| The need for wireless policy has never been greater. 802.11/a/b/g wireless networks (WLANs) [1] have taken the Information Technology world by storm. With 35 million units expected to sell in 2003 and with a predicted growth rate of 50-200% compounded year over year through 2006, wireless is here to stay. The benefits of wireless connectivity in the business world are immense; they come in the form of flexibility, convenience, portability, increased productivity, relatively low cost, and ease of implementation. These benefits are not without an expense, though. The same aspects that make wireless so desirable in terms of usability and productivity can also become an Achilles heel if the proper security measures are not addressed throughout the network's life-cycle.
This is the first of a two-part series that will help create a framework for the most important aspect of any wireless security strategy -- policy development. With a solid policy and active enforcement, a WLAN will not only be useable, it will operate with limited risk and most importantly, it will be secure.
802.11 Threats and the Subsequent Need For Policy
The potential threats to WLANs are numerous. Denial of Service (DoS), session hijacking, and sniffing are just a small sample of the potential attacks. While many of the attacks against wireless networks are similar to those against wired networks, 802.11 networks are generally subject to more threats.
One of the more serious problems is Wired Equivalent Privacy (WEP), the data encryption standard for wireless networks. WEP has been found to have weaknesses [2] and can be "cracked" in as little as a couple of hours.
Another problem is related to the open nature of WLANs. Due to the propagation characteristics of wireless networks, there is limited control of where a signal is accessible. This leads to a situation where, unlike wired networks, a hacker can manipulate or eavesdrop on the network from uncontrolled locations or geographical areas which were not intended to be served when the network was implemented.
WLANs can also create backdoors to wired networks. Many organizations spend thousands or millions of dollars on wired network security with extensive investments in firewalls, VPNs, and other security-enhancing technologies. A single unauthorized (rogue) wireless access point (WAP) connected to a wired network has the potential to create a backdoor to the wired network, circumventing the wired network security and thereby allowing a hacker to effortlessly gain access to a closed network. A wireless policy can help combat these threats. Fortunately, it is never too late to develop a policy, although an early adoption approach is highly effective.
Early Adoption
Policy development should begin in the conceptual stages of a wireless network initiative. The benefits of realizing and addressing the need for security at an early stage in the development process are immense: lower cost, easier implementation, and security from the onset of implementation. To add security after an implementation, new equipment may need to be purchased, the network may need to be logically or physically redesigned or worse -- the network may have been exploited during the period of weak security. If the network has been in operation without security, a policy will still provide numerous benefits, although the benefits will come at a higher cost than if the network had been implemented with security from the onset.
Benefits of a Wireless Policy
A wireless policy will not eliminate the threats to 802.11 networks. But it will help create a proactive environment where the tools, methods, and procedures are in place to deter attackers and combat the threats effectively. A policy establishes a security model for the existing or the soon-to-be-developed network. A good policy creates a set of rules and standards for users, administrators, and managers to follow. The policy can bolster awareness of security and proper usage techniques. It will guide all future wireless implementations, ensuring that expansion efforts are uniform and compatible with existing 802.11 implementation(s). Policy allows network manageability, appoints enforcement authority, and facilitates accountability.
The Essential Components of a Wireless Policy
A security-conscious mindset is the cornerstone to any successful wireless policy. By viewing security as an integral part of the network, a manager can properly integrate security with functionality from the onset. A proactive security approach will greatly improve the security posture of the entire network.
Wireless policy can provide guidance on a wide variety of issues specific to the organization, but there are several issues that should be considered with most wireless network policies:
Note: The following list of policy considerations can be used for both open [3] and closed [4] wireless networks, although some of these considerations will not be applicable to an open wireless network.
Delegation of Authority and Responsibility
The policy should appoint an authority figure who has responsibility and authority of the wireless network. Appointing an authority figure will provide direction, leadership, and accountability for the wireless network(s) through development, implementation and ultimately, operation. This "security manager" will be in charge of all network security functions and will have the authority to appoint other individuals and/or create teams if necessary. This person will also have the ultimate responsibility of ensuring the proper security measures for the network have been deployed, and subsequently, will be the official with the utmost accountability.
