Deploying of Corporate Wireless Network
In terms of cost effectiveness and convenience, wireless networks have gained in popularity among organisations. But new security risks come with the benefits of adopting wireless networks in an organisation. To tackle these risks effectively, various security best practices need to be considered throughout the entire deployment lifecycle. To help organisations understand at what point in their wireless network deployments a recommended security best practice might be relevant, we outline here a five-phase lifecycle model for network deployment and point out security issues that need special attention.
Initialisation Phase
Determine the Business and Functional Requirements for the Use of the Wireless Network
Before designing the wireless network, it is important to understand the business and functional requirements of the wireless solution. These requirements may affect decisions on what kind of security measures should be deployed to protect the network. For example, if guest access will be required, security best practices for guest access should be considered in the design stage.
Define a Wireless Security Policy
The organisation should develop a strong wireless security policy to address all the usage options of wireless networks and the types of information that can be transmitted. The policy should outline a framework for the development of installation, protection, management and usage procedures. Security and operation guidelines, standards and personnel roles should also be clearly defined.
Design/Procurement Phase
Keep Track of Wi-Fi Development Standards
Since the 802.11 standard was first introduced, enhancements have continuously been made to strengthen data rates, signal range, and security of wireless networks. Therefore, it is a good idea to keep track of the development of new standards as they appear, in particular when procuring new equipment or acquiring new wireless network services. In any new purchase, protection by one of the stronger wireless security protocols such as WPA2 or WPA3 should be considered, but by no means should such wireless security protocols be solely relied upon to protect data confidentiality and integrity, as new weaknesses in protocols may be discovered in the future.
Since the 802.11 standard was first introduced, enhancements have continuously been made to strengthen data rates, signal range, and security of wireless networks. Therefore, it is a good idea to keep track of the development of new standards as they appear, in particular when procuring new equipment or acquiring new wireless network services. In any new purchase, protection by one of the stronger wireless security protocols such as WPA2 or WPA3 should be considered, but by no means should such wireless security protocols be solely relied upon to protect data confidentiality and integrity, as new weaknesses in protocols may be discovered in the future.
Perform Security Risk Assessments and Audits to Identify Security Vulnerabilities
Security assessments and audits are essential means for checking the security status of a wireless network and identifying any corrective action necessary to maintain an acceptable level of security. These assessments can help identify loopholes in the wireless network, such as poorly configured access points using default or easily guessed passwords and SNMP community strings, or the presence or absence of encryption. However, a security risk assessment can only give a snapshot of the risks to information systems at a given time. As a result, it is important to perform assessments and audits regularly once the wireless network is up and running.
Security assessments and audits are essential means for checking the security status of a wireless network and identifying any corrective action necessary to maintain an acceptable level of security. These assessments can help identify loopholes in the wireless network, such as poorly configured access points using default or easily guessed passwords and SNMP community strings, or the presence or absence of encryption. However, a security risk assessment can only give a snapshot of the risks to information systems at a given time. As a result, it is important to perform assessments and audits regularly once the wireless network is up and running.
Perform Site Surveys
Due to the nature of radio frequency (RF) propagation, radio signal emissions cannot generally be contained within a particular building or location. Excessive coverage by the wireless signal could pose significant threat to the organisation, opening it to parking lot attacks on the network. Therefore, it is necessary to have a good understanding of the coverage requirements for the desired wireless network during the network-planning phase. By performing a site survey, one can identify:
Due to the nature of radio frequency (RF) propagation, radio signal emissions cannot generally be contained within a particular building or location. Excessive coverage by the wireless signal could pose significant threat to the organisation, opening it to parking lot attacks on the network. Therefore, it is necessary to have a good understanding of the coverage requirements for the desired wireless network during the network-planning phase. By performing a site survey, one can identify:
the appropriate technologies to apply;
obstacles to avoid, eliminate, or work around;
coverage patterns to adopt; and
amount of capacity needed.
Apply a Defence-in-Depth Approach
The concept of "defence-in-depth" has been widely employed in the secure design of wired networks. The same concept can also be applied to wireless networks. By implementing multiple layers of security, the risk of intrusion via a wireless network is greatly reduced. If an attacker breaches one measure, additional measures and layers of security remain in place to protect the network.
Separation of wireless and wired network segments, use of strong device and user authentication methods, application of network filtering based on addresses and protocols, and deployment of intrusion detection systems on the wireless and wired networks are all possible measures that can be employed to build multiple layers of defence.
The concept of "defence-in-depth" has been widely employed in the secure design of wired networks. The same concept can also be applied to wireless networks. By implementing multiple layers of security, the risk of intrusion via a wireless network is greatly reduced. If an attacker breaches one measure, additional measures and layers of security remain in place to protect the network.
Separation of wireless and wired network segments, use of strong device and user authentication methods, application of network filtering based on addresses and protocols, and deployment of intrusion detection systems on the wireless and wired networks are all possible measures that can be employed to build multiple layers of defence.
