Wi-Fi is
inherently susceptible to hacking and eavesdropping, but it can be
secure if you use the right security measures. Unfortunately, the Web is
full of outdated advice and myths. But here are some do's and don'ts of
Wi-Fi security, addressing some of these myths.
1. Don't use WEP
WEP (wired equivalent privacy) security is long dead. Its RC4-based
encryption, keyed with a 24-bit initialization vector, can be broken in
minutes with freely available tools by even the most inexperienced of
attackers. Thus you shouldn't use WEP at all. If you are, immediately
upgrade to WPA2 (Wi-Fi Protected Access 2, the Wi-Fi Alliance's
certification of the IEEE 802.11i standard), preferably with 802.1X
authentication as described in item 3. If you have legacy clients or
access points that don't support WPA2, try firmware upgrades or simply
replace the equipment.
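To make "broken quickly" concrete, here is an added Python illustration (not code from the original article) of the most basic WEP failure, keystream reuse. WEP keys RC4 with the clear-text 24-bit IV prepended to the shared key, so two frames sent under the same IV share a keystream; XOR of the ciphertexts is XOR of the plaintexts, and one frame with guessable content (an ARP request here) decrypts the other with no knowledge of the key. The key, IV and packets are constructed for the demonstration; RC4 and the CRC-32 ICV follow the WEP design, while the 802.11 header and the full key-recovery attacks (FMS, PTW) are left out.

```python
import math
import struct
import zlib

IV_BITS = 24  # the WEP IV is 24 bits, sent in the clear ahead of each frame
LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling, then `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: a plain CRC-32 (linear, so no real integrity either)."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV || RC4 under (IV || shared key) of (plaintext || ICV).
    WEP-40 uses a 5-byte shared key, WEP-104 a 13-byte one."""
    if len(iv) != 3 or len(shared_key) not in (5, 13):
        raise ValueError("WEP uses a 3-byte IV and a 5- or 13-byte shared key")
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + shared_key, len(body)))


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    """Legitimate receiver: rebuild the per-frame key from the clear IV, check the ICV."""
    iv, ciphertext = frame[:3], frame[3:]
    body = xor(ciphertext, rc4_keystream(iv + shared_key, len(ciphertext)))
    plaintext, tag = body[:-4], body[-4:]
    if tag != icv(plaintext):
        raise ValueError("ICV mismatch")
    return plaintext


def keystream_from_known_plaintext(frame: bytes, known_plaintext: bytes):
    """Attacker side: one frame with guessable content (ARP, DHCP) gives
    ciphertext XOR plaintext = the RC4 keystream for that IV. No key needed."""
    iv = frame[:3]
    return iv, xor(frame[3:], known_plaintext + icv(known_plaintext))


def decrypt_with_reused_keystream(frame: bytes, iv: bytes, keystream: bytes) -> bytes:
    """Apply a recovered keystream to any other frame sent under the same IV.
    Only the bytes the keystream covers are recovered; the 4-byte ICV is dropped."""
    if frame[:3] != iv:
        raise ValueError("different IV: this keystream does not apply")
    ciphertext = frame[3:]
    return xor(ciphertext, keystream)[: len(ciphertext) - 4]


def iv_collision_frames(p: float = 0.5) -> int:
    """Birthday bound: frames with random IVs before some IV repeats with probability p."""
    return math.ceil(math.sqrt(2 * (1 << IV_BITS) * math.log(1 / (1 - p))))


def demo() -> bytes:
    """Constructed scenario: the attacker recovers a frame's contents without the key."""
    shared_key = b"\x01\x02\x03\x04\x05"  # WEP-40 key, constructed; never learned by the attacker
    iv = b"\x3a\x3b\x3c"                  # an IV the AP happens to reuse
    # Frame 1: predictable plaintext, LLC/SNAP header plus an ARP request (constructed addresses).
    known = LLC_SNAP + b"\x08\x06" + struct.pack(
        "!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
        bytes.fromhex("020000000001"), bytes([192, 168, 1, 10]),
        b"\x00" * 6, bytes([192, 168, 1, 1]))
    # Frame 2: same IV, plaintext the attacker wants.
    secret = LLC_SNAP + b"\x08\x00" + b"user=alice&pw=hunter2"
    frame_known = wep_encrypt(shared_key, iv, known)
    frame_secret = wep_encrypt(shared_key, iv, secret)
    iv_seen, keystream = keystream_from_known_plaintext(frame_known, known)
    return decrypt_with_reused_keystream(frame_secret, iv_seen, keystream)
```

With random IVs the birthday bound makes a repeat likely after roughly 4,800 frames (`iv_collision_frames()`), and many WEP implementations reset the IV to zero on power-up, so collisions come much sooner in practice.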
2. Don't use WPA/WPA2-PSK
The pre-shared key (PSK) mode of WPA and WPA2 security isn't appropriate
for business or enterprise environments. When using this mode, the same
pre-shared key must be entered into each client. Thus the PSK would need
to be changed each time an employee leaves and whenever a client is lost
or stolen, which is impractical for most environments. A shared key also
means that anyone who holds it and captures another client's four-way
handshake with the AP can decrypt that client's traffic, and a weak
passphrase can be recovered offline by dictionary attack from a single
captured handshake.
3. Do implement 802.11i
The EAP (extensible authentication protocol) mode of WPA and WPA2
security, usually sold as WPA/WPA2-Enterprise, uses 802.1X authentication
instead of PSKs, providing the ability to offer each user or client their
own login credentials: username and password and/or a digital
certificate.
The actual encryption keys are derived per session, regularly changed and
exchanged silently in the background. Thus to change or revoke user
access all you have to do is modify the login credentials on a central
server, rather than having to change the PSK on each client. Because
every client gets its own session key, users cannot eavesdrop on each
other's traffic, which on an open hotspot is now trivial with
session-hijacking tools like the Firefox add-on Firesheep and the Android
app DroidSheep.
To enable the 802.1X authentication, you need to have a RADIUS/AAA
server. If you're running Windows Server 2008 and later, consider using
the Network Policy Server (NPS), or the Internet Authentication Service
(IAS) of earlier server versions. If you aren't running a Windows
Server, consider the open source FreeRADIUS server.
4. Do secure 802.1X client settings
The EAP mode of WPA/WPA2 is still vulnerable to man-in-the-middle
attacks: a rogue AP advertising your SSID and backed by the attacker's
own RADIUS server can collect credentials from clients that never check
whom they are authenticating to. You can help prevent these attacks by
securing the EAP settings of the client. For instance, in the PEAP
settings of Windows you can enable server certificate validation, select
the CA certificate that issued the RADIUS server's certificate, specify
the server name(s) the client may authenticate to, and disable the prompt
that lets users trust new servers or CA certificates.
You can also push these 802.1X settings to domain-joined clients via
Group Policy or use a third-party solution, such as Avenda's Quick1X.
5. Do use a wireless intrusion prevention system
There's more to Wi-Fi security than combating those directly trying to
gain access to the network. For instance, hackers could set up rogue
access points or perform denial of service attacks. To help detect and
combat these, you should implement a wireless intrusion prevention
system (WIPS). The design and approaches of WIPSs vary among vendors,
but generally they monitor the airwaves looking for, alerting you to,
and possibly stopping rogue APs or malicious activity.
There are many commercial vendors offering WIPS solutions, such as
AirMagnet and AirTight Networks. On the open source side, note that Snort
is a wired network IDS and only sees traffic once it has reached the LAN;
for watching the 802.11 frames themselves, Kismet is the usual open
source choice, with alerts for spoofed APs and deauthentication floods.
6. Do deploy NAP or NAC
In addition to 802.11i and a WIPS, you should consider deploying a
Network Access Protection (NAP) or network access control (NAC)
solution. These can provide additional control over network access,
based on client identity and compliance with defined policies. They can
also include functionality to isolate problematic clients and
remediation to get clients back within compliance.
Some NAC solutions may also include network intrusion prevention and
detection functionality, but you'd want to make sure it also
specifically provides wireless protection.
If you're running Windows Server 2008 or later and Windows Vista or
later for the clients, you can use Microsoft's NAP functionality. Note
that Microsoft deprecated NAP in Windows Server 2012 R2 and removed it in
Windows Server 2016, so new deployments should look at a NAC product
instead. Otherwise, you may consider third-party solutions, such as the
open source PacketFence.
7. Don't trust hidden SSIDs
One myth of wireless security is that disabling the SSID broadcasting of
APs will hide your network, or at least the SSID, making it harder for
hackers. However, this only blanks the SSID element in the AP beacons;
the beacons themselves, with the BSSID and channel, keep going out. The
name is still sent in the clear in every probe response and in every
802.11 association request, and in the probe requests of clients
configured for the network. Thus an eavesdropper can discover a "hidden"
SSID fairly quickly, especially on a busy network, with an ordinary
wireless analyzer.
Some might argue disabling SSID broadcasting still provides another
layer of security, but also remember it can have a negative impact on
the network configuration and performance. You'd have to manually input
the SSID into clients, further complicating client configuration.
Clients configured for a hidden network must also probe for it by name,
which increases probe request and response traffic, decreasing available
bandwidth, and leaks the SSID wherever those clients go.
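As an added example (not part of the original article), the following Python parses raw 802.11 management frames and shows how a "hidden" SSID is recovered by correlating a blank-SSID beacon with the probe response and association request that carry the real name. The capture is constructed inline from minimal frames (no FCS, zeroed fixed fields, made-up MAC addresses); on a real network you would feed it frames from a monitor-mode interface or a pcap instead.

```python
import struct
from typing import Dict, List, Optional, Set, Tuple

# Management-frame subtypes (802.11 type 0) that carry an SSID element
ASSOC_REQ, PROBE_REQ, PROBE_RESP, BEACON = 0x0, 0x4, 0x5, 0x8
BROADCAST = b"\xff" * 6
SSID_ELEMENT = 0

# 24-byte management header: frame control, duration, addr1, addr2, addr3, sequence control
MGMT_HDR = struct.Struct("<HH6s6s6sH")
# Fixed fields between the header and the tagged elements, per subtype
FIXED_LEN = {BEACON: 12, PROBE_RESP: 12, ASSOC_REQ: 4, PROBE_REQ: 0}


def mac(addr: bytes) -> str:
    return ":".join(f"{b:02x}" for b in addr)


def parse_elements(body: bytes) -> List[Tuple[int, bytes]]:
    """Split the tagged-parameter area into (element id, value) pairs; stop at a truncated element."""
    elements, pos = [], 0
    while pos + 2 <= len(body):
        eid, length = body[pos], body[pos + 1]
        value = body[pos + 2 : pos + 2 + length]
        if len(value) < length:
            break
        elements.append((eid, value))
        pos += 2 + length
    return elements


def ssid_from_frame(frame: bytes) -> Optional[Tuple[int, bytes, Optional[str]]]:
    """Return (subtype, BSSID, SSID) for a management frame carrying an SSID element.

    SSID is None when the element is empty or all NUL bytes, i.e. the beacon of a
    "hidden" network. Data/control frames and other subtypes return None.
    """
    if len(frame) < MGMT_HDR.size:
        return None
    fc, _dur, _addr1, _addr2, addr3, _seq = MGMT_HDR.unpack_from(frame)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in FIXED_LEN:
        return None
    body = frame[MGMT_HDR.size + FIXED_LEN[subtype]:]
    for eid, value in parse_elements(body):
        if eid == SSID_ELEMENT:
            if not value.strip(b"\x00"):
                return subtype, addr3, None
            return subtype, addr3, value.decode("utf-8", errors="replace")
    return None


class HiddenSsidTracker:
    """Correlate frames per BSSID: blank beacons against names leaked in other frames."""

    def __init__(self) -> None:
        self.hidden: Set[bytes] = set()    # BSSIDs whose beacons carry a blank SSID
        self.names: Dict[bytes, str] = {}  # BSSID -> SSID seen in a probe response / association request
        self.probed: Set[str] = set()      # SSIDs clients ask for in probe requests

    def feed(self, frame: bytes) -> None:
        parsed = ssid_from_frame(frame)
        if parsed is None:
            return
        subtype, bssid, ssid = parsed
        if subtype == BEACON:
            if ssid is None:
                self.hidden.add(bssid)
            else:
                self.names.setdefault(bssid, ssid)
        elif subtype in (PROBE_RESP, ASSOC_REQ) and ssid is not None:
            self.names[bssid] = ssid  # addr3 is the BSSID in both, tying the name to the AP
        elif subtype == PROBE_REQ and ssid is not None:
            self.probed.add(ssid)     # usually sent to the broadcast BSSID: reveals the name, not the AP

    def revealed(self) -> Dict[str, str]:
        """Hidden BSSIDs whose real SSID has leaked, keyed by MAC string."""
        return {mac(b): self.names[b] for b in self.hidden if b in self.names}


def build_mgmt_frame(subtype: int, da: bytes, sa: bytes, bssid: bytes, ssid: bytes) -> bytes:
    """Minimal management frame for the constructed sample capture (no FCS)."""
    fc = subtype << 4  # protocol version 0, type 0 (management), subtype in the high nibble
    header = MGMT_HDR.pack(fc, 0, da, sa, bssid, 0)
    ssid_ie = bytes([SSID_ELEMENT, len(ssid)]) + ssid
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # supported rates, as a second element
    return header + b"\x00" * FIXED_LEN[subtype] + ssid_ie + rates_ie


def demo() -> Dict[str, str]:
    """Constructed capture: a hidden AP, a normal AP, and a client joining the hidden one."""
    ap_hidden = bytes.fromhex("0200aa000001")
    ap_open = bytes.fromhex("0200aa000002")
    client = bytes.fromhex("0200cc000001")
    capture = [
        build_mgmt_frame(BEACON, BROADCAST, ap_hidden, ap_hidden, b""),             # SSID blanked
        build_mgmt_frame(BEACON, BROADCAST, ap_open, ap_open, b"GuestNet"),
        build_mgmt_frame(PROBE_REQ, BROADCAST, client, BROADCAST, b"CorpSecure"),   # client asks by name
        build_mgmt_frame(PROBE_RESP, client, ap_hidden, ap_hidden, b"CorpSecure"),  # AP answers with it
        build_mgmt_frame(ASSOC_REQ, ap_hidden, client, ap_hidden, b"CorpSecure"),   # client repeats it
    ]
    tracker = HiddenSsidTracker()
    for frame in capture:
        tracker.feed(frame)
    return tracker.revealed()
```

The tracker treats an all-NUL SSID the same as an empty one, since some vendors pad the element instead of blanking it; probe requests are kept separately because a client normally sends them to the broadcast BSSID, so they reveal the name being looked for but not which AP owns it.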
8. Don't trust MAC address filtering
Another myth of wireless security is that enabling MAC address filtering
adds another layer of security, controlling which clients can connect
to the network. This has some truth, but remember that 802.11 frame
headers are never encrypted, so it's very easy for eavesdroppers to
monitor the network for authorized MAC addresses and then change their
own computer's MAC address to match one.
Thus you shouldn't implement MAC filtering thinking it will do much for
security, but maybe as a way to loosely control which computers and
devices end users bring onto the network. Also consider the management
nightmare you might face keeping the MAC list up to date.
9. Do limit SSIDs users can connect to
Many network administrators overlook one simple but potentially
dangerous security risk: users knowingly or unknowingly connecting to a
neighboring or unauthorized wireless network (an open neighbor's AP, or
an evil twin of your own), exposing their computer to possible
intrusion. Filtering the SSIDs a client will use is one way to help
prevent this. In Windows Vista and later, for example, the netsh wlan
add filter command maintains allow and block lists that limit which
SSIDs users can see and connect to. For desktops, you could add a
deny-all rule for infrastructure networks plus an allow entry for your
own SSID. For laptops, you could just block the SSIDs of neighboring
networks, enabling them to still connect to hotspots and their home
network; netsh wlan show filters displays the resulting lists.
10. Do physically secure network components
Remember, computer security isn't just about the latest technology and
encryption. Physically securing your network components can be just as
important. Make sure APs are placed out of reach, such as above a false
ceiling, or even consider mounting APs in a secure location and running
an antenna to an optimum spot. If not secured, someone could easily come
by and reset an AP to factory defaults, which typically means open access
with the vendor's default admin credentials.
12. Don't forget about protecting mobile clients
Your Wi-Fi security concerns shouldn’t stop at your network. Users with
smartphones, laptops, and tablets may be protected onsite, but what
about when they connect to Wi-Fi hotspots or to their wireless router at
home? You should try to ensure their other Wi-Fi connections are secure
as well, to prevent intrusions and eavesdropping.
Unfortunately, it isn’t easy to ensure outside Wi-Fi connections are
secure. It takes a combination of providing and recommending solutions
and educating users on the Wi-Fi security risks and prevention measures.
First, all laptops and netbooks should have a personal firewall. Next,
you need to make sure the user’s Internet traffic is encrypted from
local eavesdroppers while on other networks by providing VPN access to
your network. If you don't want to use in-house VPN for this, consider
outsourced services such as Hotspot Shield or Witopia. For iOS (iPhone,
iPad, and iPod Touch) and Android devices, you can use their native VPN
client. However, for BlackBerry and Windows Phone 7 devices, you must
have a messaging server set up and configured with the device in order
to use their VPN client.
Source: NetworkWorld.com