal, but I still recommend using the highest level of encryption because it never hurts to be too secure. If an unauthorized user gains access to the wireless network, she is very limited in what she can do on that network. She can only access what is on the wireless network, which is other wireless clients and the firewall.

When corporate users are on the wireless network, they can either access the Internet or use their VPN solution to make a connection (via a VPN tunnel) back to their corporate network in a secure manner, as shown in Figure 3-4. This is not an uncommon scenario and is one that my company has implemented. So if I am at home, at a coffee shop, or on wireless in my own office and I want to access corporate resources, I just launch my VPN client and connect. Because of the mobility wireless gives me, even when I am at my desk in my office, I tend to connect wirelessly rather than through the available wired connection.

Figure 3-4: Corporate wireless access over a VPN.