Separate Wireless Networks from Wired Networks
Due to the nature of wireless technology, wireless networks are relatively hard to contain within a building and it is generally considered to be an un-trusted network. As a best practice, wireless networks and wired networks should not be directly connected to each other. It is common to deploy firewalls to separate and control the traffic between different networks. For example, ARP broadcast packets should be blocked from entering a wired network from a wireless network since a malicious user could uncover internal information, such as Ethernet MAC address from these broadcasts.
Due to the nature of wireless technology, wireless networks are relatively hard to contain within a building and it is generally considered to be an un-trusted network. As a best practice, wireless networks and wired networks should not be directly connected to each other. It is common to deploy firewalls to separate and control the traffic between different networks. For example, ARP broadcast packets should be blocked from entering a wired network from a wireless network since a malicious user could uncover internal information, such as Ethernet MAC address from these broadcasts.
Segment the Access Point's Coverage Areas
Due to the limited transmission capacity of a wireless network, a malicious attacker can easily launch a Denial-of-Service (DoS) attack to bring down the network. Segmenting access point coverage areas can balance the loads on a wireless network and minimise any impact from DoS attacks.
Due to the limited transmission capacity of a wireless network, a malicious attacker can easily launch a Denial-of-Service (DoS) attack to bring down the network. Segmenting access point coverage areas can balance the loads on a wireless network and minimise any impact from DoS attacks.
Implementation Phase
Implement Strong Physical Security Controls
The loss or theft of network equipment may pose a significant threat to a wireless network because configuration of the network can be retrieved from a lost access point or wireless interface card. By securely mounting network equipment, such as access points, in less accessible locations together with strong physical security controls, the risk of theft can be minimised.
The loss or theft of network equipment may pose a significant threat to a wireless network because configuration of the network can be retrieved from a lost access point or wireless interface card. By securely mounting network equipment, such as access points, in less accessible locations together with strong physical security controls, the risk of theft can be minimised.
Avoid Excessive Coverage of Wireless Networks
Using the information collected during the site survey, proper placement of access points can be designed to avoid excessive coverage by the wireless network and hence limit the possibility of intrusion. In addition to proper placement of the access points, adjusting the radio frequency (RF) power transmission or using directional antennas can also control the propagation of the RF signal and hence control coverage of a wireless network.
Using the information collected during the site survey, proper placement of access points can be designed to avoid excessive coverage by the wireless network and hence limit the possibility of intrusion. In addition to proper placement of the access points, adjusting the radio frequency (RF) power transmission or using directional antennas can also control the propagation of the RF signal and hence control coverage of a wireless network.
Secure Access Points
Access points are the core of a wireless network. Their security clearly has an overall effect on the security of the wireless network. Properly securing access points is the first step in protecting a wireless network. The following suggestions can help in hardening access points:
Access points are the core of a wireless network. Their security clearly has an overall effect on the security of the wireless network. Properly securing access points is the first step in protecting a wireless network. The following suggestions can help in hardening access points:
Change the default configuration settings;
Change encryption keys regularly;
Ensure that all access points have strong, unique administrative passwords and change the passwords regularly;
Disable all insecure and unused management protocols on access points and configure the remaining management protocols for least privilege;
Activate logging features and direct all log entries to a remote logging server;
Enable wireless threshold parameters, such as inactivity timeouts and maximum supported associations.
Use Non-suggestive Service Set Identifier (SSID) Naming Conventions
In a wireless network, an SSID serves as a network name for segmenting networks. A client station must be configured with the correct SSID in order to join a network. The SSID value is broadcast in beacons, probe requests and probe responses. To prevent a malicious attacker from collecting reconnaissance information on a wireless network by eavesdropping, SSIDs should not reflect internal information of the organisation.
In a wireless network, an SSID serves as a network name for segmenting networks. A client station must be configured with the correct SSID in order to join a network. The SSID value is broadcast in beacons, probe requests and probe responses. To prevent a malicious attacker from collecting reconnaissance information on a wireless network by eavesdropping, SSIDs should not reflect internal information of the organisation.
Disable Direct Client-to-Client "Ad-Hoc Mode" Transmissions
In general, a wireless network can be operated using three different topologies; infrastructure mode, ad-hoc mode and bridging mode. When a wireless network operates in ad-hoc mode, client stations are connected directly and no access point is required. Using this mode, a potential attacker can gain access to a client station easily if the client station is improperly configured. Unless there is a specific business need, the ad-hoc mode should be disabled on wireless devices.
In general, a wireless network can be operated using three different topologies; infrastructure mode, ad-hoc mode and bridging mode. When a wireless network operates in ad-hoc mode, client stations are connected directly and no access point is required. Using this mode, a potential attacker can gain access to a client station easily if the client station is improperly configured. Unless there is a specific business need, the ad-hoc mode should be disabled on wireless devices.
Limit Client-to-Client Communication through the Access Point
Most installed wireless networks operate in "infrastructure" mode that requires the use of one or more access points. With this configuration, all traffic in the wireless network travels through the access points. By controlling the communication among client stations at the access points, malicious users can be prevented from gaining access to vulnerable client stations.
