The Right Way to Go Wireless
WIRELESS APPLICATIONS continue to proliferate in the corporate world, but the security of wireless networks lags behind that of wired networks. “It’s the Achilles’ heel,” says Amit Sinha, Ph.D., chief technology officer at wireless security firm AirDefense, based in Alpharetta, Georgia.
Sometimes armed only with a laptop (and possibly an antenna), hackers can use free software to capture wireless traffic and learn the access point (AP) name and its Media Access Control (MAC) address, and to determine whether it is using Wired Equivalent Privacy (WEP) encryption or the stronger, newer Wi-Fi Protected Access (WPA) protocol. If a hacker can find an AP that is unencrypted, software can capture information such as e-mails and passwords. After obtaining information such as a password, hackers can gradually make their way onto an organization’s network, searching for proprietary information.
“[Hackers] typically use a gradual pattern of attack,” says John Pescatore, a vice president at Gartner, Inc. It can sometimes take weeks or months to break in and locate data such as credit card and Social Security numbers, he says.
Up to 90 percent of wireless security incidents will stem from misconfigured APs, according to a recent report by Gartner. Misconfigurations could include a point in a secure network that doesn’t require authentication or that uses outdated encryption. Causes can include human error or bugs in the AP management software.
What can be done? There are two sides to any solution: policy and technology.
Creating good policies and procedures is the first step toward effective security. A good policy involves finding the right balance between risk management, the use of technology, and the business benefits, says Greg Bell, lead IT security partner at KPMG’s IT Advisory Services Practice. It’s also essential to have solid audit and control mechanisms, he says.
Probably the most important element is awareness of a network’s integrity, adds Pescatore. “A company wants to make sure it knows where all its access points are. You don’t want people to be able to plug a wireless network into an Ethernet jack and create their own wireless network.”
An effective way to gain this awareness is through some kind of monitoring solution, he says.
Policies should also address specific issues such as employee protocols and training, guest usage policies, response teams, and certification requirements for IT staff.
To boost security, organizations need to employ multiple solutions. Some devices to consider include those that monitor AP and network traffic, encrypt communications, authenticate users, secure the transmission path, and scan other devices before allowing them to connect wirelessly to the network.
IDS. One increasingly popular monitoring solution is an intrusion detection system (IDS). It provides information on the APs, such as an ID number and MAC address, and it can also detect software misconfigurations. IDSs can see when an additional machine connects to a network as well as monitor for any unauthorized access. They also guard against man-in-the-middle and denial-of-service (DoS) attacks. Additionally, they filter malware, such as viruses and Trojan horses.
IDSs consist of wireless local area network (WLAN) radios, a console to configure settings and view alerts and other data, and software to log events. Increasingly, major WLAN system vendors such as Pleasanton, California-based Trapeze Networks and San Jose-based Cisco Systems, Inc., are equipping APs with two radios, one for service and another to serve as a security monitor. Mainly through business partnerships, these vendors then integrate IDSs into their systems. Cisco, for instance, has partnered with AirDefense; Cisco customers can monitor for intrusions through Cisco’s management console.
Most systems use some form of triangulation, showing a map depicting the location of the event if there is an alarm. Trapeze’s product, for instance, displays a floor plan. “I can pinpoint where the rogue access point’s sitting,” says Coy Thorp, a senior network engineer at the Santa Clara, California-based software development firm Symyx Technologies, Inc. At that point, the system administrator can remove the point from the network or take other action.
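The checks described above (misconfigured APs that require no authentication or use outdated encryption, and rogue radios that are not part of the authorized inventory) can be expressed as a small audit over a list of observed access points. The following script is an added example, not code from the article or from any vendor named in it; the AP records, BSSIDs, SSIDs and the authorized list are constructed for the demonstration, and the severity levels and policy rules are assumptions a site would tune to its own environment. It flags open and WEP networks, unknown BSSIDs, unknown radios advertising a corporate SSID, and cardholder-data SSIDs that are not on WPA2.

```python
"""Audit an observed wireless AP inventory against a simple policy.

Added example, not from the original article. The input records are
constructed to resemble a site survey or WLAN controller export, one
dict per observed BSSID. The policy encodes points made in the text:
APs must require authentication, outdated encryption (WEP) is a
misconfiguration, cardholder-data networks must use WPA2, and any
BSSID not on the authorized list is a rogue candidate.
"""
from dataclasses import dataclass
from collections import Counter

# Constructed sample data: all BSSIDs and SSIDs are made up for this example.
OBSERVED_APS = [
    {"ssid": "CORP-WIFI", "bssid": "00:11:22:aa:bb:01", "security": "WPA2", "auth": "802.1X"},
    {"ssid": "CORP-WIFI", "bssid": "00:11:22:aa:bb:02", "security": "WEP", "auth": "shared"},
    {"ssid": "CORP-WIFI", "bssid": "de:ad:be:ef:00:01", "security": "WPA2", "auth": "PSK"},
    {"ssid": "GUEST", "bssid": "00:11:22:aa:bb:03", "security": "OPEN", "auth": "none"},
    {"ssid": "POS-CARDHOLDER", "bssid": "00:11:22:aa:bb:04", "security": "WPA", "auth": "PSK"},
    {"ssid": "linksys", "bssid": "c0:ff:ee:00:00:01", "security": "OPEN", "auth": "none"},
]

# Assumed policy inputs: what the organization says it owns and runs.
AUTHORIZED_BSSIDS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02",
                     "00:11:22:aa:bb:03", "00:11:22:aa:bb:04"}
CORPORATE_SSIDS = {"CORP-WIFI", "POS-CARDHOLDER"}
CARDHOLDER_SSIDS = {"POS-CARDHOLDER"}   # networks carrying customer financial data


@dataclass
class Finding:
    bssid: str
    ssid: str
    severity: str   # "high", "medium" or "low" (assumed scale)
    issue: str


def audit(observed, authorized=AUTHORIZED_BSSIDS, corporate=CORPORATE_SSIDS,
          cardholder=CARDHOLDER_SSIDS):
    """Return a list of Findings for every policy violation in `observed`."""
    findings = []
    for ap in observed:
        bssid, ssid = ap["bssid"], ap["ssid"]
        sec, auth = ap["security"].upper(), ap["auth"]

        # Rogue detection: a radio we do not own. If it advertises one of our
        # SSIDs it may be impersonating us; otherwise it may be a personal AP
        # plugged into an Ethernet jack, which must be located and verified.
        if bssid not in authorized:
            if ssid in corporate:
                findings.append(Finding(bssid, ssid, "high",
                                        "unauthorized BSSID advertising a corporate SSID"))
            else:
                findings.append(Finding(bssid, ssid, "medium",
                                        "unauthorized BSSID (rogue candidate; check for wired link)"))
            continue  # configuration checks below apply only to our own APs

        # Misconfiguration checks on authorized APs.
        if sec == "OPEN":
            # An open guest network may be intended; an open corporate one is not.
            sev = "high" if ssid in corporate else "low"
            findings.append(Finding(bssid, ssid, sev, "no encryption, no authentication required"))
        elif sec == "WEP":
            findings.append(Finding(bssid, ssid, "high", "WEP in use (outdated encryption)"))
        elif ssid in cardholder and sec != "WPA2":
            findings.append(Finding(bssid, ssid, "high", "cardholder-data SSID not using WPA2"))
        if ssid in corporate and sec in ("WPA", "WPA2") and auth != "802.1X":
            findings.append(Finding(bssid, ssid, "medium",
                                    "corporate SSID using a pre-shared key instead of 802.1X"))
    return findings


def summarize(findings):
    """Count findings by severity, e.g. {'high': 3, 'medium': 2, 'low': 1}."""
    return dict(Counter(f.severity for f in findings))


def rogue_bssids(findings):
    """BSSIDs that are not on the authorized list."""
    return {f.bssid for f in findings if f.issue.startswith("unauthorized")}


if __name__ == "__main__":
    results = audit(OBSERVED_APS)
    for f in sorted(results, key=lambda f: ("high", "medium", "low").index(f.severity)):
        print(f"[{f.severity:6}] {f.bssid} {f.ssid:15} {f.issue}")
    print("summary:", summarize(results))
```

In practice the observed list would come from the IDS sensors or the WLAN controller and the authorized list from the asset inventory; the value of the script is that it turns "know where all your access points are" into a repeatable comparison that can run on every survey, not just the initial deployment.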
One of the best aspects of using an IDS is the capacity for forensics, says Dan Scott, lead systems engineer at Texas’ Round Rock Independent School District. The district uses AirDefense’s flagship IDS, called Enterprise, and has about 70 sensors placed across 46 facilities. The Enterprise system keeps minute-by-minute records of connectivity with the network, and updates and maintains around 300 different statistics for each AP.
“I can see access being picked up from the sensors that could be from someone across the street, and I can see if it’s something I need to be concerned with,” says Scott. “For instance, if the attempted access is continuous, it could be an attempted hacking. It helps alleviate a lot of the false positives.”
The reports can be generated manually or automatically on a regular basis.
Before AirDefense, Scott says, his staff would have to walk near each AP with a laptop and software and sniff it for misconfigurations and other problems. Now, district IT employees simply take turns watching the IDS monitor. He does that in lieu of having the monitoring be the full-time responsibility of any one person.
Encryption. WLAN encryption has improved significantly in the past six or seven years. The original wireless security protocol, Wired Equivalent Privacy (WEP), uses 128-bit keys with an encryption algorithm called RC4. With WEP, each client machine is assigned one key per session.
Combining WEP with the 802.1X authentication protocol improved security by forcing a WEP client to ask for access to the network, using the Extensible Authentication Protocol (EAP). Still, WEP remains vulnerable to hackers, who can read enough wireless packets to recover the WEP key in a few hours. Tools such as AirSnort and WEPCrack, which passively sniff wireless traffic, make this easier.
Wi-Fi Protected Access (WPA), which uses encryption called Temporal Key Integrity Protocol (TKIP), offers companies a major advancement over WEP. It changes the key used by each client several times per session. In a further improvement, WPA2 has replaced RC4 with a stronger algorithm called the Advanced Encryption Standard (AES).
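The contrast drawn above, one fixed key for a whole session versus a key that changes as the session goes on, rests on a basic property of stream ciphers such as RC4: if two packets are encrypted with the same key, the same keystream is applied to both, and XORing the two ciphertexts cancels it and leaves the XOR of the two plaintexts. The script below is an added teaching example, not code from the article; it contains a textbook RC4 implementation and a simplified per-packet key derivation (HMAC-SHA256 over a packet counter, an assumption for the demo) and does not reproduce WEP's or TKIP's real packet format or key mixing. It shows that with a static key a known first packet reveals the second, while with per-packet keys that relationship disappears.

```python
"""Why a fixed per-session key is weaker than a per-packet key.

Added example, not from the original article. RC4 here is the standard
textbook algorithm (the cipher named in the text); the per-packet key
derivation is a simplification assumed for the demo, not TKIP's.
"""
import hashlib
import hmac


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return the first n keystream bytes of RC4 for `key` (KSA then PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                        # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_static_key(session_key: bytes, packets):
    """WEP-style simplification: every packet uses the same key, hence the same keystream."""
    return [xor(p, rc4_keystream(session_key, len(p))) for p in packets]


def per_packet_key(session_key: bytes, counter: int) -> bytes:
    # Assumed derivation for the demo: mix a packet counter into the session key
    # so that no two packets share a keystream.
    return hmac.new(session_key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


def encrypt_rotating_key(session_key: bytes, packets):
    """TKIP-style idea: a fresh key per packet, so keystreams differ."""
    return [xor(p, rc4_keystream(per_packet_key(session_key, n), len(p)))
            for n, p in enumerate(packets)]


def related_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """c1 XOR c2 XOR p1 equals p2 only when c1 and c2 share a keystream."""
    return xor(xor(c1, c2), known_p1)


# Constructed sample packets of equal length.
P1 = b"user=alice;role=staff"
P2 = b"user=bobby;role=admin"
SESSION_KEY = b"constructed-session-key"


def demo(session_key: bytes = SESSION_KEY, p1: bytes = P1, p2: bytes = P2) -> dict:
    """Apply the known-first-packet relation to both encryption schemes."""
    s1, s2 = encrypt_static_key(session_key, [p1, p2])
    r1, r2 = encrypt_rotating_key(session_key, [p1, p2])
    return {
        "static_recovered": related_plaintext(s1, s2, p1),    # equals p2
        "rotating_recovered": related_plaintext(r1, r2, p1),  # unrelated bytes
    }


if __name__ == "__main__":
    out = demo()
    print("static key, second packet revealed :", out["static_recovered"])
    print("rotating key, second packet hidden :", out["rotating_recovered"] == P2)
```

The point for a network owner is not the toy itself but the design lesson the article draws: a scheme that keeps one key for the whole session exposes every packet to relationships like this, which is why key rotation in WPA, and the move to AES in WPA2, matter more than the nominal key length.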
Many companies have legacy WEP networks, while others have devices that do not have sufficient processing capabilities to allow them to implement WPA2’s enhanced computational requirements. To remedy this, a handful of vendors offer WEP Cloaking, which provides an additional layer of security on the WEP key.
Endpoint security. Frequently, organizations use virtual private networks (VPNs), which consist of one communications network tunneled through another one, to access file shares and e-mail.
A growing number of organizations are strengthening their VPN security by using Secure Sockets Layer (SSL) technology, which has traditionally been associated with e-commerce and banking. An employee at a hotspot can enter an address and get a secure browser connection. The technology is interfaced to a VPN appliance at the company’s core data center, and can be centrally managed.
“That’s good if my laptop dies and I need to connect from a public machine,” says Forrester Research Analyst Chris Silva. “It essentially allows a secure private network in an enterprise to extend to any point and allows the IT department to determine which assets reach that endpoint and which don’t.”
Scanning. Increasing numbers of firms are also opting for an emerging generation of network access control (NAC) technologies that can scan devices to ensure that they’re healthy before granting them access. Such solutions look for updated security software, critical patches, and operating system updates; they can also quarantine clients while providing remediation services. Cisco’s Network Admission Control and Microsoft’s Network Access Protection are among the NACs available today.
Next to publicized data breaches, regulations are a big driver of wireless security. While regulations such as the Health Insurance Portability and Accountability Act (HIPAA) discuss making “best efforts” regarding WLAN security, the PCI Data Security Standard gives the most specific wireless security recommendations, says Forrester’s Silva.
One PCI requirement is that networks handling customers’ financial data must be sectioned off from other networks. (This can be accomplished through a VPN, for instance.) PCI also requires use of the WPA2 encryption standard when transmitting such data.
More than 50 percent of retail and wholesale companies have invested in WLAN, says Silva, a number that’s growing. But many of these companies have faced implementation challenges mainly because of the amount of infrastructure that needs upgrading. Infrastructure can include handheld devices that swipe credit cards, data collection terminals, wireless point-of-sale terminals, and managers’ workstations.
Fortunately, even moderate WLAN security investments can reap big benefits. That’s according to a recent report by the Aberdeen Group. It found that organizations with “best-in-class” wireless security lost only about $5,000 on average in data breaches over a recent 12-month period, compared to $600,000 on average for all the others.
Best-in-class firms made up the top 20 percent. The best group spent about $55,000 annually on WLAN security, compared to about $43,000 for all the others.
The study, which examined 280 organizations across a range of industries, determined the best-in-class by how they addressed issues such as rogue access points, network attacks, and security breaches. (The study termed organizations in the middle 50 percent “industry average,” while the bottom 30 percent were called “laggards.”) About 60 percent of participating organizations were in North America and 40 percent from other regions.
While best-in-class firms were labeled as such because of their performance, they had several other characteristics in common. In the area of policy, they were more than 2.6 times more likely than the laggards to have IT staff certification policies. They were 57 percent more likely than all others to have a CSO, and 19 percent more likely than the industry average to have a guest access policy. In terms of hardware, the best were approximately twice as likely as the laggards to employ IDSs. They were also more than 44 percent more likely than all others to use WPA2 encryption.
Aberdeen found that the top performers were able to respond to a rogue access point alert in seven and a half minutes, almost 17 times faster than the others. The best in class also began investigating a security breach in 8.4 minutes on average, 13 times faster than the others. It took them 8.8 minutes to begin investigating a network attack initiated over the WLAN, more than 6.5 times faster.
In the Aberdeen report, there are specific WLAN security recommendations. While they segmented them by class, they really apply across the board.
The recommendations included: have a chief security/technology officer or a compliance officer; ensure that IT staff have appropriate certifications; develop rogue-access-prevention policies, as well as authorized guest access usage policies; monitor the network in real time; and have an incident-response team.
Astonishingly, only 26 percent of even the best-in-class organizations monitor their networks live and only 47 percent have incident-response teams—showing that even the best have a way to go before they can really be said to have top-notch wireless security in place.
Companies must also make sure that security solutions are periodically reassessed and updated, says Greg Murphy, chief operating officer at Airwave Wireless, a wireless management software provider based in San Mateo, California. “Just because you turned security on once a long time ago doesn’t mean you can maintain it.” He points to the transition from WEP to WPA2 as an example. “That’s where risk truly gets introduced, making an early investment and then not keeping up.”
John Wagley is an associate editor at Security Management