It is important to delegate the authority of the wireless network to someone who is also responsible for the network. If the individual is not given a stake in operation of the wireless network, the individual will be less likely to take the measures necessary to ensure the proper functioning of the network. It is also beneficial if the individual appointed is someone who has experience and understands the issues inherent with a wireless network.
Risk Assessment
The policy should require a risk assessment. A risk assessment will determine the threats and vulnerabilities of the organization in relation to WLAN operation. Understanding risks will help protect against unforeseen threats, delays, and costs, as well as allow an adequate number of security features to be implemented. The security manager (the individual who has been delegated authority and responsibility for the wireless network) should employ security measures in conjunction with the risks associated with the 802.11 network. For example, if the network is only used for casual web surfing, the risk of loss in the event of an attack may be minimal. If, though, the network is used for transmission of business sensitive material, classified communications, or supports critical services, the risk of loss in the event of an attack or loss of service may be extensive. A risk assessment needs to be conducted to ensure the scope of the security measures will be adequate for the risks associated with the network. A risk assessment can be scoped to identify data sensitivity, network vulnerabilities, critical services, and personnel deficiencies, among many others. The focus should be to identify potential threats and vulnerabilities in the event that a wireless network is implemented. In some cases, the threats to a wireless network may outweigh the benefits of the technology, in which case the network should not be allowed.
In the event that a WLAN is implemented, the security policy should be developed in concert with the total risk to the network.
Threats and vulnerabilities are ever-changing so risk assessments should be conducted on a regular basis to provide an accurate picture of the total risk to the organization. The policy should therefore define the frequency of risk assessments.
Network Segregation
Policy should require separate and distinct wireless and wired networks so that a security breach on a wireless segment will not as easily affect the wired network(s). Network segregation provides a way to separate the "untrusted" WLAN(s) from the more "trusted" (and usually wired) portions. WLANs usually connect to a wired network at some point to facilitate Internet or Intranet communications, and the convergence of these networks should be separated by a gateway so that wireless communications are not required to traverse the wired network unless necessary. In addition, a filtering device (like a firewall) can be placed between the wired and wireless networks to control and monitor the traffic between the wired and wireless segments. The device will aid in the separation of the networks as well as provide a layer of protection for the networks.
Figure 1: Example of a segregated wireless networkAuthentication
Authentication is essential to the secure operation of an 802.11 network and should be included in the wireless policy. All users of WLANs should be required to authenticate before being allowed to access the network. Authentication provides a means to limit access to a closed resource. There are a number of issues the wireless policy should address in relation to authentication.
Policy should address the authentication standard, method, implementation, and maintenance requirements. First and foremost, policy for wireless network authentication should follow the latest standard. It is highly advisable to follow the standards when selecting an authentication solution (more explanation of the standard in the next section). Conforming to standards is beneficial because it alleviates the risk of implementing a proprietary technology and subsequently committing to a specific vendor.
Secondly, a form of mutual authentication should be defined in the policy (the authentication standard may define this already). With mutual authentication, both the client and the server are authenticated to each other. Mutual authentication primarily adds security by establishing the authenticity of the server, but this method of authentication also enhances security in other ways, such as reducing the ease of rogue network proliferation. Another factor to consider with authentication policy should be ease of implementation and administration. Some forms of authentication, such as Public Key Infrastructure (PKI) [5] solutions, may be secure, but incur extensive implementation and administration overhead.
The policy can also indicate the strength of the authentication, as well as provide guidance as to whom, when and for what resources authentication is required. The policy may define the user and group access levels, how access will be managed, and any necessary implementation specifics.
Confidentiality
A means to assure confidential wireless communications should be defined in the policy. Encryption can provide a secure communication channel for which wireless transmissions can occur without the threat of eavesdropping. Without encryption, it is trivial for a hacker to gather sensitive information transmitted to and from a wireless network. Wireless network signals offer hackers the ability to stealthily gather wireless data in an anonymous manner. A number of issues should be considered when including confidentiality into the policy.
