Learn about essential wireless LAN security policies, password guidelines, user training, and infrastructure management. Understand the importance of asset management, change programs, and security checklists. Ensure consistent implementation for a secure wireless environment.
NETW 05A: APPLIED WIRELESS SECURITY Functional Policy: Guidelines & Baselines By Mohammad Shanehsaz
Objectives • Explain the purpose and goals of the following wireless LAN security policies: • Password policy • User training • Ongoing review (auditing) • Acceptable use & abuse policy • Consistent implementation procedure • Centralized implementation and management guidelines and procedures
Objectives • Explain necessary items to include in the creation and maintenance of a wireless LAN security checklist • Describe and recognize the importance of asset management and inventory procedures for wireless LANs • Explain the importance of including wireless LANs in existing change management programs
Functional policy • Policy Essentials • General Guidelines • Baseline practices
Policy Essentials • Every security policy should cover the following topics: • Password policies • Networking staff and end user training requirements • Acceptable use • Consistent implementation / staging procedures • Readily available implementation and management procedures • Regular audits and penetration tests by independent professionals
Password policies • Passwords are the most widely used method of authentication and authorization; however, there are a number of ways to compromise them, such as: • Eavesdropping • Dictionary attack against a network authentication server • Borrowing a user password • Easy to guess password • Getting it from users who leave them out in the open (the sticky note approach)
Practicing good password procedures • Use a password that is mixed case, has punctuation, and uses alphabetic and numeric characters • Use something that can be remembered without being written down • Force periodic password changes • Lock out accounts after 5 unsuccessful login attempts • Make sure all passwords are at least 8 characters in length • Do not allow passwords to be reused
Networking staff and end user training • Network staff responsible for wireless LAN security need to understand many subject areas including intrusion techniques, wireless security policy, and solutions, in addition to having a solid grasp on basic wireless LAN functionality and technology. • End users must have adequate training in order to properly implement security controls on their computers, and must understand that it only takes one person not following policy to create a large security hole that can be exploited by an attacker
Acceptable use • Wireless LANs are a half-duplex medium; therefore bandwidth-intensive applications such as FTP, peer-to-peer file sharing, and streaming video should only be performed over the wired LAN, otherwise they may cause a DoS on APs with many stations • To prevent this, there should be a section in the policy regarding acceptable use of the wireless LAN that defines what scenarios constitute proper use as well as abuse
Consistent implementation / staging procedures • It is common for a network administrator to place a wireless LAN infrastructure device onto the network without having first staged and configured the device to meet the organization’s security policy, which is in effect like placing a rogue AP on the network • To battle this problem, guidelines on how and when to stage and install devices should be part of the functional policy
Readily available implementation and management procedures • It is important that network administrators have the information provided by the company security policy readily available so that they can verify procedural steps while performing their daily tasks
Regular audits and penetration tests by independent professionals • In order to find security holes, internal and external audits are a necessary part of wireless network security • Internal audits will usually find most policy violations, but finding holes in the security solution will usually require employing an independent wireless security professional • It should be done unannounced
General Guidelines • Wireless network segments should always be treated as unsecured means of data transit • Follow these rules when passing data wirelessly: • Encrypt email • Use HTTPS for web logins where possible • Use SSH2 instead of telnet where possible • Use secure FTP (SSH2 or SSL) for file transfers • Verify the latest operating system updates or service packs are installed
Security checklist • It is advisable to make security checklists for use by network administrators that include the following items: • Access point and bridge configuration settings • Client-side software installation and settings • Physical security when mounting access points and bridges • End user security solution training
Available Network Resources • Since wireless LANs present a security risk, that added risk may be significantly reduced by eliminating the availability of certain services to the wireless segment
Asset Management • Since enterprise-class wireless LAN hardware can be quite expensive and since much of it is very small and lightweight, this equipment can be easily stolen if not secured • For this reason it is necessary to record all the wireless hardware for periodic inventory, and employees should be required to sign for the hardware they receive
Periodic Inventory • It is a good practice to periodically check infrastructure devices to make sure they are both present and are the correct unit • In large organizations, this type of inventory might be impossible, so other solutions might have to be implemented
Change Management • Wireless LANs should be a part of the existing corporate change management procedures • There are two things to consider: • First, the security policy itself should be periodically evaluated for relevance and modified when necessary • Second, once a secure wireless LAN is in place, any changes to it should be documented and approved by corporate authorities
Spot-checks & Accountability • Some of the most effective methods for ensuring properly implemented wireless LAN security may include: • Thoroughly training end-users • Spot checking for internal policy adherence • Tying adherence and enforcement of policy to departmental compensation
Baseline practices • SSIDs • MAC filters • Static WEP • Default Configuration settings • Firmware Upgrades • Rogue Equipment • Outdoor Bridge Security • RF Cell Sizing • SNMP Community Strings
Baseline practices (continued) • Discovery protocols • Remote Configuration • Client Security • IP Services • Switches vs. Hubs • Staging and Testing • Equipment Installation
SSIDs • The default SSID should be changed on all access points to something cryptic, not something that could be used to determine the company to whom the AP belongs • By default an AP broadcasts its SSID; not broadcasting SSIDs in beacons (“closing the system”) prevents intruders from passively locating the network
MAC Filters • MAC address filtering is another method by which the IEEE 802.11 task group attempted to secure wireless networks; traffic is allowed or denied based on MAC address • It is both simple and common for a hacker to spoof the MAC address of another NIC
Using Static WEP • Static WEP may be appropriate for a SOHO environment, but not for an enterprise WLAN • When implemented, the largest key size available that is supported by the hardware should be used • When static WEP is used, strong keys should be created that are unrelated to the following: • Organization’s name, address, or phone number • Wireless LAN’s SSID • Access points’ or bridges’ model number(s) or manufacturer’s name • Manufacturer default WEP keys
Default Configuration settings • The default configuration settings on all APs should be changed, since an infrastructure reconfiguration attack can occur if an attacker obtains management access • To prevent this attack, the default username and password should be changed on all infrastructure devices
Firmware Upgrades • Firmware upgrades can provide new security functionality as well as bug fixes or security patches • Firmware should be upgraded for the following devices: • Access points • Wireless Bridges • Client devices • Client or Workgroup Bridges • Enterprise Wireless Gateways • Enterprise Encryption Gateways
Firmware Upgrades • It is a good practice to test end-to-end functionality in a lab environment prior to rolling it out enterprise wide • Firmware upgrades are suggested in order to gain the following features: • TKIP (or similar key rotation protocol) support • Kerberos support • 802.1X/EAP (-TLS, -TTLS, -LEAP, -PEAP) support • WPA compliance • Advanced Encryption Standard (AES) support • VPN support • Rogue access point detection • RADIUS or LDAP support • Role-based access control
Rogue Equipment • Anytime rogue equipment is present in a network, the incident should be considered a serious breach of network security • Eliminating rogue wireless equipment is a multi-step process which includes: • Setting Corporate Policy Regarding Rogue Equipment • Network Administrator Training • Help Desk & End User Training • Intrusion Detection Systems & Audits
Outdoor Bridge security • Outdoor WLAN bridge links may often span miles; this can allow an intruder the opportunity to remain undiscovered • Bridges may act as both a bridge and an access point simultaneously; if possible, client connectivity at the bridge should be disabled • Clear text transmission should not be allowed to pass between bridges at any time • Wireless bridge installation can be compromised through rogue bridges
Outdoor Bridge security • Wireless bridge installation can be compromised through rogue bridges, which can be placed onto the network at a range of several miles • To overcome this, a good security solution must be chosen and implemented
RF Cell Sizing • Accurate cell sizing can aid in preventing war drivers from being able to locate your network • You can limit cell size by reducing the output power of the access points and antennas • After WLAN configuration, the administrator should attempt a footprint analysis to determine how easily the network can be targeted using omni and directional antennas
SNMP Community Strings • SNMP community strings should be changed or disabled, because default read and write passwords are clearly documented in user manuals • Disable SNMP access if it will not be used; if it is used, set the read and write community strings to complex, non-default values that are not related to the network’s SSID, WEP, or organizational information • Disable SNMP access from outside by using an ACL or firewall filtering
Discovery Protocols • When discovery protocols (such as CDP) are not in use they should be disabled
Remote configuration • If manufacturer feature sets allow for it, configure APs and bridges so that they cannot be configured over the wireless network segment, to prevent compromising authentication information, unless the wireless link is encrypted
Client Security • Wireless security policy should limit any sensitive data on the client machines that could damage the organization • Shared folders should be limited or even prohibited on wireless client machines • Using corporate PCs without protection on public access wireless networks is prohibited • There are many tools, such as personal firewalls and VPN technologies such as IPSec, that can be used to protect wireless clients • Make sure that clients don’t use an unsecured wireless AP to VPN to the corporate network
IP Services • The first step in securing IP services is to heighten general awareness of the possibility of rogue IP services such as DHCP servers • Use data-link security mechanisms such as an 802.1X/EAP solution to authenticate users prior to receiving an IP address • Earmarking IP ranges for the WLAN segment is another way to speed up locating a hacker and to ease network management
Switches vs. Hubs • Using switches to connect to the wired segment has the following benefits: • Support for security and network management tools such as VLANs • Support for 802.1q VLAN tagging • SSIDs are tied to VLANs as a means of logically separating groups of wireless users • Allows for segmented network design and secure management over a particular VLAN • Allows for full-duplex connectivity • Hubs broadcast every frame to all ports, so a hacker can see all the traffic
Staging and Testing • Staging and testing should occur prior to deployment; wireless infrastructure devices should be staged and configured in an isolated environment for a secure deployment • Administrators should use approved security configuration checklists to ensure that no security holes are created by failing to follow configuration procedures
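An approved configuration checklist of the kind described above can be run automatically during staging. The following is an added example, not part of the original slides; the configuration keys, the sample default lists and both sample devices are assumptions constructed for illustration.

```python
# Hypothetical config schema. Replace the sample default lists with the
# values documented in your own vendors' manuals.
DEFAULT_SSIDS = {"default", "linksys", "netgear", "tsunami"}
DEFAULT_USERS = {"admin", "root"}
DEFAULT_PASSWORDS = {"", "admin", "password"}
DEFAULT_COMMUNITIES = {"public", "private"}

def related(value, cfg):
    """True if value contains the SSID or an organizational term."""
    terms = [cfg["ssid"]] + cfg["org_terms"]
    return any(t and t.lower() in value.lower() for t in terms)

def audit(cfg):
    """Return baseline findings for one staged access point or bridge."""
    findings = []
    ssid = cfg["ssid"].lower()
    if ssid in DEFAULT_SSIDS:
        findings.append("SSID: vendor default")
    if any(t.lower() in ssid for t in cfg["org_terms"]):
        findings.append("SSID: identifies the organization")
    if cfg["broadcast_ssid"]:
        findings.append("SSID: broadcast in beacons")
    if cfg["admin_user"].lower() in DEFAULT_USERS:
        findings.append("Default settings: management username unchanged")
    if cfg["admin_password"].lower() in DEFAULT_PASSWORDS:
        findings.append("Default settings: management password unchanged")
    if cfg["snmp_enabled"]:
        for key in ("snmp_read", "snmp_write"):
            if cfg[key].lower() in DEFAULT_COMMUNITIES or related(cfg[key], cfg):
                findings.append(f"SNMP: weak community string in {key}")
    if cfg["cdp_enabled"] and not cfg["cdp_in_use"]:
        findings.append("Discovery protocols: CDP enabled but not in use")
    if cfg["manage_over_wireless"] and not cfg["wireless_encrypted"]:
        findings.append("Remote configuration: allowed over unencrypted wireless")
    return findings

# Constructed sample inputs: an out-of-the-box unit and a staged unit.
FACTORY_AP = dict(ssid="linksys", org_terms=["acme"], broadcast_ssid=True,
                  admin_user="admin", admin_password="admin", snmp_enabled=True,
                  snmp_read="public", snmp_write="acme-rw", cdp_enabled=True,
                  cdp_in_use=False, manage_over_wireless=True, wireless_encrypted=False)
STAGED_AP = dict(FACTORY_AP, ssid="kq7-blue-heron", broadcast_ssid=False,
                 admin_user="wlan-ops", admin_password="t9#Vr!2mLw@x",
                 snmp_enabled=False, cdp_enabled=False, manage_over_wireless=False)

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY_AP), ("staged", STAGED_AP)):
        print(name, audit(cfg) or "meets baseline")
```

A device leaves staging only when audit() returns an empty list; each finding names the baseline slide it comes from.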
Equipment Installation • To prevent theft of wireless network equipment, devices should be: • Mounted out of reach • Bolted down or secured in locked steel boxes • Kept out of plain sight
Summary • Guidelines and baselines of the functional policy were discussed • Policy covers password policies, training, usage, implementation and staging, procedures and audits • General guidelines cover the security checklist, available network resources, asset management, change management, and spot-checks and accountability
Summary • Baseline practices consist of several strategic areas, such as basic SSID changes, MAC filtering inadequacies, WEP versus EAP/802.1x solutions, detecting rogue equipment, and wireless bridge security, that must be considered when implementing wireless LANs
Resources • CWSP Certified Wireless Security Professional, from McGraw-Hill