CHAPTER 8

Advanced WLAN Security Measures

LARGE ORGANIZATIONS—or smaller organizations with high-risk profiles—differ from small office/home office (SOHO) networks both in the complexity of their networks and the lengths to which they must go to maintain security. In a general sense, the best way to secure a wireless infrastructure is through a layered approach similar in concept to that for smaller organizations, albeit broader in scope and more comprehensive. In this chapter, you will look at more advanced concepts in wireless security. Some of these will be unique to the needs of these networks, while others will be extensions of concepts and techniques basic to any security approach.

Chapter 8 Topics

This chapter covers the following concepts and topics:

  How to establish and enforce a comprehensive security policy

  How to implement authentication and access control

  How to protect data

  How to segment wireless users

  How to manage network and user devices

Chapter 8 Goals

When you complete this chapter, you will be able to:

  Understand the importance of a comprehensive security policy for large-scale networks

  Describe the key components of an enterprise security policy

  Describe the RADIUS authentication process

  Describe the difference between intrusion detection and intrusion prevention

  Understand and describe the benefits and risks associated with discovery protocols

  Describe the method of data protection used in enterprise networks

  Understand why user segmentation is needed and how it is achieved

  Describe the benefits and risks of SSO

Establishing and Enforcing a Comprehensive Security Policy

One of the ways that small and medium enterprise (SME) organizations differ from their SOHO counterparts is that there is always a network administrator and one or more individuals responsible for the design and security of the network. Before he or she implements any security techniques or mechanisms, the administrator’s task is to analyze the network’s security requirements and decide on a security policy.

A security policy for an enterprise will cover every aspect of the organization’s information assets. Wireless access is only one component of a security policy document, but because it is relevant here, it will be examined in an initial high-level overview. The policy breadth and level of detail should be in line with the company’s overall goals, its available resources, and its internal security requirements, as well as any external or regulatory requirements. Several of the more common policy points are described in the following sections.

Centralized Versus Distributed Design and Management

When you’re designing a new wireless network, or when redesigning an existing wireless network due to new technologies or requirements, the first step is to consider whether it’s better to have a centralized or distributed security architecture.

With a distributed architecture, each access point must be configured separately both for performance and security reasons. The access point will also work with other network devices to ensure an end-to-end secure service. For example, the access point may provide encryption, but a centralized Remote Authentication Dial-In User Service (RADIUS) server might be responsible for authentication. A single firewall might ensure secure access control from multiple access points.

A centralized architecture, on the other hand, will use authentication, encryption, and access-control servers to administer and manage security. A centralized solution is characterized by the deployment of thin access points (access points consisting of a radio and antenna connected to a wireless switch) and one or more centralized controllers. For larger networks or campuses, centralized control tends to work better because of the time savings it offers for maintenance. A centralized approach can also greatly simplify design and control.

This simplicity is a key consideration. Complexity tends to breed mistakes in implementation, visibility, and control, and the “bad guys” look for mistakes to exploit. In many cases—especially targeted attacks—cybercriminals use bots, or programs that perform automated tasks, to look for holes in network defenses. Generally speaking, the simplest design that meets the mission objectives is the best choice, all other considerations being equal.

NOTE

Organizations sometimes operate a hybrid model, using thin access points with centralized control in some areas (the main employee campus, for example) and separate, individually controlled access points for guest access or other areas.

Remote Access Policies

Today, Internet Protocol (IP) mobility is a major influence in wireless network design. Users require access to network resources everywhere—even when traveling between locations. IP mobility has transformed the way users connect to the network by employing a much wider range of wireless-enabled devices. The challenge to the network designer and administrator is to ensure that the network security is robust and uniform across the entire network.

The first step in fulfilling that requirement is ensuring that there is a uniform, centralized authentication system throughout the network. Unless a device can be authenticated, access should be limited to guest Wi-Fi access outside the corporate firewall. Any applications that connect, such as e-mail or customer relationship management (CRM) apps, will require sign-on credentials, thus allowing access without compromising network security.

The second step is to consider whether to permit resource-intensive apps such as Voice over IP (VoIP) or Voice over WLAN (VoWLAN). These require unique performance and throughput characteristics and key performance indicators (KPIs) such as packet loss, latency (the delay in a network), jitter (a measure of delay variability), and availability. If these applications are not supported, this should be communicated to users. This will not prevent users from raising support issues, but at least it will give support personnel a policy they can point to. If resource-intensive apps become an issue—for example, creating performance problems for apps that are approved—they can be blocked by using protocol filters.

The third step is to ensure that telecommuters and traveling employees can connect through secure virtual private network (VPN) connections. This is imperative when employees access corporate resources via hotels, shopping mall hotspots, and unsecure wireless networks.

Guest Policies

Larger organizations often need to accommodate guests, whether they be vendors, clients, or suppliers. There is no “right” policy for guest access as long as whichever policy you do implement is clearly stated and understood. In the best case, there is also a stated reason for the policy, particularly if the policy is extreme (offering either full access or no access at all, although these are both rare in practice).

One way to handle guest access to the network is to establish rules for visitor authentication and policy control. The task here is to allow genuine visitors and guests access to the Internet and perhaps some intranet services, but restrict them from the corporate local area network (LAN).

Some organizations may not offer any Wi-Fi access at all. This policy has ebbed and flowed over the years. At first, it was rare for companies to offer guests Wi-Fi access. As wireless access became the norm, however, this began to change to a point where it was rare not to offer guest access via wireless. With the growing popularity of mobile-connected devices, however, it is no longer a great inconvenience not to offer wireless access; many people can check e-mail or connect to the Internet with a smartphone or tablet. Again, it’s not necessarily important what the policy is, just that there be a policy that people understand and (hopefully) that was put in place with some purpose or reasoning behind it.

Quarantining

Quarantining is the process of isolating a device from the network until there is some level of assurance that the device is both authorized to connect and free from malware. Whenever a device attempts to connect to a wireless network, it will be allowed access only if it complies with some defined wireless network policy. This can include basic authentication credentials, configuration checks to ensure patches are installed, and even malware scans. If a device does not meet the connection criteria, it is connected to a restricted IP subnet with access only to certain services—for example, an antivirus update server.

Another form of quarantine is to use a walled garden, which restricts internal access for the suspect device but allows access to instructions and services to remediate the outstanding compliance issues. A walled garden may also allow external access to the Internet. Another option is a captive portal, in which an HTTP session is forced to a landing page prior to gaining access to the Internet. This is a common technique used by hotspots either for payment or for the acknowledgment of a user agreement, but can also be used as a form of authentication or to check credentials.

Compliance Considerations

Regulatory compliance considerations are a complete topic unto themselves. A full treatment of the topic and its implications for wireless access is beyond the scope of this text. That said, it is worthwhile to provide a high-level summary given the far-reaching implications these regulations have on security teams.

Unlike internal policies, data-privacy regulations are externally driven. However well intentioned they are, these requirements are by definition forced upon organizations. In many cases, this isn’t necessarily a bad thing. Often, regulations specify best practices that many companies would have adhered to anyway (although this is not always the case). The issue that many people have with regulatory compliance is not with compliance itself, but rather the proof of compliance that various governing bodies require. This can often place serious demands on resources.

There are also instances where an internal policy or implementation of some security solution or process is often more effective (at least in the organization’s eyes) than a required policy or solution. Unfortunately, it’s rare that a home-grown solution supersedes a regulatory mandate.

All of this is not to say that government and industry security regulations are bad. It is true, however, that these regulations do have an impact with respect to policy and resources. Therefore, they must be accounted for in the overall security strategy and operation.

Employee Training and Education

Any company security policy that does not include employee training should be considered incomplete and inadequate. Employee training on security matters has always been a good idea, but even as recently as 10 years ago the lines between work and not work were much clearer. Back then, typically only a few employees had remote and/or wireless access (executives, knowledge workers, full-time remote workers, and so on). Today’s environment, of course, is quite different. It’s not an unreasonable expectation that nearly every employee will have a wireless-capable device—either their own or one provided by the company.

It’s easy to assume that because wireless connectivity is such a common aspect of people’s lives, education on security matters is perhaps not critical—the “everyone already knows” fallacy. This could not be further from the truth. In fact, one could argue the opposite. Because it is so easy to connect, most people are not mindful of the dangers. This is compounded by the ease with which applications can be added (from many sources) and the availability of easy-to-follow tutorials on customization and user hacks. (In this case, hack refers to a user modification or the shortcutting of some aspect of a device for the user’s benefit.)

All this points to a critical need for organizations to create and support policies regarding user education on security matters. Employees should be briefed on the risks of wireless security and given the training they need to protect both themselves and the organization from cybercriminals. This is a very inexpensive yet highly effective part of a comprehensive wireless security policy.

Implementing Authentication and Access Control

The standard specifying Port-based Network Access Control (NAC) for LANs and wireless LANs (WLANs) is the Institute of Electrical and Electronics Engineers (IEEE) 802.1X standard. 802.1X is a standalone authentication specification (as opposed to an amendment of another specification) and is therefore noted with a capital X, per the IEEE naming standards. This IEEE specification addresses authentication mechanisms for environments that require robust security and access control.

Central to the 802.1X specification is the mechanism for per-user and per-device authentication. The process calls out three entities:

  Supplicant—A client device looking to connect to the network

  Authenticator—A network device such as a switch or access point

  Authentication server—A server supporting an authentication protocol such as Extensible Authentication Protocol (EAP) or RADIUS

In this system, the authenticator acts as a gatekeeper, prohibiting any device access to the network unless and until the device has been properly authenticated. To be authenticated, the client must provide some type of credential. Depending on the authentication protocol, this could be a name and password combination or a digital certificate. These credentials are encapsulated in an EAP over LAN (EAPoL) frame.

The authenticator passes these credentials to the authentication server, which validates (or invalidates) them. The authentication server then notifies the authenticator if access is allowed. If so, the client can connect and communicate with the network. If not, access is blocked. (See Figure 8-1.)

Extensible Authentication Protocol

The Extensible Authentication Protocol (EAP) is a method of encapsulation used to securely transport keying material for encryption over wireless and Point-to-Point Protocol (PPP) networks. EAP is also used over LANs between the authenticator and authentication server and is referred to as EAP over LAN (EAPoL).

FIGURE 8-1

The 802.1X standard specifies how clients (supplicants) pass credentials to an authentication server via an authenticator, which blocks or allows network access based on authentication verification.

EAP itself is a generic authentication mechanism that transports authentication requests, challenges, notifications, and so on across the network. EAP works by creating a secure tunnel using Transport Layer Security (TLS). Credentials are passed through the secure tunnel to the authentication server. EAP does not need to know the method of authentication. Therefore, it can accommodate several credential options, such as username and password, certificates, tokens, biometrics, and more. However, due to its long association with PPP and VPNs, EAP is closely associated with RADIUS. For this reason, many access points have a RADIUS client built in.

Prior to the ratification of the 802.11i standard (Wi-Fi Protected Access 2, or WPA2), Cisco Systems developed the Lightweight Extensible Authentication Protocol (LEAP). LEAP was developed as a stopgap measure and does not protect credentials. Therefore, it is not recommended. It is likely, however, that you will still see access points that support LEAP, given its broad adoption in the industry.

Remote Authentication Dial-In User Service

Remote Authentication Dial-In User Service (RADIUS) is a network protocol that provides authentication, authorization, and accounting (AAA) services for devices or users connecting to a network. When a client attempts to connect to a network, the device (or user) is challenged by a network access server (NAS) device with a request for some type of credential.

The NAS passes the user credentials to the RADIUS server. If the credentials are verified (for example, if the username is found and the password is correct), the RADIUS server returns an access accept response. This response also specifies the user’s access attributes.

An access point with a built-in RADIUS client can communicate directly with both a client device and a RADIUS server. Consequently, the access point doesn’t need to know about users and passwords or certificates. It just needs to form a RADIUS packet from an 802.1X frame received from the Wi-Fi client and pass the authentication request on to the RADIUS server. It is the job of the RADIUS server to handle authentication requests and issue success notifications. The RADIUS server in turn connects to an authentication database (such as Microsoft’s Active Directory). This is the central repository for all the authentication data and can issue the success or fail notifications. In this way, the access point is not part of the authentication process but is merely a conduit passing authentication messages between the supplicant and the authentication server. The authentication process using EAP and RADIUS is shown in Figure 8-2.

FIGURE 8-2

The process shown here outlines the request, challenge, and response process for both EAP and RADIUS.

An authentication request is met with an authentication response, which in turn creates an EAPoL tunnel. Once the tunnel is established, the EAP identity request and response are securely shared and the response is forwarded to the RADIUS server as an access request. This request initiates a secure Transport Layer Security (TLS) tunnel through which the RADIUS challenge and response are transmitted, after which the tunnel is destroyed and the corresponding accept or reject message is sent to the requesting device.
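The exchange described above, as an added example that is not part of the original text: a Python model of what the access point (the NAS) and the RADIUS server each compute when an EAP identity response is relayed. The packet framing and the two integrity checks follow RFC 2865 (Response Authenticator) and RFC 2869 (Message-Authenticator); the shared secrets, the user name, the identifier and the accept/reject decision are constructed stand-ins, and the EAP method itself is replaced by a flag. The point for a defender is in nas_verify_response: the access point should act on a verdict only when the Response Authenticator proves it came from a server holding the shared secret and answers this particular request.

```python
"""RADIUS Access-Request / Access-Accept round trip as the access point (NAS) and the
RADIUS server see it. Constructed example: no network I/O, no real EAP method."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_PORT_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 61, 79, 80
NAS_PORT_TYPE_WIRELESS_80211 = 19
EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE, EAP_TYPE_IDENTITY = 2, 3, 4, 1


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS attributes: Type(1) Length(1) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Parse the attribute list; raise on a length that does not fit the packet."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes..."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def nas_build_access_request(secret, ident, username, eap_payload, request_auth=None):
    """Access point side: wrap the EAP payload taken from the client's EAPoL frame in an
    Access-Request. Message-Authenticator is HMAC-MD5 over the packet with its own value
    zeroed (RFC 2869), keyed with the NAS/server shared secret."""
    request_auth = request_auth if request_auth is not None else os.urandom(16)
    attrs = [
        (USER_NAME, username.encode()),
        (NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)),
        (EAP_MESSAGE, eap_payload),
        (MESSAGE_AUTHENTICATOR, bytes(16)),
    ]
    mac = hmac.new(secret, build_packet(ACCESS_REQUEST, ident, request_auth, attrs), hashlib.md5).digest()
    attrs[-1] = (MESSAGE_AUTHENTICATOR, mac)
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_verify_request(secret, packet):
    """Server side: return the attributes if the Message-Authenticator checks out, else
    None (a request that fails this check is silently discarded)."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return None
    try:
        attrs = decode_attrs(packet[20:])
    except ValueError:
        return None
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return None
    zeroed = [(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    expected = hmac.new(secret, build_packet(code, ident, packet[4:20], zeroed), hashlib.md5).digest()
    return attrs if hmac.compare_digest(expected, macs[0]) else None


def server_build_response(secret, request_packet, accept, eap_reply):
    """Access-Accept or Access-Reject. Response Authenticator =
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret) (RFC 2865)."""
    code = ACCESS_ACCEPT if accept else ACCESS_REJECT
    body = encode_attrs([(EAP_MESSAGE, eap_reply)])
    header = struct.pack("!BBH", code, request_packet[1], 20 + len(body))
    response_auth = hashlib.md5(header + request_packet[4:20] + body + secret).digest()
    return header + response_auth + body


def nas_verify_response(secret, response, request_auth, ident):
    """Access point side: trust the verdict only if the Response Authenticator binds it
    to this request and to a server holding the shared secret."""
    if len(response) < 20 or response[1] != ident:
        return None
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return "accept" if response[0] == ACCESS_ACCEPT else "reject"


def run_exchange(nas_secret, server_secret, username="alice", valid_user=True):
    """One round trip as the AP sees it: 'accept', 'reject', or None if a packet was dropped."""
    identity = username.encode()
    eap_identity_response = struct.pack("!BBHB", EAP_RESPONSE, 1, 5 + len(identity), EAP_TYPE_IDENTITY) + identity
    request, request_auth = nas_build_access_request(nas_secret, 7, username, eap_identity_response)
    if server_verify_request(server_secret, request) is None:
        return None
    # A real server would now run the EAP method (EAP-TLS, PEAP, ...); valid_user stands in for its outcome.
    eap_reply = struct.pack("!BBH", EAP_SUCCESS if valid_user else EAP_FAILURE, 1, 4)
    response = server_build_response(server_secret, request, valid_user, eap_reply)
    return nas_verify_response(nas_secret, response, request_auth, 7)
```

Both checks rest on MD5 keyed with the shared secret, so the secret has to be long, random and unique per NAS, and the NAS-to-server path should itself sit on a protected management segment rather than be reachable from the wireless clients it authenticates.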

Intrusion Detection Systems and Intrusion Prevention Systems

Intrusion detection systems (IDSes) and intrusion protection systems (IPSes) are essential components in today’s wired and wireless networks. Both systems work by using deep packet inspection to look inside packets traversing the network. An IDS is purely a detection system. It will raise a flag if it detects suspicious activity on the wire or over the air. An IPS, on the other hand, actively confronts and blocks any suspicious traffic it detects. Both wired and wireless IPSes use known signatures of existing threats to identify attacks. They also monitor data streams to ascertain that the patterns and communication flows are correctly crafted for certain protocols—for example, HTTP requests.

A wireless IDS or IPS is commonly referred to as a WIPS. There are two types of WIPS:

  Network-based WIPS—A network-based WIPS consists of sensors that are either in line or configured in promiscuous mode so they can sample and analyze all traffic crossing the network. A centralized server and console analyze and present the results.

  Host-based WIPS—A host-based WIPS is an application loaded onto a server or client computer or device that monitors for threats in applications, operating systems, and files, as well as known suspicious behavior.

A WIPS is a crucial element in a wireless environment because it can detect and block suspicious activities coming from an attacker. A WIPS is particularly useful in mitigating man-in-the-middle attacks, rogue access points or evil twins, unauthorized associations, MAC-spoofing, ad hoc networks, denial of service attacks, and protocol misuse.
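Constructed example (added here, not any vendor's detection logic) of the signature-style checks a network-based WIPS sensor performs for the threats listed above: evil twin, ad hoc network, deauthentication flood and a MAC-spoofing heuristic, run over a constructed list of observed frames. The AUTHORIZED map, the thresholds and every address are assumptions.

```python
"""Signature-style WIPS checks over a constructed list of observed 802.11 frames."""
from collections import defaultdict

# Sanctioned infrastructure (constructed): corporate SSID -> BSSIDs allowed to advertise it
AUTHORIZED = {"CorpWiFi": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}}
DEAUTH_FLOOD_THRESHOLD = 20   # deauth frames per BSSID within the window (assumed tuning value)
SEQ_JUMP_BACK = 200           # backwards jump in the 12-bit sequence counter that is not a wrap


def detect(observations, window_s=10.0):
    """observations: dicts with t (seconds), type ('beacon', 'deauth', 'data'), bssid, and
    for beacons ssid/ibss, for data frames sta and seq. Returns (alert, key) pairs."""
    alerts = []

    def alert(name, key):
        if (name, key) not in alerts:
            alerts.append((name, key))

    deauth_times = defaultdict(list)
    seq_by_sta = defaultdict(list)
    for o in sorted(observations, key=lambda x: x["t"]):
        if o["type"] == "beacon":
            # Evil twin: our SSID advertised by a BSSID we do not operate
            if o["ssid"] in AUTHORIZED and o["bssid"] not in AUTHORIZED[o["ssid"]]:
                alert("evil_twin", o["bssid"])
            # Ad hoc (IBSS) network in range of the corporate deployment
            if o.get("ibss"):
                alert("ad_hoc_network", o["bssid"])
        elif o["type"] == "deauth":
            deauth_times[o["bssid"]].append(o["t"])
        elif o["type"] == "data":
            seq_by_sta[o["sta"]].append(o["seq"])

    # Deauthentication flood: sliding window over per-BSSID deauth timestamps
    for bssid, times in deauth_times.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_s:
                start += 1
            if end - start + 1 >= DEAUTH_FLOOD_THRESHOLD:
                alert("deauth_flood", bssid)
                break

    # MAC spoofing heuristic: two radios sharing one MAC produce sequence numbers that run
    # backwards far more than a legitimate 4095 -> 0 wrap would
    for sta, seqs in seq_by_sta.items():
        for prev, cur in zip(seqs, seqs[1:]):
            wrapped = prev > 4095 - SEQ_JUMP_BACK and cur < SEQ_JUMP_BACK
            if prev - cur > SEQ_JUMP_BACK and not wrapped:
                alert("mac_spoofing_suspected", sta)
                break
    return alerts


def sample_observations():
    """Constructed sensor capture, not real traffic."""
    obs = [
        {"t": 0.0, "type": "beacon", "bssid": "00:11:22:aa:bb:01", "ssid": "CorpWiFi"},
        {"t": 0.5, "type": "beacon", "bssid": "de:ad:be:ef:00:01", "ssid": "CorpWiFi"},
        {"t": 0.6, "type": "beacon", "bssid": "02:aa:aa:aa:aa:aa", "ssid": "freefiles", "ibss": True},
    ]
    obs += [{"t": 1.0 + i * 0.1, "type": "deauth", "bssid": "00:11:22:aa:bb:01"} for i in range(25)]
    obs += [{"t": 2.0 + i * 0.1, "type": "data", "sta": "aa:bb:cc:dd:ee:ff", "seq": 3000 + i} for i in range(5)]
    obs.append({"t": 2.6, "type": "data", "sta": "aa:bb:cc:dd:ee:ff", "seq": 7})
    return obs
```

The sequence-number heuristic is deliberately conservative about the counter wrap; in a real deployment the thresholds are tuned against a baseline capture of the site so that roaming and retransmissions do not trip them.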

Protocol Filtering

Most access points support filtering of media access control (MAC) addresses, various Ethernet frames (EtherTypes), and IP protocols. To implement this, an administrator creates and applies the filters to the access point interfaces in both incoming and outgoing directions. MAC filtering is commonly used for access control and to prevent authentication and association by unknown client stations to the access point; however, it is easily overcome by MAC spoofing. IP protocol filtering, by contrast, can be used to prevent the use of certain protocols on the WLAN, which can help mitigate security threats.

There are two types of protocol filtering:

  EtherType protocol filtering—EtherType protocol filtering uses a protocol identifier to identify the protocol that is to be blocked. For example, to block EtherType IPX 802.2, the ISO designator 0x00E0 would be specified. It’s not uncommon to find obsolete EtherType protocols on older networks. Typically transmitted by network-enabled printers or other legacy devices, these protocols should be filtered out at the access point to reduce the potential security footprint.

  IP protocol filtering—An administrator can also apply IP protocol filters, which can be configured on the access point by specifying the well-known port number for the specific protocol. By configuring filters to block specific IP protocols, the administrator can lock down the wireless segment to support only desirable IP protocols. By doing so, the administrator restricts the potential range of vulnerabilities for an attacker to exploit.

The administrator can create and assign granular levels of IP protocol filters by specifying a source IP address, a destination address, or both. Therefore, an administrator may allow Telnet, but only from specific host addresses or to certain destination addresses. Simple Network Management Protocol (SNMP), for instance, can be filtered and permitted only as a source protocol from a network management system (NMS) server, and not from just any wireless client.

Protocol filtering enables low-level granular control of the network protocols allowed or denied on the wireless segment and can be applied directly to the radios or the Ethernet port in both directions. An administrator will typically filter SNMP because, along with the various discovery protocols, it’s a prime tool that attackers use to enumerate and map networks.
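Added example, not from the original text, of the EtherType and IP protocol filtering described above, modelled in Python: a small Ethernet/IPv4 parser and a first-match rule list applied per direction on the access point. The rule set encodes the policy in the text (SNMP permitted only from the NMS, Telnet only to certain destinations, a legacy EtherType dropped, EAPoL always permitted, everything unmatched denied). The addresses and subnets are assumptions, and the legacy protocol is represented by the IPX EtherType 0x8137 (Ethernet II framing) rather than the 802.2 designator the text mentions.

```python
"""Per-direction EtherType and IP protocol filtering on an access point (constructed model)."""
import ipaddress
import struct

ETH_IPV4, ETH_IPX, ETH_EAPOL = 0x0800, 0x8137, 0x888E   # IPv4, IPX over Ethernet II, 802.1X EAPoL
PROTO_TCP, PROTO_UDP = 6, 17


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(src_mac, dst_mac, ethertype, payload=b""):
    """Ethernet II frame: dst(6) src(6) EtherType(2) payload."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def build_ipv4(src_ip, dst_ip, proto, sport, dport):
    """Minimal IPv4 header plus the first four bytes of a TCP/UDP header (the ports).
    The checksum is left zero; the filter never needs it."""
    l4 = struct.pack("!HH", sport, dport) + bytes(4)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return hdr + l4


def parse_frame(frame):
    if len(frame) < 14:
        raise ValueError("runt frame")
    info = {"dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"),
            "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if info["ethertype"] == ETH_IPV4 and len(frame) >= 34:
        ihl = (frame[14] & 0x0F) * 4
        info["proto"] = frame[23]
        info["src_ip"] = str(ipaddress.IPv4Address(frame[26:30]))
        info["dst_ip"] = str(ipaddress.IPv4Address(frame[30:34]))
        l4 = frame[14 + ihl:]
        if info["proto"] in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
            info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    return info


def rule_matches(rule, direction, info):
    """Every key in the rule except action/direction must match the parsed frame;
    src_ip/dst_ip are matched as networks so one rule can cover a management subnet."""
    if rule.get("direction", "any") not in ("any", direction):
        return False
    for key, want in rule.items():
        if key in ("action", "direction"):
            continue
        have = info.get(key)
        if have is None:
            return False
        if key in ("src_ip", "dst_ip"):
            if ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        elif have != want:
            return False
    return True


def filter_frame(rules, direction, frame, default="deny"):
    """First matching rule wins; anything unmatched gets the default policy."""
    info = parse_frame(frame)
    for rule in rules:
        if rule_matches(rule, direction, info):
            return rule["action"]
    return default


# Constructed policy for the AP; directions are radio_to_wired and wired_to_radio.
NMS_SERVER = "10.0.0.5"          # assumed network management system address
TELNET_TARGETS = "10.0.10.0/24"  # assumed subnet of hosts that may still be reached by Telnet
RULES = [
    {"action": "permit", "ethertype": ETH_EAPOL},                               # 802.1X must always pass
    {"action": "deny", "ethertype": ETH_IPX},                                   # legacy EtherType, dropped both ways
    {"action": "permit", "direction": "wired_to_radio", "proto": PROTO_UDP, "dport": 161, "src_ip": NMS_SERVER},
    {"action": "deny", "proto": PROTO_UDP, "dport": 161},                       # SNMP from anyone else
    {"action": "permit", "direction": "radio_to_wired", "proto": PROTO_TCP, "dport": 23, "dst_ip": TELNET_TARGETS},
    {"action": "deny", "proto": PROTO_TCP, "dport": 23},
    {"action": "permit", "ethertype": ETH_IPV4},                                # remaining IPv4 traffic
]
```

Note that the final rule permits all other IPv4 traffic while the default denies anything else (IPv6, for instance); whether that last rule should exist at all is exactly the "support only desirable IP protocols" decision the text describes, and tightening it to an explicit list is the lock-down step.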

Authenticated Dynamic Host Configuration Protocol

The goal of authenticated Dynamic Host Configuration Protocol (DHCP) is to supply only an IP address and a network configuration to previously authenticated clients. One way to achieve this is through a captive portal. In this design scenario, a user joining the network for the first time will attempt to connect with his or her device to the wireless network. Once associated with the access point, the user’s device will broadcast for a DHCP server over the Layer 2 connection. The DHCP server will hear the request but will have no prior knowledge of the MAC address from which the request is coming. Therefore, it will issue the device an IP address for the captive quarantine portal.

The quarantined device is then automatically directed to a captive portal, which will challenge it for a username and password (often authenticated against either a RADIUS or Active Directory server, but there are other options as well). Once authenticated, the MAC address of the user’s device is recorded in the authenticated list of devices/users and is reassigned an authenticated IP address and full network configuration.

Another method commonly used in large organizations is 802.1X port control. With this method, the 802.1X protocol shuts down all traffic coming out of the logical port connecting the user’s device with the wireless network except for EAPoL encapsulation authentication messages. By doing so, the protocol blocks all traffic apart from the device’s authentication messages to the access point and the RADIUS server. When the RADIUS server authenticates the user or device, the 802.1X protocol opens the logical port to allow the unrestricted flow of traffic, such as DHCP broadcasts.
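Both methods above, modelled in Python as an added example that is not part of the original text: a DHCP server that hands unknown MAC addresses a quarantine lease pointing at the captive portal and a production lease only after the portal has vouched for them, and an 802.1X controlled port that drops everything except EAPoL (including DHCP broadcasts) until the RADIUS verdict arrives. Address pools, portal address, the credential check and the frame stand-ins are assumptions.

```python
"""Authenticated DHCP via captive portal, and 802.1X port control (constructed models)."""
import ipaddress

ETH_EAPOL = 0x888E
EAPOL_LOGOFF = 2   # EAPoL packet type (the version byte precedes it)


class CaptivePortalDhcp:
    """An unknown MAC gets a lease from the quarantine pool whose gateway, DNS and HTTP
    redirect all point at the portal; once the portal vouches for the MAC, the next lease
    comes from the production pool with the real gateway and DNS."""

    def __init__(self, quarantine_net, production_net, portal_ip, gateway, dns):
        self.quarantine_pool = ipaddress.ip_network(quarantine_net).hosts()
        self.production_pool = ipaddress.ip_network(production_net).hosts()
        self.portal_ip, self.gateway, self.dns = portal_ip, gateway, dns
        self.authenticated = set()   # MACs the portal has vouched for
        self.leases = {}

    def offer(self, client_mac):
        """DHCPDISCOVER handling keyed on the requesting MAC."""
        if client_mac in self.authenticated:
            lease = {"ip": str(next(self.production_pool)), "gateway": self.gateway,
                     "dns": self.dns, "http_redirect": None}
        else:
            lease = {"ip": str(next(self.quarantine_pool)), "gateway": self.portal_ip,
                     "dns": self.portal_ip, "http_redirect": self.portal_ip}
        self.leases[client_mac] = lease
        return lease

    def portal_login(self, client_mac, username, password, verify_credentials):
        """verify_credentials stands in for the RADIUS/Active Directory lookup (assumed callable)."""
        if not verify_credentials(username, password):
            return None
        self.authenticated.add(client_mac)
        return self.offer(client_mac)   # re-lease with the full network configuration


class ControlledPort:
    """802.1X logical port on the AP: EAPoL always reaches the authenticator; any other
    frame is dropped until the RADIUS verdict authorizes the port."""

    def __init__(self):
        self.authorized = False

    def handle(self, frame):
        ethertype = int.from_bytes(frame[12:14], "big")
        if ethertype == ETH_EAPOL:
            if len(frame) >= 16 and frame[15] == EAPOL_LOGOFF:
                self.authorized = False   # client signed off: close the port again
            return "to_authenticator"
        return "forward" if self.authorized else "drop"

    def radius_verdict(self, verdict):
        """Called by the authenticator when Access-Accept or Access-Reject arrives."""
        self.authorized = verdict == "accept"


def dhcp_discover_frame(client_mac):
    """Constructed stand-in for a DHCPDISCOVER: broadcast Ethernet II frame, EtherType 0x0800."""
    return bytes.fromhex("ffffffffffff") + bytes.fromhex(client_mac.replace(":", "")) + b"\x08\x00" + bytes(20)


def eapol_frame(client_mac, packet_type):
    """EAPoL frame to the PAE group address 01:80:C2:00:00:03 (version 2, given type)."""
    return (bytes.fromhex("0180c2000003") + bytes.fromhex(client_mac.replace(":", ""))
            + b"\x88\x8e" + bytes([2, packet_type, 0, 0]))
```

The two models fail differently, which is the reason large organizations prefer the second: the captive-portal design still gives an unauthenticated device an IP address and Layer 2 presence, so the quarantine subnet must be filtered rigorously, whereas the 802.1X port passes nothing but EAPoL until the server has spoken.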

Data Protection

Data protection is essential to wireless security. It must be implemented correctly to prevent unauthorized access to the system and the replication or theft of valuable data. The IEEE 802.11i standard security amendment (ratified in June of 2004) came about as a result of the inherent weaknesses in the data-protection schemes used up to that time. It stated that for any organization with even minor concerns about network and information security, Wi-Fi Protected Access 2 (WPA2) must be in place. Further, unlike SOHO offices, where Wi-Fi Protected Access 2–preshared key mode (WPA2-PSK) is sufficient, larger organizations (or smaller organizations with higher security profiles) should use WPA2 Enterprise.

For enterprises and large organizations, the 802.11i standard requires 802.1X for Enterprise mode as the authentication mechanism and Advanced Encryption Standard–Counter Mode Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP) as the confidentiality cipher algorithm. CCMP has built-in integrity mechanisms, so it does not require an additional method of integrity assurance. Therefore, 802.11i requires the use of 802.1X for authentication and AES-CCMP for confidentiality and integrity.

WPA2 Personal and Enterprise Modes

For small offices and home users, using WPA2 with preshared keys (WPA2-PSK) is a good solution. The main benefit of using WPA2-PSK is that it is easy to set up and use. In addition, given the relatively small number of users, it’s easy to manage. Even if the passphrase must be changed from time to time, the small number of users keeps this task from being too onerous. Remember, however, that with WPA2-PSK, both the clients and the access point must be updated if a change is needed.

In larger organizations, this fact makes the use of preshared keys unmanageable given the large number of employees and the frequency with which people come and go. If the preshared key had to be changed every time there was a personnel change, it would overwhelm the IT support team. Worse, if the preshared key were not changed, it would create a security vulnerability, as there would be non-employees (some of whom could be disgruntled after being fired) who still had a valid pass key.

To solve this issue, WPA2 Enterprise takes advantage of RADIUS-based authentication. This can be done with 802.1X devices with a Network Policy Server (NPS). With RADIUS, each user is authenticated on an individual basis from a single server, regardless of which device is used to access the network. One of the benefits of this is that when an employee leaves, it’s a simple matter to update that user’s credentials in the RADIUS server. Additionally, RADIUS authentication is achieved through a secure tunnel connection. So after a client has been verified, the session encryption key can be securely passed through the tunnel established in the authentication process.

Internet Protocol Security

Internet Protocol Security (IPSec) is an open-standard suite of protocols designed to secure every packet in an IP stream traversing a network between partnering endpoints. A secure session must be initiated and set up before IPSec can secure the traffic. Therefore, it is predominantly used in point-to-point or client-server configurations.

IPSec consists of several security protocols:

  Authentication Header (AH)—The Authentication Header (AH) provides authentication for data origin and integrity while also providing protection against replay attacks.

  Encapsulation Security Payload (ESP)—The Encapsulation Security Payload (ESP) provides confidentiality as well as authentication of the data’s origin and integrity.

  Security Associations (SA)—Composed of the algorithms that provide the security parameters enabling AH and ESP to operate, Security Associations (SA) provide the framework for secure key exchanges.

IPSec operates in one of two modes:

  Transport mode—In transport mode, only the payload is encrypted and authenticated. If AH is used, the IP addresses must remain fixed or the hash value for the headers will be invalidated.

  Tunnel mode—In tunnel mode, the entire packet, including the headers, is encrypted. Tunnel mode is used most often when configuring fixed-link VPNs between backhaul access point links, between routers over point-to-point links, and between campus buildings.

IPSec is a very secure protocol suite that is easy to implement with a shared secret, and it is built into Internet Protocol version 6 (IPv6), which makes it easier to deploy there. It can be tricky to configure in larger Internet Protocol version 4 (IPv4) networks, however, due to its complexity and range of individual components. IPSec is commonly used in fixed-link VPNs and secure remote access client/server VPNs. IPSec’s complexity increases at an exponential rate, such that n × (n − 2) tunnels must be configured, where n equals the number of sites to be connected. Because many enterprise protocols require any-to-any connectivity (VoIP, for example), using IPSec can represent a trade-off between security and performance.
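The AH caveat in the transport-mode description above (the IP addresses must remain fixed or the header hash is invalidated) worked through in Python, as an added example that is not part of the original text: an AH transport-mode packet whose integrity check value is computed over the IP header with the mutable fields zeroed, as RFC 4302 specifies, then verified after an ordinary router hop and after a NAT device rewrites the source address. The key, SPI, addresses and payload are constructed; HMAC-SHA1-96 is used for the ICV.

```python
"""AH transport mode: why a TTL decrement survives verification but NAT does not."""
import hashlib
import hmac
import ipaddress
import struct

PROTO_AH, PROTO_UDP = 51, 17
ICV_LEN = 12            # HMAC-SHA1-96 truncation used by AH
AH_LEN = 12 + ICV_LEN   # fixed AH fields plus the ICV


def ipv4_header(src, dst, proto, total_len, ttl=64):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def zero_mutable_fields(ip_hdr):
    """AH covers the IP header with the mutable fields zeroed (RFC 4302): TOS, flags and
    fragment offset, TTL, header checksum. Source and destination addresses stay covered."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_header(next_hdr, spi, seq, icv):
    """Next Header(1) Payload Len(1) Reserved(2) SPI(4) Sequence(4) ICV; Payload Len is
    the AH length in 32-bit words minus two."""
    return struct.pack("!BBHII", next_hdr, (12 + len(icv)) // 4 - 2, 0, spi, seq) + icv


def ah_icv(key, ip_hdr, next_hdr, spi, seq, payload):
    covered = zero_mutable_fields(ip_hdr) + ah_header(next_hdr, spi, seq, bytes(ICV_LEN)) + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def ah_transport_packet(key, src, dst, spi, seq, udp_payload):
    """Sender side: original IP header (protocol 51), AH, then the unchanged UDP payload."""
    ip_hdr = ipv4_header(src, dst, PROTO_AH, 20 + AH_LEN + len(udp_payload))
    icv = ah_icv(key, ip_hdr, PROTO_UDP, spi, seq, udp_payload)
    return ip_hdr + ah_header(PROTO_UDP, spi, seq, icv) + udp_payload


def ah_verify(key, packet):
    """Receiver side: recompute the ICV over what actually arrived and compare in constant time."""
    if len(packet) < 20 + AH_LEN or packet[9] != PROTO_AH:
        return False
    ip_hdr, ah, payload = packet[:20], packet[20:20 + AH_LEN], packet[20 + AH_LEN:]
    next_hdr, _, _, spi, seq = struct.unpack("!BBHII", ah[:12])
    return hmac.compare_digest(ah_icv(key, ip_hdr, next_hdr, spi, seq, payload), ah[12:])


def router_forward(packet):
    """An ordinary hop only touches mutable fields: TTL down by one, checksum recomputed."""
    h = bytearray(packet[:20])
    h[8] -= 1
    h[10:12] = b"\x00\x00"   # left zero here; the checksum is excluded from the ICV anyway
    return bytes(h) + packet[20:]


def nat_rewrite_source(packet, new_src):
    """A NAT device rewrites the source address, which AH covers, so the ICV no longer matches."""
    h = bytearray(packet[:20])
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(h) + packet[20:]
```

ESP does not include the outer IP header in its integrity check, which is why ESP (usually with UDP encapsulation) is what actually traverses NAT in practice and why AH transport mode is confined to paths where addresses are guaranteed not to change.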

Virtual Private Networks

Virtual private networks (VPNs) are an essential component of any wireless network, especially for remote client access over unsecured networks. VPNs provide an extension of the corporate private network over the unsecured Internet. A VPN is created by establishing a secure virtual point-to-point link with virtual tunneling protocols and secure private key exchange.

A VPN can be classified by how it connects. Some VPNs allow employees to communicate remotely with the work network when traveling or working on remote client sites (remote access VPN). Others connect satellite offices to the corporate head office network (fixed-point site-to-site VPN). In both cases, VPNs provide security through confidentiality, data integrity, and source authentication.

There are several technologies that can be used to build VPNs, including IPSec, Layer 2 Tunneling Protocol (L2TP), Secure Sockets Layer/Transport Layer Security (SSL/TLS), Secure Shell (SSH), various vendor-specific technologies, and Data Transport Layer Security (DTLS). DTLS is a very important new addition, as it can tunnel over User Datagram Protocol (UDP), which allows applications to send data without having to set up a connection first.

Malware and Application Security

Another important part of a wireless security policy is to address malware and application security. This is not something specific to wireless networks, but rather relates to IP mobility. With IP mobility, users can access the network from anywhere, including unsecure hotspots and networks. As a result, they could potentially return to the enterprise network with all manner of malicious software on their devices. Traditionally, malware and virus control was stringent within the network through strong perimeter controls such as firewalls, proxies, and antivirus servers. Now, however, user mobility defeats the static perimeter protection, so other methods are required to mitigate the malware risk.

To help mitigate the risks borne of mobility, various “health checks” can be built into the process of connecting to the enterprise network. This is especially important when mobile clients connect inside the perimeter after having connected to unknown and untrusted outside networks. Some examples include the following:

  Client integrity control—This is a client device application that checks for compliance with network policy—for example, by checking for valid antivirus software, revision, and scan dates.

  Network-based services—This is a network element that sends traffic through antivirus servers and intrusion detection/protection systems. This component of Network Access Control (NAC) is particularly useful when a client device does not support client integrity control. This could include voice handsets, printers, scanners, and even customer or guest wireless laptops and phones.

  Mobile device management (MDM)—This is the control system that allows a network administrator to manage individual devices. This caters to both individual and corporate devices and the ability to set corporate policy.

  Mobile application management (MAM)—This focuses on applications rather than on the control of the device. MAM is particularly useful with regard to OS and software versions that may be vulnerable, as well as antivirus and application wrapping.

User Segmentation

Not all users are created equal—and not all should have the same level of access. In fact, the best policy on user access is, “when in doubt, deny.” This may seem harsh, but it’s a simple matter to grant access to people who actually need it, and any aggravation they may display will quickly subside once they have access. On the other hand, problems caused intentionally or unintentionally by a person with too much access could have lasting consequences. That’s where segmentation comes in.

Generally speaking, there are two types of segmentation:

  Internal user segmentation—This is most often accomplished via virtual local area networks (VLANs).

  External user segmentation—This is most often achieved with either a wireless connection outside the corporate firewall that allows direct access to the public Internet or a VLAN that provides direct access to the Internet.

Virtual Local Area Networks

A VLAN is one way of isolating visitor traffic and confining it to only external, untrusted areas. A VLAN is a Layer 2 technique whereby the network designer logically segregates traffic, assigning it to a specific VLAN using some identifier. A typical scenario involving the use of VLANs is when there is a mixture of employees in an open-plan office—for example, a single access point serves employees in the sales, finance, and engineering departments along with some visitors. On a wired Ethernet network, this would be a straightforward design. The designer would simply assign each port supporting a sales employee to the sales VLAN, each port supporting an engineering employee to the engineering VLAN, and so on. With wireless, there is no port, but there is another way to identify employees: by assigning them different service set identifiers (SSIDs). By creating an SSID for each department—sales, engineering, and finance—and then pairing that SSID with a VLAN, the designer can segregate the traffic into separate VLANs, which are Layer 2 broadcast domains.

The key to using a VLAN as a security mechanism is utilizing access control lists (ACLs). When a client is assigned to a VLAN, all packets coming from that client are tagged with the VLAN number (called 802.1Q tagging or VLAN tagging). An ACL is a simple lookup list of rules that permits or denies access to particular services or areas of the network. Access to restricted areas can then be controlled via the ACL. From a scalability standpoint, this works very well in large networks because VLAN association spans physical switches.

Using this method, a client authenticates via RADIUS. As part of this authentication process, each client is assigned to a particular VLAN based on the credentials used during authentication. Once assigned to a VLAN, all packets originating from that client are tagged with the VLAN ID. Whenever a client attempts to access an area of the network or use some network service or protocol, the VLAN tag is matched against the ACL for that particular area (usually a port on a switch) or service. If the VLAN is allowed access, the service is granted. If not, it is blocked.
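As an added example (not from the book), here is how the pieces described above fit together in code: the RADIUS Tunnel attributes defined in RFC 3580 are turned into a VLAN ID, frames are 802.1Q-tagged with that ID, and a deny-by-default ACL keyed by VLAN decides whether a resource is reachable. The VLAN numbers, resource names and ACL contents are constructed for illustration.

```python
# Added example: dynamic VLAN assignment (RFC 3580 RADIUS attributes),
# 802.1Q tagging and a VLAN-keyed ACL. VLAN numbers, resources and ACL
# entries below are constructed for illustration, not taken from the book.
import struct

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
TUNNEL_TYPE_VLAN = 13        # RFC 3580: Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE802 = 6    # RFC 3580: Tunnel-Medium-Type = IEEE-802

# Constructed VLAN plan: one VLAN per department plus a guest VLAN.
VLAN_IDS = {"sales": 10, "engineering": 20, "finance": 30, "guest": 99}


def vlan_from_access_accept(attrs):
    """Derive the VLAN ID for a client from RADIUS Access-Accept attributes.

    Returns None when the attributes do not describe a VLAN; the AP or switch
    then keeps the client on its configured default VLAN. The tag byte that
    may prefix the Tunnel-* attributes on the wire is assumed already removed.
    """
    if attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
        return None
    if attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_IEEE802:
        return None
    group = attrs.get("Tunnel-Private-Group-ID")
    if group is None:
        return None
    # The group ID may carry either a numeric VLAN ID or a VLAN name.
    vid = int(group) if group.isdigit() else VLAN_IDS.get(group)
    if vid is None or not 1 <= vid <= 4094:
        return None
    return vid


def tag_frame(dst, src, vid, ethertype, payload, pcp=0):
    """Build an 802.1Q-tagged Ethernet frame: TPID, then PCP(3) DEI(1) VID(12)."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Return (vid, ethertype, payload); vid is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner_type, frame[18:]


# ACL: for each protected resource, the VLAN IDs allowed to reach it.
# "When in doubt, deny": an unlisted resource or VLAN is refused.
ACL = {
    "finance-db": {30},
    "source-repo": {20},
    "crm": {10, 30},
    "internet": {10, 20, 30, 99},
}


def acl_permits(resource, vid):
    """Deny-by-default lookup; untagged traffic is never trusted."""
    if vid is None:
        return False
    return vid in ACL.get(resource, set())


def check_access(frame, resource):
    """Enforce the ACL on a frame the way a switch port or service ACL would."""
    vid, _, _ = parse_frame(frame)
    return acl_permits(resource, vid)
```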

Guest Access and Passwords

In larger organizations there is typically a need (and an expectation) for providing guest access on the wireless network. There are several options available for granting such access. These include the following:

  Open access—With open access, guest access is available to anyone who can receive the wireless signal. Open access is the most common approach. It essentially requires no management or provisioning once set up. With this approach, the guest Wi-Fi offers a direct connection to the Internet. If there is a need for a secure connection, users are responsible for securing their connections via a VPN.

  Common guest password—This is a low-security method that enables all visitors to share a well-known password for user authentication. A common guest password is a good compromise. It allows a secure wireless connection for guests. The password may or may not change on a regular basis. From a management perspective, the key to using a common guest password is to change it often—perhaps even daily—to ensure that it does not become common knowledge. If it does, it’s no better than open access. This approach requires some ongoing management but generally does not create a significant burden on support teams.

  Provisioned guest access—This method requires that each guest be given a unique, time-limited password. This method provides the best security but is the most inconvenient to set up and manage. Because it’s resource-intensive, this approach is rarely used for general guest access in corporate settings where there are a lot of transient guests. It is a good option, however, for “permanent guests” such as on-site contractors or partners or in especially secure environments where all activity must be monitored. Hotels also make good use of this feature, using the guest name and room number, which are easily tracked and tied to the length of stay.

Each of these options has its pros and cons. There is generally no right or wrong way of providing guest access, as long as it meets the needs of the organization and its guests.

Demilitarized Zone Segmentation

Another popular way to secure visitor access is by placing visitors on their own demilitarized zone (DMZ) segment or VLAN. In this context, DMZ describes an area between the Internet and the corporate network. It enables Internet users to access corporate public services such as Web servers and external e-mail and Domain Name System (DNS) servers. By placing these public-facing servers in a designated security area, the designer allows access from the Internet to these exposed Web servers and services. The designer does this by allowing incoming Hypertext Transfer Protocol (HTTP), Hypertext Transfer Protocol Secure (HTTPS), Simple Mail Transfer Protocol (SMTP), and DNS external requests through the external Internet firewall destined for the Web servers, but denying any other incoming traffic. Placing the inner corporate network behind another, more secure firewall interface allows for external communication to public-facing servers but blocks all other incoming traffic, thereby restricting Internet-originated traffic to the DMZ.

Traffic originating on the guest wireless network should pass through a firewall before entering the corporate network via the Ethernet distribution medium. Therefore, a logical place to locate a visitor access point is within the DMZ. Visitors can connect to an access point located on the DMZ subnet. From there, they can easily access the company Web site and gain unrestricted access to the Internet while being blocked from the inner corporate LAN.

Another popular method, depending on the firewall architecture, is to place the visitor Wi-Fi network on its own Wi-Fi DMZ subnet. This is particularly appealing if the DMZ uses public IP addressing or enforces strict outbound traffic rules. By placing the visitor wireless network in the DMZ, the designer can ensure visitors still gain unrestricted access to the company Web site and the Internet beyond.

Managing Network and User Devices

In addition to controlling network access and protecting data, larger organizations must also deal with the management of network (infrastructure) and client (user) devices. Unlike smaller organizations, where the IT staff (or an IT person) may know everyone in the company by name, this is often not the case in larger organizations. Most users are unknown. In addition, the sheer volume of users—plus the fact that many people now have multiple devices that connect—puts extra strain on the IT and security teams. This section focuses on the management of both network and user devices in the context of large or complex organizations.

Simple Network Management Protocol Version 3

Simple Network Management Protocol (SNMP) is an Application Layer protocol that defines a message format for exchanging information between a network management system (NMS) and an agent on a managed host. An access point typically supports SNMP alerts. In addition, if an agent management information base (MIB) is installed and enabled, the access point will be able to send information about network status back to an NMS. These alerts, or traps, contain information such as interface status, authentication errors, lost neighbors, and any other significant network event that the NMS should be alerted to right away. The NMS also interrogates the agent MIB by polling it at regular intervals. The MIB is a hierarchical database for storing all sorts of network information, such as interface throughput, packet loss, latency, and jitter, among other operational data.

SNMP version 3 is the only version of SNMP that supports robust security. Therefore, it must be the only version supported on the network. The security features in SNMP version 3 are as follows:

  Message integrity—SNMP version 3 uses a hash code to ensure that packets have not been tampered with.

  Authentication—SNMP determines that the message is coming from a valid device.

  Encryption—SNMP scrambles the message to hide it from a possible eavesdropper.

SNMP version 3 uses SNMP server groups rather than communities. The administrator must configure each server group to require authentication from its members and to restrict those members to the sources specified in a named access list.

While SNMP version 3 is secure, SNMP version 2 is common on older access points and will still work in a mixed environment. Ideally, all devices should be configured, through firmware upgrades where necessary, to support the more secure SNMP version 3.
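To make the three SNMP version 3 security features concrete, here is an added example (not from the book) of the User-based Security Model keying and integrity check specified in RFC 3414: a password is stretched into a key, localized with the agent's engine ID so it is useless on any other device, and used to produce the 12-byte authentication parameter that lets a receiver detect a tampered or foreign message. The second engine ID and the message bytes are constructed; the "maplesyrup" values are the RFC's published test vector.

```python
# Added example: SNMPv3 USM (RFC 3414) password-to-key, key localization and
# HMAC-96 message authentication. Sample values are constructed except the
# "maplesyrup" test vector, which is published in RFC 3414 Appendix A.3.1.
import hashlib
import hmac

ONE_MEGABYTE = 1_048_576


def password_to_key(password, hashname="md5"):
    """RFC 3414 A.2: hash the password repeated until 1,048,576 bytes are consumed (Ku).

    The deliberate 1 MB of hashing slows brute-force guessing of the password;
    hashname is "md5" (HMAC-MD5-96) or "sha1" (HMAC-SHA-96).
    """
    pw = password.encode()
    if not pw:
        raise ValueError("password must not be empty")
    reps, rem = divmod(ONE_MEGABYTE, len(pw))
    return hashlib.new(hashname, pw * reps + pw[:rem]).digest()


def localize_key(ku, engine_id, hashname="md5"):
    """Kul = H(Ku || snmpEngineID || Ku).

    Localization binds the key to one agent, so a key recovered from one
    device does not authenticate the same user to any other device.
    """
    return hashlib.new(hashname, ku + engine_id + ku).digest()


def auth_params(kul, message, hashname="md5"):
    """msgAuthenticationParameters: the first 12 bytes of HMAC(Kul, message).

    The HMAC is computed over the whole serialized message with the
    authentication field itself filled with 12 zero bytes.
    """
    return hmac.new(kul, message, hashname).digest()[:12]


def verify(kul, message, received_params, hashname="md5"):
    """Message integrity + authentication: recompute and compare in constant time."""
    return hmac.compare_digest(auth_params(kul, message, hashname), received_params)


def demo():
    """Constructed scenario: one user, two agents, one tampered message."""
    ku = password_to_key("maplesyrup")
    engine_a = bytes.fromhex("000000000000000000000002")  # RFC 3414 sample engine ID
    engine_b = bytes.fromhex("800000090300aabbccddeeff")  # constructed engine ID
    kul_a = localize_key(ku, engine_a)
    kul_b = localize_key(ku, engine_b)

    message = b"constructed SNMPv3 message bytes with zeroed auth field"
    params = auth_params(kul_a, message)
    return {
        "ku_hex": ku.hex(),
        "kul_a_hex": kul_a.hex(),
        "keys_differ_per_engine": kul_a != kul_b,
        "genuine_accepted": verify(kul_a, message, params),
        "tampered_rejected": not verify(kul_a, message + b"!", params),
        "wrong_engine_rejected": not verify(kul_b, message, params),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```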

Discovery Protocols

Several discovery protocols are essential for wireless networks to work efficiently, especially in lightweight access point/controller implementations or where VoWLAN is a design consideration. Unfortunately, however, discovery protocols can be problematic with regard to security. This is because the same information that is useful to an administrator or authorized technician is also very useful to an unauthorized intruder.

Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP) are the two main discovery protocols enabled on Layer 2 networks. Both of these protocols provide a means to discover neighboring devices and map a network. The information exchanged between devices can be invaluable to a technician troubleshooting a network. Similarly, it is of great value to an intruder mapping the network and looking for vulnerabilities and paths to servers. In addition, other network and service discovery protocols are considered security risks. Universal Plug and Play (UPnP) is one, as are the IPv6 Neighbor Discovery Protocol (NDP) and the Web Proxy Autodiscovery Protocol (WPAD).

TIP

A good policy for basic security hardening should include disabling or removing all protocols and services that are not needed or in regular use.

IP Services

Modern autonomous access points come enabled with a suite of IP services such as HTTP for accessing an internal Web configuration and administration portal. Other common IP services that are available include the following:

  DHCP server—DHCP enables automatic configuration of an IP address, DNS server address, and default gateway address.

  SSL certificate management service—This provides support for SSL trust certificates used in Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) for authentication.

  Network Time Protocol (NTP)—NTP is used to automatically adjust the time to a reference NTP server clock.

  Quality of service (QoS)—QoS settings provide a technique for prioritizing traffic and assigning a QoS value to each protocol. It is commonly implemented where voice and video applications are present.

  VPN—These IPSec-type VPNs are used to secure remote access or inter-bridge connections in peer-to-peer configurations.

Most of these services are valuable tools for the network administrator, but some can create security issues if not implemented correctly. NTP, DNS, and DHCP are extremely useful tools for both administrators and potential attackers. Both NTP and DNS request or receive updates from external NTP/DNS servers. An attacker can easily spoof the access point’s IP address as the source of numerous NTP/DNS requests. The Internet servers will respond to those requests by sending far larger response packets to the spoofed address, thereby amplifying the attack, which results in a denial of service against the access point.

DHCP is an extremely efficient and convenient tool for dynamically assigning and managing a client’s IP address and default network configuration. However, if enabled on an access point with the basic default setting, it will hand out a valid IP and network configuration to any client that manages to get a Layer 2 association and broadcasts for a DHCP server. The access point’s built-in DHCP server will simply respond with the Layer 3 configuration requested, and the client will have full network connectivity. This is why it is best to consider authenticated DHCP.
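The following added example (not from the book) shows the difference in code between the default behaviour just described and a gated one: a minimal DHCP DISCOVER parser and a lease handler that, in gated mode, offers leases only to stations in a set of authenticated clients (assumed to be populated by the access point's own authentication step, not a static MAC list), while in default mode it answers any associated station. The address pool, gateway and MAC addresses are constructed.

```python
# Added example: a minimal DHCP DISCOVER parser and a lease handler that can
# run in the book's "default" mode (answer any associated station) or in a
# gated mode that answers only authenticated stations. The authenticated set,
# pool and MAC addresses are constructed for illustration.
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MESSAGE_TYPE, OPT_END = 0, 53, 255
DHCPDISCOVER, DHCPOFFER = 1, 2


def parse_dhcp(pkt):
    """Parse the fixed BOOTP header and the options that matter for a DISCOVER."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", pkt[:8])
    if hlen > 16:
        raise ValueError("bad hardware address length")
    chaddr = pkt[28:28 + hlen]
    options, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(pkt):
            raise ValueError("truncated option header")
        length = pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = options.get(OPT_MESSAGE_TYPE, b"\x00")[0]
    return {"op": op, "xid": xid, "mac": chaddr, "type": msg_type, "options": options}


def build_discover(mac, xid):
    """Constructed client DISCOVER: broadcast flag set, no requested options."""
    header = struct.pack("!BBBBIHH", 1, 1, len(mac), 0, xid, 0, 0x8000)
    header += bytes(16)                          # ciaddr, yiaddr, siaddr, giaddr
    header += mac + bytes(16 - len(mac))         # chaddr padded to 16 bytes
    header += bytes(64) + bytes(128)             # sname, file
    return header + DHCP_MAGIC + bytes([OPT_MESSAGE_TYPE, 1, DHCPDISCOVER, OPT_END])


class ApDhcpServer:
    """authenticated=None reproduces the default, ungated behaviour.

    In gated mode the set must reflect stations that completed the access
    point's authentication step; a static MAC list would be trivially spoofed.
    """

    def __init__(self, pool, router, dns, authenticated=None):
        self.free = list(pool)
        self.router, self.dns = router, dns
        self.authenticated = authenticated
        self.leases = {}
        self.denied = []                          # audit trail of refused stations

    def handle(self, pkt):
        """Return an OFFER dict for an acceptable DISCOVER, otherwise None."""
        msg = parse_dhcp(pkt)
        if msg["op"] != 1 or msg["type"] != DHCPDISCOVER:
            return None
        mac = msg["mac"]
        if self.authenticated is not None and mac not in self.authenticated:
            self.denied.append(mac.hex(":"))
            return None
        if mac not in self.leases:
            if not self.free:
                return None
            self.leases[mac] = self.free.pop(0)
        return {"type": DHCPOFFER, "xid": msg["xid"], "yiaddr": self.leases[mac],
                "router": self.router, "dns": self.dns}
```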

Coverage Area and Wi-Fi Roaming

In addition to requiring more robust methods of authentication and encryption, large networks differ from their smaller counterparts in other ways that must be addressed. The most obvious of these is basic architecture. For instance, in large organizations, the network topology is based on the extended service set (ESS) as opposed to a single access point. The ESS may incorporate the aggregation of many basic service areas across some part of or the entire organization. This extended network area may share an SSID or have different SSIDs, and it may or may not support seamless roaming of users throughout the organization. Therefore, a logical starting point for considering advanced wireless security is at the physical design and layout of the network architecture.

Large-scale wireless network design consists of an extended service set (ESS), which is made up of a collection of access points sharing a common distribution medium such as 802.3 Ethernet. The most common design is to have overlapping coverage areas so the network can support seamless roaming. To support roaming, the designer must specify overlapping access point coverage of at least 15 to 25 percent. Therefore, access point coverage area (which is directly related to radio frequency signal strength) is a key consideration.

Not all networks require seamless roaming, however. Indeed, in some security applications, it may be undesirable. In these cases, coverage will be driven by a need to ensure segregation and minimal overlap in coverage. Wireless roaming with this model is termed nomadic roaming, as the user’s connection is lost and then re-established when crossing over the access point boundaries. A common deployment of nomadic roaming is when different security policies are applied to different network areas. Segregated, non-overlapping coverage forces the user to disconnect and then attempt to reconnect using the new security criteria when entering a new area.

A third topology is collocation, in which access points with fully overlapping coverage areas are used to increase capacity. Once again, however, coverage area must be taken into consideration to maximize the advantage.

A newer topology that was introduced into the standards with the 802.11s-2011 amendment defines the mesh basic service set (MBSS). In mesh mode, access points act as bridged trunks that link with other mesh mode access points to backhaul traffic from the network back to a distribution medium portal or gateway, which is typically connected directly to an Ethernet switch. MBSS is a common design in larger networks that have areas inaccessible to wired connectivity. An example could be a campus with several buildings that are linked together via wireless bridge trunks and backhauled to the main building’s Ethernet network.

Whichever wireless topology is deployed, it is essential that access point coverage planning be undertaken diligently and that overlap exist to cater to either seamless or nomadic roaming. Controlling access point coverage area is not just a performance factor; it is also an essential security measure, as it limits the network footprint and the area from which an intruder could potentially gain access. As with SOHO designs, the following steps should be taken to ensure there is sufficient coverage, signal strength, and capacity, and that the radio signal does not leak beyond the organization’s boundaries:

  Power should be turned down.

  Access points should be placed in optimal locations for radio frequency (RF) coverage.

  The correct antenna type should be used.

NOTE

RF leakage is not just a major security risk. It’s also a performance and throughput inhibitor, as it is likely to interfere with neighboring networks, causing mutual signal degradation.

Access point coverage area, roaming, RF power, interference, and leakage should be part of any initial site survey. In addition, any future expansion projects should incorporate a further limited RF survey to ensure the correct design.

Client Security Outside the Perimeter

Securing the user’s wireless device—whether it be a laptop, smartphone, or tablet—is an important step, particularly because today’s network infrastructure has altered radically from legacy networks. Previously, a large network was designed with a hard perimeter to defend against external threats but little in the way of internal defense, allowing for easy access for insiders. The rationale was that the network’s hard exterior protected against real threats from the outside; inside, users posed a much lower risk. This concept is often referred to as an M&M design, in reference to an old ad campaign that claimed M&M candies were “crunchy” (hard) on the outside and “chewy” (soft) in the middle.

Experience has taught security professionals that this approach is problematic, and that both interior and exterior threats should be considered equal. One thing the M&M design did do well, though, was protect static devices such as PCs and servers from virus contaminations. It succeeded in protecting the inner network from contagions by having robust antivirus (AV) and intrusion prevention systems (IPS) that actively monitored traffic entering the network. By using deep packet inspection and recognizing attack signatures, the AV and IPS applications acted as gatekeepers that sterilized and quarantined suspect files and e-mail attachments. All traffic entering or leaving the network’s perimeter gateways went through AV, IDS/IPS, content URL filters, Web proxies, and application and Web firewalls. In this way, the traffic was kept free of viruses, worms, Trojan horses, rootkits, and all manner of nasty malware circulating the Internet. Any contagion that did make it through—typically brought into the network via external hard drive or USB thumb drive—was easily contained and removed by the client host’s AV and IPS.

The M&M perimeter security design worked well for many years because PCs and servers stayed behind the walled defenses and traffic flowed over predetermined links and entry and exit points on the network. Unfortunately, that legacy design is no longer viable. Devices are not hidden behind fortified network walls, but freely traverse the boundaries on a daily basis. In doing so, a device is exposed to threats from the outside world, like a thumb drive picking up all sorts of malware before being brought once more into the corporate network. However, a contaminated thumb drive would be scanned and cleaned as soon as it was plugged into a client network device. In contrast, a contaminated mobile phone, tablet, or other device connects to the network through its own interface. Moreover, if the device is not company owned, it might not comply with corporate security policy and may not have AV software installed, let alone an approved vendor and version.

For this reason, client security in wireless networks is an important aspect of overall network security and defense in depth (although defense in depth was developed and put into practice in many networks before mobility and Wi-Fi were major considerations). There must be a policy for allowing user devices to access the network, but at the same time, these devices must comply with best security practices. Therefore, it is vital that the security policy address these issues and that methods to police compliance be put in place. Typical mechanisms to enforce policy are MDM and MAM, which have become standard practice in today’s modern IP mobile networks. The security measures in place for a company laptop should be no more or less stringent than those for a user’s wireless-enabled portable device, whether that is a laptop, smartphone, tablet, or PDA.

As discussed, client device security is important due to the changing network architecture within a large or risk-averse organization. No longer are wireless networks merely extensions of the wired corporate network or overlays for the convenience of guests. They are now an integral part of the network. Indeed, WLANs and supporting client devices have become ubiquitous within the corporate network. What is more, they are being configured for seamless roaming and IP mobility. The coming together of the once-maligned wireless network and the client’s wireless and mobile devices has produced a disruptive technology that has transformed the design of SME networks.

Device Management and User Logons

In a complex organization, there are bound to be many users, each with different levels of access to different systems and areas of the network, all requiring some set of credentials to be presented prior to access. Multiply this by however many different devices each employee has (which, of course, they will want to be able to connect from), and you run into a big problem. This topic is described generally as identity and access management (IAM).

The answer to this problem is single sign-on (SSO). Using SSO, users can enter their credentials one time to gain access to all network services and locations to which they are authorized to connect, without having to log in to each one individually. What’s more, this SSO function works with all of a user’s devices, including laptops, tablets, and smartphones. This also means the same wireless credentials, such as SSID, username, and password, should be available to users in all locations that they may visit, including their homes. Using SSO allows the security team to control access to sensitive data or systems by challenging users rather than the device alone. In the era of BYOD, this greatly reduces the management burden of tracking an ever-changing array of laptops, tablets, and phones in favor of allowing access based on user credentials.

SSO is often presented as a positive from a security standpoint because theoretically, a person can be removed from all access with one action. This is not always the case, however. If high security standards are maintained (user education and requirements for strong passwords, for example), then SSO can enhance security. However, if poor standards are maintained, then SSO can be a detriment to security because a single compromised device or cracked password yields far greater access. In this context, SSO, like many other tools, will be a reflection of the company’s overall security posture, given that any poorly managed process or tool can be taken advantage of.

When implementing or allowing SSO, security teams should also establish a best practice of verifying that all accounts have been closed for removed users rather than just deleting the SSO capability. Failing to do this could result in orphaned accounts that can still be accessed directly.

In sum, SSO is a good solution from a convenience standpoint, and some view it as a security measure. A better way to view SSO is as a magnifier of internal security capabilities. If internal security is strong, SSO can enhance it. If internal security is shoddy, SSO can actually increase the organization’s risk profile.

NOTE

One positive of using SSO is that it may lessen the chances of users writing down passwords to remember them all. This sometimes occurs when users are required to use many passwords, and can be a big security risk.

Hard Drive Encryption

Encrypting data on client devices adds another layer of security. However, this should be done with caution. One of the most common causes of lost data is users forgetting their password on hardware-encrypted devices. Because encryption is designed to be irreversible without the key, this essentially turns the device into an expensive paperweight.

For data in motion, protocols such as HTTPS and SSL will secure Web-based applications. VPNs work well for protecting non–Web based data in motion. However, should the mobile device be lost or stolen, data that resides on the device will be vulnerable. There are several ways to protect the data in this scenario. One is to have a master access password that the user must enter to gain access to the device. This prevents access to the data without the need for encryption. Another method—usually used in conjunction with the master password—is hard drive encryption. Yet another option is to store all files on a protected server and access them remotely. There are several good commercial options for this, such as Dropbox and Box. Some companies have also created internal versions of these services.

One twist with respect to hardware encryption is a recent scheme in which hackers take control of a device and encrypt its hard drive. The hacker then blackmails the owner of the device, attempting to extort cash in exchange for the encryption key that will unlock the data. An example of this is a scam called CryptoLocker, which has had some success. Although it turned out not to be permanent, it was still distressing for many people. This is all the more reason to ensure that users are trained on security matters. They should know to always connect via a secure method and not to download apps from suspicious Web sites.

Quarantining

An important feature of most device management and access control systems is the ability to quarantine noncompliant devices and limit their access to the network. Quarantining is a form of Network Access Control (NAC) that allows some level of access—typically guest access—if certain parameters are not met, such as antivirus patches. By setting device profiles, an administrator can ensure that each device must match a minimum set of criteria (for example, making sure all patches are up to date) before allowing a device full access to the network. Any device that fails the compliance check will be relegated to a quarantined section of the network.
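The client integrity control described under malware and application security and the quarantining decision described here are the same check seen from two ends, so one added example (not from the book) serves both: a device's self-reported posture is evaluated against a minimum policy and mapped to a placement of full corporate access, quarantine, inspected-only access for devices that cannot run an integrity agent, or guest. The policy values, vendor names, patch levels and dates are constructed for illustration.

```python
# Added example: client integrity / NAC posture evaluation. Policy values,
# vendor names, patch levels and device reports are constructed for
# illustration and are not taken from the book.
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Policy:
    approved_av: tuple = ("AcmeAV", "ShieldCorp")       # constructed vendor names
    max_signature_age_days: int = 3
    max_scan_age_days: int = 7
    # Minimum acceptable patch level per OS (constructed build-number style ints)
    min_patch_level: dict = field(
        default_factory=lambda: {"windows": 19045, "macos": 14004, "android": 34})


@dataclass
class DeviceReport:
    mac: str
    os: str                        # "windows", "macos", ... or "none" for agentless
    patch_level: int = 0
    corporate: bool = False        # corporate-owned or MDM-enrolled
    runs_agent: bool = True        # False for printers, handsets, some guest devices
    av_vendor: Optional[str] = None
    av_signature_date: Optional[date] = None
    last_scan_date: Optional[date] = None


@dataclass
class Placement:
    vlan: str                      # "corporate", "quarantine", "inspected", "guest"
    reasons: list = field(default_factory=list)


def _older_than(when, today, limit_days):
    """True when a date is missing or more than limit_days in the past."""
    return when is None or (today - when).days > limit_days


def evaluate(report, policy, today):
    """Map one device report to a network placement; deny by default."""
    # Guests never reach the corporate VLAN no matter how healthy the device is.
    if not report.corporate:
        return Placement("guest", ["not a corporate or MDM-enrolled device"])
    # Devices that cannot run the integrity agent go to a VLAN whose traffic
    # is forced through the network-based AV/IDS services instead.
    if not report.runs_agent:
        return Placement("inspected", ["agentless device; network-based checks apply"])

    failures = []
    minimum = policy.min_patch_level.get(report.os)
    if minimum is None:
        failures.append(f"unsupported OS {report.os!r}")
    elif report.patch_level < minimum:
        failures.append(f"patch level {report.patch_level} below minimum {minimum}")

    if report.av_vendor not in policy.approved_av:
        failures.append(f"antivirus {report.av_vendor!r} not approved")
    else:
        if _older_than(report.av_signature_date, today, policy.max_signature_age_days):
            failures.append("antivirus signatures missing or too old")
        if _older_than(report.last_scan_date, today, policy.max_scan_age_days):
            failures.append("no recent antivirus scan")

    if failures:
        return Placement("quarantine", failures)
    return Placement("corporate", [])
```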

CHAPTER SUMMARY

While the basic ideas of controlling access, protecting data, and managing devices remain the same across all organizations, larger and more risk-averse organizations require an approach that meets both the heightened need for security and the increased need for scalability and management. This is not only due to the fact that larger organizations by definition have more people, but also that those people tend to have more devices, access more services, and have more interactions. Larger organizations also have higher rates of churn (employees who join and leave the company), which creates the need for processes and policies to ensure that “anonymous” employees are not left to their own devices. (No pun intended.)

All of this drives the need for more advanced approaches to security in general and to wireless security in particular. Controlling access through the use of a RADIUS authentication service is the approach that most enterprises take, and for good reason. In conjunction with EAP, this method of access ensures confidentiality during the authentication process and provides a secure and reliable means to protect data while controlling access to encryption credentials (both the process and the means to secure keys). SSO can also be a great tool to help create a secure environment without putting an undue burden on employees.

As always, device management is a primary consideration—one that is amplified in a large organization simply because there are more opportunities for lost or compromised devices.

KEY CONCEPTS AND TERMS

Access control lists (ACLs)

Authentication Header (AH)

Bots

Captive portal

Encapsulation Security Payload (ESP)

Identity and access management (IAM)

Intrusion detection systems (IDSes)

Jitter

Key performance indicators (KPIs)

Latency

Management information base (MIB)

Network management system (NMS) server

Point-to-Point Protocol (PPP) networks

Port-based Network Access Control (PNAC)

Quarantining

Remote Authentication Dial-In User Service (RADIUS)

Security Associations (SA)

Single sign-on (SSO)

Walled garden

CHAPTER 8 ASSESSMENT

1. For larger networks or campuses, centralized control greatly simplifies design and tends to work better due to the time savings offered with regard to maintenance.

A. True

B. False

2. Which of the following KPIs is unaffected by the use of Voice over IP (VoIP) or Voice over WLAN (VoWLAN)?

A. Packet loss

B. Latency

C. Jitter

D. Security

E. Availability

3. Wi-Fi guest access can include which of the following types of access?

A. Open access

B. Common password

C. Provisioned password

D. No guest access allowed

E. All of the above

4. Extensible Authentication Protocol does which of the following?

A. Protects authentication credentials

B. Can be used over a LAN to securely connect to a RADIUS server

C. Is independent of the authentication method used

D. All of the above

5. Discovery protocols are great for IT personnel, but are also useful to hackers; for this reason they should be limited and carefully controlled.

A. True

B. False

6. The RADIUS server is a central repository for all the authentication data and can issue the success or fail notifications. However, the access point still needs to know the client’s authentication credentials.

A. True

B. False

7. Which of the following versions of SNMP offer protection in the form of encryption?

A. SNMPv2

B. SNMPv3

C. Both SNMPv2 and SNMPv3

D. Neither SNMPv2 nor SNMPv3

8. IPSec is a very secure protocol suite that’s easy to implement with a shared secret.

A. True

B. False

9. Assignment to a VLAN can be determined through the authentication process when joining a network.

A. True

B. False

10. Which of the following are true about SSO? (Choose all that apply.)

A. Users need to remember only one password.

B. It makes a network more secure.

C. It makes a network less secure.

D. It reduces the management burden of IT.

E. It can enhance security on a well-run network or worsen security on a poorly run network.