Policy should define a reasonable encryption method so that wireless communications can be transmitted with confidentiality. The basic encryption method employed with 802.11 communications is Wired Equivalent Privacy (WEP). Unfortunately, the WEP algorithm can be decrypted and rendered useless. Nevertheless, WEP offers some protection and should therefore be defined in the policy if no other encryption is possible. To combat the insecurities of WEP, other encryption options are currently available and should be used instead, if possible.
The IEEE 802.11i standards group is currently developing the standard for 802.11 security. The standard is expected to standardize the use of Temporal Key Integrity Protocol (TKIP) as an alternative to WEP. Furthermore, the 802.11i standard will offer Advanced Encryption Standard (AES) as the encryption algorithm of choice. However, at the time of this writing 802.11i is not yet published and security will be needed on the wireless network in the midterm. The WiFi Protected Access (WPA) is a subset of the IEEE 802.11i draft standard and is designed to be forward-compatible with 802.11i when it is finally published. WPA should be followed because conformance to this standard will allow a (hopefully) relatively seamless transition when 802.11i is published. If following WPA or 802.11i is not an option, there are also many other solutions including a Virtual Private Network (VPN). Even the use of the weak WEP encryption will help improve security -- although modestly. While the lack of published standards is deterring, encryption must be included in the policy.
The policy should address the encryption strength, method, implementation, maintenance (such as key rotation), and frequency of use. The strength of the encryption should be chosen based on the sensitivity of data that will be traversing the network -- the more sensitive the data, the higher the encryption factor. The method defines the encryption to be used and the implementation should describe how the encryption will be deployed. The frequency of use should define when the encryption must be used. For example, if a user is dealing with sensitive data, encryption should be mandatory; other situations should be evaluated accordingly.
Availability
To ensure maximum network uptime, wireless availability tests should be defined in the policy both in terms of operation and frequency of execution. Availability of WLANs is essential because productivity is a function of downtime. Wireless availability tests should be conducted before deployment and during 802.11 network operation to ensure adequate signal coverage and an environment that is free of conflicting RF transmissions.
802.11 networks are fraught with Radio Frequency (RF) conflicts and impeders. If availability tests are not defined in the policy and executed in a timely manner, the network may suffer from poor signals in the long-term. One of the problems is that many natural and physical objects cause RF signal degradation, such as trees, rain, earth, buildings, etc. To add to the transmission issues, common devices such as cordless phones, baby monitors, Bluetooth, and microwave ovens transmit on the same frequency as 802.11b/g networks. 802.11a networks operate on currently less trafficked bands, but are still susceptible to interference from newer cordless phones, etc. RF conflicts and/or spotty signal coverage can cause wireless networks to be denied service.
Many tools exist to aid in wireless availability tests. Topology software can be used to identify any naturally occurring obstructions such as hills, valleys, etc which would potentially limit transmissions. Topology tools can work well to identify potential issues before wireless deployment. If topology tools are used, they should be specifically referenced in the policy.
Figure 2: Example of the results of a wireless availability test. This image depicts a wireless signal propagating beyond the building it is indented to serve and onto public streets.
Wireless availability tools will identify locations with weak 802.11 signal strength. 802.11 client software (such as the Cisco Aironet Client Adapter software), can be used to adequately assess signal strength throughout a wireless coverage area. A relatively simple method to conduct availability tests is to walk or drive throughout a wireless coverage area with wireless client software, while noting areas of weak signal strength. Like topology tools, the availability testing tools should be specifically defined in the policy.
The policy should force the execution of wireless availability tests, indicate the specific testing tools, provide a reasonable frequency for which the tests are to be conducted, and define a time-frame for test completion. While wireless networks will undoubtedly encounter interference from time to time, defining availability tests and tools in the policy and the subsequent execution of these tests will help reduce signal loss and improve availability.
NOTE: Due to the wide array of devices operating at the same frequencies and the subsequent ease of denying service, wireless networks should not be used for mission critical applications or services unless absolutely necessary.
Concluding Part One
The upcoming second and final article in this series will continue the discussion of essential components in a wireless policy, including logging, WAP physical security, client-based security, wireless scanning, education and awareness, and other considerations. Together, these two articles on 802.11 wireless policy development will help create a WLAN framework -- one that is not only useable but operates with limited risk and in the most secure manner possible.
|