10:57 AM
Wireless Security: Enough Talk, Here's What You Can Do
In an old Tide laundry detergent commercial, a customer walks into a Chinese-owned laundromat and asks how the proprietor gets the shirts so clean. The proprietor says, "Ancient Chinese secret." Then the camera pans to the back and shows Tide being used in a regular washer.
Wireless LAN (WLAN) security is like that. The limited solutions now available keep wireless LAN security simple.
Unfortunately, most financial institutions that are deploying WLANs are not even thinking about these simple security enhancements and measures.
The good news is that WLAN security is not an impossible problem to solve, but you do have to think about it. Given the current state of the technology, heterogeneous environments will be significantly harder to secure than homogeneous ones.
While there is no substitute for practical experience with a new technology, it's possible to avoid some of the most common mistakes. Given the current state of the technology, heterogeneous environments will be significantly harder to secure than homogeneous ones. From a practical standpoint, this may be the most important piece of knowledge.
One of the fundamental problems with many wireless deployments is caused not by technology, but by lack of planning. People seem to forget that radio frequencies (RF) travel through air, and that wireless is just RF. The nice clean boundaries that exist in the wired environment (i.e., the cables hold the signal) don't exist in wireless. In wireless, it requires analysis to figure out your network boundary.
People need to think about where the signals from their WLAN propagate and take appropriate actions to protect the signals with shielding and proper antennas.
The following are some practical things that can be done to make your environment more secure.
Perform a site survey to determine the actual extent of your current WLAN deployment. This will also allow you to see if there are rogue Access Points on your network and if so, how they are configured. Perform periodic assessments after that.
You can also treat your WLAN as an insecure MAC layer, over which you run secure IP protocols. Make it an extranet.
Change the SSID (a.k.a. network name) from the default value. Disable broadcast of the SSID (i.e., use a closed network). Change the default management passwords on your Access Point. This would be applicable for Telnet, HTTP, and SNMP.
If you cannot deploy ESN (the proposed security enhancements for 802.11) or a vendor variant, and you have sensitive data on the systems or network, deploy complementary security mechanisms such as personal firewalls and VPNs on the clients.
Configuration and management actions to consider:
Use ESN or a vendor version of this functionality if your equipment supports it. Use a management subnet or VLAN because management traffic is sent in the clear.
Use a Serial connection (where possible) to manage the Access Points and not the Telnet, SNMP or HTTP interfaces.
Use static addresses where possible, rather than DHCP because the attacker does not automatically get an IP address if he can associate with an Access Point.
Enable WEP. This can be effective against the casual snooper and script kiddy type attackers.
Determine the best antenna for your installation:
Use omnidirectional antennas when single floor coverage is desired, and place the antenna in the center of the space. Bi-quad are omnidirectional antennas that have smaller vertical radiation patterns than the standard dipole antennas that come on most Access Points.
Directional antennas are good when you want to be purposeful about the direction of the RF signal (i.e., you know where your clients will be). They can be used in large spaces where you can direct the signal towards the center of the space and minimize leakage outside the building or campus.
Use shielding wherever practical to limit RF leakage outside the building.
In the banking industry, wireless LAN technology is being adopted at a rapid rate. In many cases, individual departments are deploying it with no oversight from an IT department and no involvement of security professionals.
Because of the sensitivity of the information for financial institutions, the lack of security of typical wireless deployments is unacceptable.
While each of these recommendations only improves security a little, the cumulative effect of implementing all of them is significant. The banking industry should consider the use of ESN an industry best practice.
Philip Cox is a consultant with SystemExperts Corp., Sudbury, Mass., a provider of network security consulting services for leading financial institutions.