5 steps to securing your corporate wireless network in 2009
Written by Anonymous on 11:48 PM
Unlike Ethernet, wireless networks don’t stop at your front door. With open source tools like Kismet and penetration testing CDs like BackTrack, it’s easier than ever to find and compromise Wi-Fi networks. When we designed the Napera N24, wireless security was a frequent area of concern for customers, and it continues to be a key driver for network access control deployments.
In the spirit of holiday list making, here are five guidelines based on our experience in the field to help IT managers tighten wireless security in 2009.
1. Have a wireless security policy before you deploy
I opened a dinner presentation at MIT once with a gag where I asked the audience to start writing their security policy on their napkin. The sad truth is that those folks bearing napkins with one or two bullet points are generally ahead of the curve. Many smaller companies lack written security policies.
A policy need not be long and complex. The important point is that it exists, you gave some thought to it and it is communicated clearly. A good policy evolves over time to support the objectives of the business and mitigate potential risks.
Write a clear policy on the use of wireless and circulate it to your users. At a minimum, identify who and what is permitted on your wireless network. Mandate a standard for strong wireless encryption and authentication, and spell out how guest access is supported.
Once company laptops are equipped with wireless, IT managers should be proactive in advising staff on the proper use of public hotspots, and the security implications of doing company business over wireless networks. Well designed applications have encryption built in, but there are plenty of legacy systems which are vulnerable to snooping. Don’t be a sheep!
2. Secure the infrastructure when you deploy it
Most access points ship with well known default admin credentials and a default SSID, which is a red flag to wireless intruders. Change them before the access point goes on the air! I’m constantly amazed at how many wireless deployments neglect this important step.
3. Avoid WPA-PSK shared passwords if possible
I’ve blogged on the weaknesses of WPA-PSK shared passwords extensively. Any password that is shared between many employees and guests tends to lack complexity (because of the need to share it), and because the WPA-PSK handshake can be captured passively, it can be brute forced offline with off the shelf software. Shared passwords are insufficient to protect commercial wireless networks. If an employee leaves or a laptop goes missing, WPA-PSK passwords should be changed on every device. Even when managed well, there is no easy way to audit who is using a WPA-PSK protected network. Unless you really don’t have anything of value on your network, it’s simply not good enough.
WPA Enterprise is the best solution to this problem, because it authenticates each user individually over 802.1X/EAP against a RADIUS server: a departing employee’s credential can be disabled without rekeying everyone else, and the RADIUS log records who connected and when. Traditionally WPA Enterprise has been painful to deploy because of PKI and RADIUS requirements. With the Napera N24, we made deploying WPA Enterprise easy, because the N24 was designed with a RADIUS server and a valid certificate built in. Even better, you can use your Active Directory to authenticate users, and you can allow guests restricted access via wireless.
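To show why a shared passphrase can be attacked offline, here is an added example (written for this article; it is not Napera’s code and not part of the original post). WPA/WPA2-PSK derives the 256-bit Pairwise Master Key from the passphrase with PBKDF2-HMAC-SHA1 over 4096 iterations, using the SSID as the salt. An attacker who has captured one 4-way handshake can test candidate passphrases at that cost without ever talking to the access point. The SSID, passphrase and wordlist below are constructed; the comparison against a known PMK stands in for the handshake MIC check a real cracking tool performs. The “password”/“IEEE” known-answer value is the test vector from IEEE 802.11i Annex H.

```python
import hashlib
import time
from typing import Iterable, Optional

# WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32

# Known-answer vector from IEEE 802.11i Annex H (passphrase "password", SSID "IEEE").
IEEE_TEST_PMK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key for a WPA-PSK network.

    Every client on the network holds this same key, which is why a leaver or a
    lost laptop forces a rekey of every device.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def dictionary_attack(target_pmk: bytes, ssid: str,
                      wordlist: Iterable[str]) -> Optional[str]:
    """Offline guess: one PBKDF2 run per candidate, no interaction with the AP.

    A real cracking tool compares each candidate against the MIC in a captured
    4-way handshake rather than against a known PMK; the per-guess cost is the same.
    """
    for candidate in wordlist:
        if derive_pmk(candidate, ssid) == target_pmk:
            return candidate
    return None


def pmk_differs_by_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """The SSID is the PBKDF2 salt, so precomputed PMK tables only work for the
    SSIDs they were built for. A default SSID (see step 2) makes such tables
    worthwhile for an attacker."""
    return derive_pmk(passphrase, ssid_a) != derive_pmk(passphrase, ssid_b)


def guesses_per_second(sample: int = 200) -> float:
    """Rough single-core rate of this pure-Python loop, for sizing a wordlist."""
    start = time.perf_counter()
    for i in range(sample):
        derive_pmk("candidate%d" % i, "CorpWiFi")
    return sample / (time.perf_counter() - start)


if __name__ == "__main__":
    assert derive_pmk("password", "IEEE").hex() == IEEE_TEST_PMK

    # Constructed example: an office passphrase and a small constructed wordlist.
    ssid = "CorpWiFi"
    target = derive_pmk("summer2009", ssid)
    wordlist = ["welcome1", "letmein", "Winter2008", "summer2009", "corpwifi"]
    print("recovered:", dictionary_attack(target, ssid, wordlist))
    print("same passphrase, different SSID gives a different PMK:",
          pmk_differs_by_ssid("summer2009", "CorpWiFi", "linksys"))
    print("this toy loop manages about %.0f guesses/s; dedicated crackers do far more"
          % guesses_per_second())
```

The point of the timing function is sizing, not speed: even this loop gets through a short dictionary quickly, and purpose-built tools are orders of magnitude faster, so a passphrase that people can pass around by word of mouth is within reach of a wordlist.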
4. Don’t rely on outdated security features like WEP, MAC access controls or hidden SSIDs
Some features offered by access points are simply security by obscurity. They may be fine for grandma, but they add nothing to corporate IT security.
WEP hasn’t been secure for years. Don’t use it. If you absolutely must use WEP, assume all of your communications will be in the clear and anyone can access your network. You should probably put your WEP access points outside your firewall. Even better, put them on Craigslist and buy new access points that support WPA2.
Restricting wireless devices by MAC address is futile, because it provides only a trivial obstruction and adds a large administrative burden. Any moderately skilled intruder can bypass MAC filtering by monitoring wireless traffic and forging their own. It’s not worth the administrative effort.
Turning off the SSID beacon may make you feel more secure, but it only makes your network invisible to average users (and less useful to everyone, especially guests). The SSID is still sent in the clear in probe and association frames whenever a client connects, and Kismet will reveal the ‘hidden’ SSID.
5. Make sure your laptops are protected and kept up to date
Now that you are deploying Wi-Fi laptops, they will be exposed to wireless networks outside of your office. Make sure those laptops are protected with desktop firewalls, antivirus and the latest operating system patches, and kept up to date. And make sure you check these devices when they return to the office, so they don’t bring anything unpleasant back to home base.
Bonus tip: Use WPA2 with AES encryption, not TKIP.
Per my blog post last month, using WPA with TKIP encryption is looking problematic, and one hack has been published. In my experience, where there is smoke, there is fire, and we will see more TKIP hacks in coming months.
Beat the rush and deploy WPA2 with AES-CCMP encryption, regardless of whether you use WPA-PSK or WPA Enterprise. Most modern clients and access points support WPA2, and you should be able to migrate smoothly. If your access points don’t support WPA2, think about upgrading them in 2009.
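The following is an added example (not part of the original post and not Napera’s software) that turns steps 2 to 4 and the bonus tip into a checklist you can run against a hostapd-style access point configuration: it flags default SSIDs, WEP, MAC filtering, hidden SSIDs, WPA version 1, TKIP and shared passphrases, and checks that WPA-EAP actually has 802.1X and a RADIUS server behind it. The two configurations and the default-SSID list are constructed; the 20-character passphrase threshold is this example’s own assumption, not a standard.

```python
from typing import Dict, List, Tuple

# Constructed list of SSIDs that consumer firmware commonly ships with; extend it.
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink", "wireless", "wlan"}

# Assumption of this example: shared passphrases shorter than this are flagged.
MIN_PASSPHRASE_LEN = 20

Finding = Tuple[str, str]  # (short code, explanation)


def parse_hostapd(text: str) -> Dict[str, str]:
    """Parse hostapd-style key=value lines; a repeated key keeps its last value."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit(conf: Dict[str, str]) -> List[Finding]:
    """Apply the article's rules to a parsed configuration."""
    findings: List[Finding] = []

    # Step 2: default SSID. It is also the PBKDF2 salt for WPA-PSK.
    ssid = conf.get("ssid", "")
    if not ssid or ssid.lower() in DEFAULT_SSIDS:
        findings.append(("ssid", "default or empty SSID; rename the network"))

    # Step 4: WEP, MAC filtering, hidden SSID.
    uses_wep = any(k.startswith("wep_") for k in conf)
    if uses_wep:
        findings.append(("wep", "WEP keys configured; treat this segment as open"))
    if conf.get("macaddr_acl", "0") != "0":
        findings.append(("mac_acl", "MAC filtering is spoofable and is not access control"))
    if conf.get("ignore_broadcast_ssid", "0") != "0":
        findings.append(("hidden_ssid", "hidden SSID still appears in probe/association frames"))

    # Bonus tip: WPA2 (RSN) with CCMP only, no WPA version 1 and no TKIP.
    wpa = conf.get("wpa", "0")
    if wpa == "0" and not uses_wep:
        findings.append(("open", "no WPA configured: open network"))
    elif wpa in ("1", "3"):
        findings.append(("wpa", "WPA version 1 allowed; set wpa=2 for WPA2/RSN only"))
    ciphers = (conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")).split()
    if "TKIP" in ciphers:
        findings.append(("tkip", "TKIP enabled; use CCMP (AES) only"))
    elif wpa != "0" and not ciphers:
        findings.append(("pairwise", "cipher suite not pinned; set rsn_pairwise=CCMP"))

    # Step 3: shared secret versus 802.1X/EAP against a RADIUS server.
    # hostapd falls back to WPA-PSK when wpa_key_mgmt is not set.
    key_mgmt = conf.get("wpa_key_mgmt", "WPA-PSK").split()
    if wpa != "0" and "WPA-PSK" in key_mgmt:
        findings.append(("psk", "shared passphrase; prefer WPA-EAP with per-user credentials"))
    if "WPA-EAP" in key_mgmt:
        if conf.get("ieee8021x") != "1":
            findings.append(("8021x", "WPA-EAP listed but ieee8021x=1 not set"))
        if "auth_server_addr" not in conf and conf.get("eap_server") != "1":
            findings.append(("radius", "WPA-EAP without a RADIUS server (auth_server_addr)"))
    passphrase = conf.get("wpa_passphrase")
    if passphrase is not None and len(passphrase) < MIN_PASSPHRASE_LEN:
        findings.append(("passphrase",
                         "passphrase shorter than %d characters" % MIN_PASSPHRASE_LEN))
    return findings


# Constructed sample configurations: the kind of setup this article warns against,
# and a WPA2-Enterprise setup that passes every check.
WEAK_CONF = """
interface=wlan0
ssid=linksys
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=summer2009
ignore_broadcast_ssid=1
macaddr_acl=1
"""

HARDENED_CONF = """
interface=wlan0
ssid=CorpWiFi
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=replace-with-a-long-random-secret
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit(parse_hostapd(text)) or "no findings")
```

Point it at a real hostapd.conf (or at an export from your controller, once converted to key=value form) to get a quick inventory of which access points still need the WPA2/CCMP and 802.1X migration described above.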
What’s your tip?
Most users love wireless, and the mobility and price points offered by Wi-Fi are tough to beat. There are plenty of security issues to consider and it’s easy to lose sight of the goal amongst all the hype and acronyms. I’m sure I’ve overlooked some great ideas, so feel free to post them below.
Start 2009 on a positive note by making sure you’ve reviewed this list, and I’ll keep blogging on more ways to keep your wireless secure.
From napera