Most installed wireless networks operate in "infrastructure" mode that requires the use of one or more access points. With this configuration, all traffic in the wireless network travels through the access points. By controlling the communication among client stations at the access points, malicious users can be prevented from gaining access to vulnerable client stations.
Keep Security Patches Up-to-date
Newly discovered security vulnerabilities in vendor products should be patched to prevent inadvertent and malicious exploits. Patches should also be tested before deployment so as to ensure they work correctly.
Newly discovered security vulnerabilities in vendor products should be patched to prevent inadvertent and malicious exploits. Patches should also be tested before deployment so as to ensure they work correctly.
Employ MAC Address Filtering on Access Points
MAC address filtering can be considered the first layer of defence for wireless networks. With MAC address filtering enabled, only devices with pre-approved MAC addresses can see the network and be granted access to the network. However, such access control should by no means be solely relied upon to protect data confidentiality and integrity, as tools are available on the Internet for modifying the MAC address of a client. Besides, MAC address filtering mechanisms may not be feasible in some scenarios such as the implementation of public wireless hotspots.
MAC address filtering can be considered the first layer of defence for wireless networks. With MAC address filtering enabled, only devices with pre-approved MAC addresses can see the network and be granted access to the network. However, such access control should by no means be solely relied upon to protect data confidentiality and integrity, as tools are available on the Internet for modifying the MAC address of a client. Besides, MAC address filtering mechanisms may not be feasible in some scenarios such as the implementation of public wireless hotspots.
Deploy Wireless intrusion detection systems
Deploying wireless intrusion detection systems on the network can help detect and respond to malicious activities in a timely manner. More recently, a number of wireless intrusion detection systems have been equipped with capabilities to detect and prevent rogue access points.
Deploying wireless intrusion detection systems on the network can help detect and respond to malicious activities in a timely manner. More recently, a number of wireless intrusion detection systems have been equipped with capabilities to detect and prevent rogue access points.
Operations And Maintenance Phase
Educate Users about the Risks of Wireless Technology
User awareness is always a critical success factor in effective information security. A good policy is not enough. It is also important to educate all users in following the policy. Best practices or security guidelines should be developed that end users understand and adhere to.
User awareness is always a critical success factor in effective information security. A good policy is not enough. It is also important to educate all users in following the policy. Best practices or security guidelines should be developed that end users understand and adhere to.
Keep an Accurate Inventory of All Wireless Devices
An accurate inventory of all authorised wireless devices helps identify rogue access points during security audits. This inventory will also be helpful for a variety of support tasks.
An accurate inventory of all authorised wireless devices helps identify rogue access points during security audits. This inventory will also be helpful for a variety of support tasks.
Publish a Coverage Map of the Wireless Network
Network administrators should develop a coverage map of the wireless network, including locations of respective access points and SSID information. This map is a valuable asset for troubleshooting, or handling a security incident.
Network administrators should develop a coverage map of the wireless network, including locations of respective access points and SSID information. This map is a valuable asset for troubleshooting, or handling a security incident.
Develop Security Configuration Standards for Access Point
To simplify daily operations and ensure all access points are protected with appropriate measures, it is recommended a baseline security configuration standard for access points be developed. It is not uncommon to see security settings restored to their default factory settings after an access point is reset, which usually occurs when the access point experiences an operational failure. If a baseline security configuration standard is available, appropriate personnel can simply follow the standard settings to re-configure the access point.
To simplify daily operations and ensure all access points are protected with appropriate measures, it is recommended a baseline security configuration standard for access points be developed. It is not uncommon to see security settings restored to their default factory settings after an access point is reset, which usually occurs when the access point experiences an operational failure. If a baseline security configuration standard is available, appropriate personnel can simply follow the standard settings to re-configure the access point.
Review Audit Logs Regularly
Regular checking of log records must be performed, to ensure the completeness and integrity of all logs. Any irregularities spotted must be reported and a detailed investigation should be carried out if necessary.
Regular checking of log records must be performed, to ensure the completeness and integrity of all logs. Any irregularities spotted must be reported and a detailed investigation should be carried out if necessary.
Develop Incident Response Procedures
It is recommended that administrators develop a set of in-house procedures for incident response, and update these procedures from time to time to address new potential security threats.
It is recommended that administrators develop a set of in-house procedures for incident response, and update these procedures from time to time to address new potential security threats.
Disposition Phase
Remove All Sensitive Configuration Information before Disposal
When disposing of wireless components, it is important to erase all sensitive configuration information, such as pre-shared keys and passwords, on the devices that are being disposed of. Malicious users might make use of the configuration information to conduct subsequent attacks on the network. Manual removal of configuration settings through the management interface is a must prior to disposal. Organisations may also consider degaussing devices whenever feasible. Secure deletion utilities can also be used if devices have storage disks.
When disposing of wireless components, it is important to erase all sensitive configuration information, such as pre-shared keys and passwords, on the devices that are being disposed of. Malicious users might make use of the configuration information to conduct subsequent attacks on the network. Manual removal of configuration settings through the management interface is a must prior to disposal. Organisations may also consider degaussing devices whenever feasible. Secure deletion utilities can also be used if devices have storage disks.
Related topic(s):