The weakest link?

Wireless networks are finally shedding their insecure image, as a host of high-end features makes them safer than ever. But for enterprises, the critical factor still lies in the effective deployment of a wireless LAN. NME reports on the latest policies in wireless security.

By Administrator. Published December 31, 2006

Wireless has always been a leaky medium – from the earliest attempts to secure radio frequency communications, the ease of acquisition of the signal has made radio signals inherently more likely to be compromised than discrete communication. Until recently, most forms of cryptography have been susceptible to attack, especially with enough source material – exactly what wireless communication is able to deliver in quantity.

So the deployment of wireless networks within enterprises has always had a conceptual barrier – recent memories of eavesdropping on cellular phone conversations cannot have helped persuade sceptical managers that Wi-Fi offers sufficient security to allow sensitive company data to be transmitted safely.

It didn’t help that Wi-Fi security failed to deliver. The original Wired Equivalency Protocol (WEP) used only limited encryption, and hackers and security researchers quickly and graphically demonstrated its weaknesses.

“There are security risks on wired networks, and with WEP, a lot of those carried over to the wireless world; in addition, wireless offered some risks of its own,” says Michael Coci, technical director for EMEA at Trapeze Networks. “As wireless became more popular, the risks became more severe – with more clients and more activity. And the media did a good job of exposing those risks and making people aware of them.”

The result was Wi-Fi Protected Access (WPA), followed by the 802.11i security standard (also known as WPA2) – a much more secure approach to locking down wireless communications. Cracking WPA systems requires more computing power than the average enterprise would be able to muster – for all intents and purposes, it is secure.

Hishamul Hasheel, technical sales manager for US Robotics in the Middle East, says: “The whole wireless security is a very subjective term – as wireless technology is evolving, so too is wireless security. Wireless security is no more a concern to an enterprise, in terms of switching from a wired network. In terms of the enterprise wireless, whatever is required to make up a secure wired network, this is the same for a wireless network. Looking at end-to-end security, whether it’s based on a simple WEP key or high-end encryption with WPA2, security is embedded in almost all wireless products that are available on the market today.”

Sadly for network managers, wireless security does not end there, as Hasheel is quick to point out.

Technically the various components of wireless networks may have the capability to be very secure, but actually making the network as a whole impregnable is more of a challenge.

“A lot of time when talking about security, people start focusing on equipment – they’re hoping that somewhere there’s a magical piece of equipment that will allow them to be secure,” says Fabio d’Emilio, vice president of operations at wireless and telecoms specialists LCC. “The way you have to look at it is that security has to be end-to-end – there are different points where you can hack the network, whether it be the authentication phase, the veracity of the data you’re inputting, in actually putting down the network by doing a massive ping attack.”

D’Emilio explains that wireless security is a matter of process: “You have to look at the direction of the enterprise. First of all, do they actually need wireless LAN? A lot of companies go out and say ‘I want wireless LAN’ – do they have a need for it, are people actually that mobile within the office? Are you looking at wireless LAN for cost reasons – you’re refurbishing the office and you don’t want to put the wires in any more? Once you have identified the need, then you can start encapsulating the process in a safe environment; this is what’s sometimes called the peel of the onion – the centre is what you want to defend, and then you start putting peels around it.”

Many vendors and observers express concern that significant numbers of enterprises in the Middle East are not sufficiently clear on the need to design an effective process and set of policies around wireless networks. “I don’t think there are too many companies in the Middle East that have a well-defined security policy when it comes to wireless,” says Harrison Albert, sales manager for D-Link Middle East.

Tariq Hasan, sales support manager for Symbol Middle East comments on the subject: “Enterprises are realising that they need to do something about wireless security – but I don’t think many enterprises in the Middle East have someone who really understands about the various attacks and how to prevent them.”

Extreme Networks’ technical manager for MENA, Majdi Babaa, says the situation depends on what industry is deploying the wireless network: “Especially with financial institutions, you see them deploying wireless security from day number one. It doesn’t cost them anything – they have the resources already, it’s just a matter of tweaking and configuring them.

“But for the rest of them, probably some of them they know it’s there, but because it’s a new field for them – they don’t try to implement it, or they think it’s difficult to implement. Our purpose when we do demos is often to show them that it’s very simple – it will probably take less than a couple of hours to configure the system.”

Enterprises have a number of very effective strategies available to them to help secure a wireless network, in many ways more than are available on wired networks. Trapeze’s Coci argues that this is thanks to concerns over wireless security which have driven investment in greater security efforts.

“What happened then, is wireless actually leapfrogged a lot of the developments that were happening on the wired side,” he says. “One of the built-in conceptions about security on a wired network was that primarily it rested in the hands of physical security; most of it is centred around the fact that I have a guard at the front door, that I lock my doors at night, that I shut my windows. So once you break that physical security boundary, there’s not a lot of system-level security measures in place.”

One tactic to help confine wireless networks to within a particular site is to be intelligent about something as simple as power levels. By monitoring the signal strength of wireless clients, it is possible to prevent extra-mural access to a large extent, explains Extreme’s Babaa.

“You can also introduce controls to stop users accessing the network from outside the site; if you know that everywhere in your site has more than 30% signal strength, then you can deny access to users below that, as they will be accessing the network from outside the building,” says Babaa. “This does depend on doing a very effective site survey, but there are planning software tools you can use to help with this.”

Another effective tactic can be to use the dual-radio capability of a lot of wireless systems to detect rogue access points or devices. Tahir Khan, systems engineer at 3Com Middle East, says this is something his company can offer.

“We have devices that have dual radios – such as for 11a and 11b/g – can use one of the radios for communication, and the other to monitor and identify untrusted access points or clients,” he says. “It works like a radar, and then keeps them away from the network. The controller, the central switch, picks up the details of all the access points, and identifies them as friendly devices – it can also use a trusted device list using MAC addresses. So any other radio devices not on the safe list are considered untrusted devices: the switch quarantines it and removes it from the network.”

A similar approach comes from Symbol’s Hasan: “Users need to be aware of the types of attacks that hackers can launch, and what technologies and processes exist to help them prevent these attacks, and even launch counter-attacks. Once a device has been recognised as a rogue device, you can start sending de-authentication frames – kind of a denial of service attack against the client system. If you just keep on sending the de-authentication frames to the device, it is not able to go back and associate with the network.”

These approaches are essentially based around policies rather than technology, and have more to do with intelligent design of a network than anything else. In a similar way, organisations need to be clear on who needs to use the network, and for what purpose – by doing this, enterprises can ensure users receive appropriate access, sensitive data is kept away from easily-accessible networks, and the organisation does not spend a fortune on high-end security for users which do not need it.

Extreme’s Babaa gives an example of a three-layer wireless configuration, through what he calls ‘access domains’: a guest domain, which has little or no security, and only offers internet access – there is no connection to enterprise systems. Then comes a domain for handheld devices, such as barcode scanners or similar systems – this has access to networked applications, but only in a specific area, say the shop floor or warehouse, and will have basic security such as WPA.

The final network domain is for corporate users – this will have the highest level of security, such as two-factor authentication, AES, and other advanced systems. Babaa says this system is unique to Extreme Networks, in the way it is implemented.

Access to these domains comes from pre-approved lists, with client devices identified by MAC addresses. Asked about the possibility of MAC spoofing, Babaa says: “The access point will lock down the MAC addresses coming through it. So I know that five or six MAC addresses are coming through this access point. The access point is already connected to a switch, and the switch is also limited by MAC address VLANS. I assume that these devices are on all the time – the switch and the access point will monitor that.

“If a MAC address disappears and reappears, then I know that something is wrong – someone could be trying to spoof this MAC address. Immediately the network will put the MAC address in suspend, until we know what’s happened – we can check, validate the device, and ultimately decide what to do with it.”
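The controls described above (a trusted MAC list, the 30% signal floor, and suspending a MAC address that disappears and reappears) can be combined into one decision function. This is an added illustration, not vendor code: the 300-second gap, the event format, the decision names and the sample addresses are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

MIN_SIGNAL_PCT = 30     # the figure quoted in the article; set it from the site survey
MAX_GAP_SECONDS = 300   # assumption: longest silence expected from an always-on device

@dataclass
class AccessPolicy:
    trusted: set                                   # pre-approved MACs, lowercase
    last_seen: dict = field(default_factory=dict)  # MAC -> time of last sighting
    suspended: set = field(default_factory=set)    # MACs held for manual validation

    def evaluate(self, ts, mac, signal_pct):
        """Return the decision for one sighting (ts in seconds)."""
        mac = mac.lower()
        if mac not in self.trusted:
            return "quarantine"           # not on the safe list
        if mac in self.suspended:
            return "suspended"            # held until an administrator validates it
        if signal_pct < MIN_SIGNAL_PCT:
            return "deny-weak-signal"     # likely outside the surveyed site
        previous = self.last_seen.get(mac)
        self.last_seen[mac] = ts
        if previous is not None and ts - previous > MAX_GAP_SECONDS:
            self.suspended.add(mac)       # vanished, then reappeared: possible spoof
            return "suspended"
        return "allow"

    def validate(self, ts, mac):
        """Administrator has checked the device: lift the suspension."""
        mac = mac.lower()
        self.suspended.discard(mac)
        self.last_seen[mac] = ts

# Constructed sample sightings: (seconds, MAC, signal strength in percent)
SCANNER, LAPTOP, UNKNOWN = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:99"
EVENTS = [
    (0,   SCANNER, 80),
    (60,  SCANNER, 75),
    (70,  UNKNOWN, 90),
    (90,  LAPTOP,  20),
    (900, SCANNER, 85),   # 840 s of silence before this sighting
    (910, SCANNER, 85),
]

def run(events, policy):
    return [policy.evaluate(ts, mac, pct) for ts, mac, pct in events]

if __name__ == "__main__":
    policy = AccessPolicy(trusted={SCANNER, LAPTOP})
    for event, decision in zip(EVENTS, run(EVENTS, policy)):
        print(event, "->", decision)
```

A gap-based check of this kind only flags a spoofer who appears after the genuine device has gone quiet, and a MAC list on its own does not authenticate anything, which is why the corporate domain described earlier layers stronger authentication on top.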

In modern wireless networks, the client devices are the weakest part of the security chain – while enterprises can ensure high levels of security and full control of infrastructure components, clients are always – to a greater or lesser extent – at the mercy of users, especially if devices are not standardised across an enterprise.

This has recently become more of an issue, thanks to the discovery by security researchers last year of serious flaws in Broadcom wireless device drivers – and the expectation that other chipsets may not be immune (see boxout). At this stage, no attacks based on this vulnerability have been recorded – and the flaw is mitigated in large part by being wireless-based: a hacker would need to be close to the afflicted client to exploit the flaw.

“The threats that have been identified are centred around what the hacker can do to the laptop itself rather than the potential to use the victim’s laptop as a method to gain entry to the corporate WLAN,” says Trapeze’s Coci on the subject. “The real responsibility for solving this issue lies with the wireless card manufacturer and the laptop OS vendor. In addition, the user logging in from the laptop should have access only to the network resources that are defined by the IT or network administrator beforehand.

“Again, there have not been any real-world attacks of this kind reported, and the best/most protection that can be provided by the WLAN infrastructure is endpoint remediation such as SODA (Sygate on demand) or NAC/NAP (network access control/network access protection), which will check the laptop for any known viruses, malware, and so on, before allowing it access to the network.”

Wireless security is now pretty effective at the technical level, badly-coded drivers notwithstanding. The 802.11i standard has included fairly heavyweight encryption systems, and many vendors – especially in the enterprise market – make much of additional security layers and tweaks. One method, which is particularly appropriate in public access environments, is to combine several different types of security system.

“There’s handset-based security, using triple-DES, PKI; there is also security from a WAP (wireless application protocol) point of view, looking at delivery from the web, and how that translates to Wi-Fi,” says Kenny Young, chief marketing officer at LCC. “We’ve also seen trials where both are combined, and you see the combination of triple-DES and WAP – it’s amazing, when you start to apply both of these; you see a mathematical formula that just continues to grow, making it harder and harder to decrypt the data.

“In some cases it’s actually easier to do security on wireless than it is on the wired side of the network.”

Wireless is set to become an even more integral part of the enterprise in the near future, as new 802.11n products offer wire-speed wireless access. In addition, the growth of wireless technologies such as Bluetooth and Ultra Wideband (UWB) for short-range communication, will continue to mean wireless is at the forefront of networking. But with the growth of effective security, wireless is currently safer than at any time in the past.

Top wireless policy tips

Enterprises can minimise the risks they take with wireless networks, by making sure they construct effective policies around wireless use.

  • Why wireless? Does the enterprise actually need a wireless network? Who will be using it, and for what? Decide this before deployment.

  • Limit access: If the WLAN is for guest access, make sure it has no connection to the main corporate network. If it is for the shop floor, make sure there is no link to other business areas.

  • Secure devices: Make sure client devices are as secure as possible, to limit the scope for hackers to gain access through a vulnerable device such as a laptop or PDA.

Wireless intrusion prevention

Intrusion prevention is a fairly established concept within the network core, but now vendors are coming out with new wireless IPS offerings, promising enterprises the ability to defend their wireless networks proactively. Colubris and Symbol are two such vendors with products on the market.

Colubris’s director of marketing, Carl Blume, talks about his firm’s system: “Our RF Manager wireless IPS system is right at the front end; it’s comprised of a central server, and wireless sensors which are used to scan the site for threats, such as ‘man in the middle’ attacks, spoofing, honeypots – about eight different threat categories which enterprises might encounter.

“Many of the techniques we use to defend the network are proprietary – that’s part of our ‘secret sauce’. Suffice it to say, we monitor the traffic, we correlate information received over the wired and wireless network among devices under observation – this is where our central server comes into play, analysing all the information from the wireless sensors.”

Symbol says of its system: “Symbol’s Advanced Services for Wireless Intrusion Protection System (Wireless IPS) helps organisations achieve peak performance and value from their Wi-Fi network infrastructure through the successful design and deployment of Symbol’s Wireless IPS. This system offers exceptional security for wireless networks, with around-the-clock protection from external threats potential wireless network security concerns.”
