Securing the WLAN

Martin Courtney asks how IT departments handle security and user access management on wireless networks

Mobile computing has truly come of age in the past couple of years. This is due in part to portable wireless devices combining internet access, email and mobile business applications with voice-calling capabilities having expanded beyond the realm of the road warrior and into the hands of mainstream users.

But with so many iPhones, BlackBerrys, smartphones, tablet PCs and netbooks now being brought into the office instead of – or as well as – laptops, the opportunity for hackers, or an organisation’s own employees, to gain unauthorised network and data access through the back door is a significant challenge for the corporate IT departments tasked with securing them.

And while the IT department may have effectively locked down access to the wired corporate network, dealing with those who access or transmit sensitive business information wirelessly is a very different problem, which needs to be approached in a very different way, say experts.

Research company Vanson Bourne conducted a survey, sponsored by Motorola, of 400 IT directors at companies with more than 1,000 employees based in the UK, France, the Netherlands, Germany, Italy, Spain and the Nordic countries last year. It found that 65 per cent of large European companies used the same security measures for wired and wireless networks.

But whereas a wired network has some element of physical security by virtue of being installed within lockable company premises in most cases, the same is not true for wireless LANs (WLANs) which broadcast signals beyond the natural barriers of walls and doors.

Plus, every wireless user who roams on to other public or private Wi-Fi networks that do not insist on the same level of control runs the risk of introducing potentially damaging malware on to corporate systems once they reconnect when in the office.

Martyn Ruks is a security consultant at MWR Infosecurity. He says the corporate approach to wireless security has changed in recent years, with many organisations eschewing the use of virtual private networks (VPNs), web filtering and content inspection tools in favour of lower-cost security platforms that provide network access without requiring that infrastructure to be put in place.

“That opens up a different series of possible attacks, and the only control you have is from those left on the laptop or smartphone itself, which means potential exploits using web browsers, traffic interception techniques and cookie access,” says Ruks.

VPNs use shared certificates and keys to ensure that information passes between two computers only once the user has been authenticated, at which point all traffic transmitted is encrypted.

Deploying IPsec-based VPNs is generally held to be more secure but less flexible. Other approaches use secure shell (SSH) software at the client and server ends of the link, or secure sockets layer (SSL) certificates that authenticate the connection between two sites and then encrypt and decrypt the traffic transmitted between them.

Another way to set up a VPN is by adding HTTPS extensions available for browsers such as Internet Explorer or Firefox, which redirect users to an SSL-protected site from standard HTTP web pages.

Other than the cost of implementing VPNs and making sure people use them, some organisations are put off because once a hacker has gained access to the secure channel by obtaining user VPN authentication details, they effectively have access to the whole network.

Encryption is the key
Making certain that wireless sessions, whether inside or outside the VPN, are properly encrypted to prevent airborne signals being intercepted – and the data they contain being accessed – is paramount.

“If the [web] traffic is not encrypted, they [hackers] can potentially see what web sites you are visiting, which means you might be giving away commercially sensitive information that others can obtain,” says Ruks.

“Imagine a CEO looking at different organisations for merger and acquisition purposes, for example: those are the types of things that can be picked up.”

Different encryption techniques provide different levels of complexity and security, with some being easier to crack than others. According to the Vanson Bourne survey, 47 per cent of European companies still use either WEP or WPA encryption on wireless access points (APs) and client devices, both of which are relatively easy to decipher with freely available software tools.

Standardise on security software and configurations
Another problem for IT managers is the sheer range and diversity of portable devices being used for WLAN access, with many using different operating systems, applications and authentication processes.

In all cases, say experts, it is important to standardise on the security tools and configurations in use, both to simplify deployment and minimise the ongoing management overhead.

“It is a case of installing the latest patches, but also configuring software properly and correctly setting user privilege levels,” says Ruks.

Comprehensive software tools that run on multiple operating systems and enforce device compliance with a centralised security policy are available from a range of vendors.

What is needed in many cases is a single security software tool that can be installed on each device to enforce compliance with the centralised security policy; such tools are already available from Novell, Cisco and Motorola, among others.

Companies with large numbers of staff can also outsource the administrative burden of remote installations, patches and updates, and other tasks, to third parties, often ISPs, telecommunications carriers or mobile operators such as Vodafone.

Identity access management
Many organisations install identity access management (IAM) software to help them enforce WLAN connection policies. Most such products provide complex features that restrict users to specific content, applications, usage times and areas of the network depending on their authentication credentials.

Most IAM software, such as Avaya’s Identity Engines, can establish VPNs, encrypt all wireless sessions and let IT staff corral different classes or groups of users into different parts of the network according to their access privileges and the level of security implemented on their laptops. Those who do not have the latest software patches installed can be temporarily restricted while the IAM app updates the client OS and apps.

Deployed in isolation, IAM is not a universal panacea for network security. As with VPNs, if a hacker obtains single sign-on (SSO) credentials that authenticate against a user directory such as Microsoft Active Directory (AD), they then have access to every system the SSO ID authenticates to, rather than needing the five or six different sets of logon credentials they would have required previously.

“It is a balancing act as to what each individual organisation actually needs,” says MWR Infosecurity’s Ruks. “The key thing to understand is the ways in which people are going to attack corporate systems. Are they going to attack them because they are not managed correctly, or are they going to do it by identifying the methods being used to gain access?”

But IT managers also recognise that establishing clear security policies and educating users on how to apply them is equally important in preventing breaches, which means continual investment in training is required, as well as hardware and software.

“It is also about how awareness and training is delivered to users,” says Ruks. “It is too easy to provide people with information on what they should and should not do as opposed to a scenario-based approach that looks at the likely decisions they will need to make in certain situations to help them do the right things concerning security during their day-to-day jobs.”

Wireless policy management, auditing and cost savings
An organisation can implement as many wireless security policies as it likes, but auditing and monitoring them to make sure that users are sticking to the rules is essential for proper enforcement.

Otherwise, there is a strong chance that the IT department will remain oblivious to the very vulnerabilities the policies were designed to eliminate in the first place. In some cases, routers can be reset and will default to less-secure WPA encryption, for example, or users can ignore corporate guidelines and continue to access public Wi-Fi networks before attaching to the corporate LAN.

Of those surveyed by Vanson Bourne, 56 per cent said they believed their own employees often flouted security measures by sending sensitive corporate data over unsecured Wi-Fi links rather than VPNs.

Organisations should not limit wireless policies to specific departments or groups, or make them too verbose or complex. Rather, a single set of rules should be implemented across the entire organisation, and kept short and simple in order to make it easy for users to follow and put them into practice.

Any IT department confident that it has no issue with wireless security now needs to take a look at the future. Most hacker activity has so far targeted Wi-Fi networks and Wi-Fi-enabled devices simply because these are so widely used to access corporate network environments.

But as the popularity of smartphones and other types of mobile device with new mobile operating systems increases, hackers will quickly turn their attention to infiltrating applications designed for that class of device as well, and that means breaking into cellular 3G and other mobile networks, as well as Wi-Fi.

Any organisation that is serious about protecting its data needs to think about implementing effective wireless security measures sooner, rather than later.

WLAN security tips

A determined hacker will stop at nothing to gain access to a target organisation’s wireless network, and no single WLAN can ever claim to be 100 per cent secure. However, following basic rules around WLAN patching, authentication and infrastructure configuration can thwart the vast majority of potential threats.

Here are 10 to get you started:

• Make sure security software on end user laptops and portable devices is up to date, with current versions of operating systems, firewalls, web browsers, and anti-virus and anti-spyware software. Standardise on a small number of vendors’ security software and configurations for multiple devices.

• Implement strong authentication and password policies requiring alphanumeric passwords that are periodically changed, and make sure users connect only through authentication servers, ideally using MS-CHAPv2, EAP-PEAP or EAP-UTIL authentication protocols or similar.

• Do not broadcast SSIDs. Many Wi-Fi devices broadcast their SSID by default, which can alert the casual hacker to its presence. Turning this off can help, although the SSID can still be discovered using sniffer software.

• Implement strong encryption on APs and client devices, such as WPA2 rather than WEP (which can be cracked with freely available tools downloaded from the internet) or WPA.

• Consider using application-layer authorisation protocols such as SSL or SSH to encrypt traffic, or software clients to establish virtual private networks to protect every WLAN session.

• Configure the router to allow only devices with specific MAC addresses on to the network. Remember, however, that this is not foolproof: it offers protection only while no authorised wireless device is connected, because wireless network sniffer software can otherwise read the unencrypted MAC address headers transmitted in 802.11 data packets.

• Use wireless intrusion detection and prevention systems. This is software that monitors the radio spectrum to find unauthorised, or rogue, access points and block them to help prevent unauthorised access to LANs.

• Make sure only IT department-approved APs are attached to the network, and turn down transmit power on APs close to the office perimeter (such as exterior walls and ceilings). Also, consider turning off APs when not in use and encourage end users to turn off the Wi-Fi interface in their portable devices when they do not require internet or network access.

• Keep firewalls running at the perimeter of the local area network and encourage end users to always use their firewall when accessing both the internet and the intranet.

• Look beyond Wi-Fi to wireless devices, including barcode readers, handheld terminals, wireless printers and copiers which may use Bluetooth, infrared and other forms of wireless technology. These may also transmit confidential information and therefore need to be secured.
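The encryption, rogue-AP and transmit-power checks from the tips above, and the WEP/WPA point made earlier in the article, turned into a simple policy audit as an added example (not code from the article or from any vendor it names); the record fields, the approved-BSSID list and the power threshold are assumed values, and the scan data is constructed:

```python
"""Audit wireless access-point scan results against a simple WLAN policy.

Added example, not from the original article. Input is a constructed list
of scan records of the kind a wireless IDS or site-survey tool might export;
the field names and the policy values below are assumptions.
"""
from dataclasses import dataclass

# Constructed policy: BSSIDs the IT department has approved, which of them
# sit near the office perimeter, and the maximum transmit power allowed there.
APPROVED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
PERIMETER_BSSIDS = {"00:11:22:33:44:02"}
MAX_PERIMETER_TX_DBM = 14

WEAK_SECURITY = {"OPEN", "WEP", "WPA"}   # "WPA" here means WPA1 (TKIP)

@dataclass
class ScanRecord:
    bssid: str
    ssid: str
    security: str      # OPEN, WEP, WPA, WPA2, WPA3
    cipher: str        # NONE, TKIP, CCMP
    tx_power_dbm: int

def audit(records):
    """Return (bssid, finding) tuples for every policy violation seen."""
    findings = []
    for r in records:
        bssid = r.bssid.lower()
        if bssid not in APPROVED_BSSIDS:
            # An unknown AP advertising any SSID is a rogue until proven otherwise.
            findings.append((bssid, f"rogue AP broadcasting '{r.ssid}'"))
            continue  # no point auditing settings on an AP we do not manage
        if r.security.upper() in WEAK_SECURITY:
            findings.append((bssid, f"weak security: {r.security}"))
        elif r.cipher.upper() == "TKIP":
            findings.append((bssid, "WPA2 configured but TKIP cipher still permitted"))
        if bssid in PERIMETER_BSSIDS and r.tx_power_dbm > MAX_PERIMETER_TX_DBM:
            findings.append((bssid, f"perimeter AP tx power {r.tx_power_dbm} dBm"))
    return findings

# Constructed sample scan: two managed APs and one unknown AP using the corporate SSID.
SAMPLE_SCAN = [
    ScanRecord("00:11:22:33:44:01", "corp", "WPA2", "CCMP", 20),
    ScanRecord("00:11:22:33:44:02", "corp", "WPA", "TKIP", 20),
    ScanRecord("AA:BB:CC:DD:EE:FF", "corp", "OPEN", "NONE", 20),
]

if __name__ == "__main__":
    for bssid, finding in audit(SAMPLE_SCAN):
        print(bssid, finding)
```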
