Wireless network implementation

In this section, we will begin to tie all the components together that ensure a successfully secured wireless network implementation. The previous sections introduced terminology, provided history, and set the stage for the recommendations presented in this section. We will discuss the recommended configuration for an enterprise wireless implementation including wireless signal leakage, client configuration, encryption, authentication, using certificates, and other security considerations.

Wireless signal considerations

An important element of wireless network implementation is signal strength and limiting signal leakage. The signal must be strong enough to cover the areas where it is needed, but its range must also be limited so that the network is not usable far beyond the physical boundaries of the enterprise. There are several reasons to strike this balance: security, availability (interference with and from neighbouring networks), and courtesy to nearby businesses. This section covers the considerations for configuring the wireless signal.

Implementation of the wireless network should include a site survey and spectrum analysis, not only to confirm coverage but to confirm that the signal does not extend too far beyond the enterprise buildings. Some leakage is unavoidable, but it should be minimized for two reasons: security and interference. The farther the signal reaches, the farther away an attacker can sit while probing or attacking the network; an attacker who can work from a parked car or a neighbouring building rather than the lobby is far less likely to be noticed, which lowers the risk of attacking the network. Interference is the other side effect, and it matters most when neighbouring networks operate on the same channels in the same airspace. Limiting overlap and leakage therefore improves both security and performance. Note that reducing leakage raises the bar for an attacker but does not remove the threat: an attacker with a high-gain directional antenna can receive the signal at several times the distance a laptop can, so signal limiting complements encryption and authentication rather than replacing them.

Wireless network range is affected by the type of antenna used and by the environment in which the network is broadcast. The two most common antenna types are directional and omni-directional; both have their uses and can be combined to get the best coverage while limiting leakage. Consider a building with a glass front. Omni-directional antennas can be used deeper in the building, and directional antennas placed near the glass front and pointed inward, providing strong coverage inside while limiting the signal that passes out through the glass.

An assessment of how the wireless network will be used should be conducted to determine which antenna types to use and where to place them. Generally speaking, directional antennas cover greater distances in a narrow beam, while omni-directional antennas are suited to saturating a local area. Building-to-building links are another case for directional antennas: two buildings with direct line of sight can be bridged with a pair of directional antennas. This also limits leakage, because the useful signal is concentrated along the line between the two antennas, although a directional antenna still radiates weak side lobes, so the link is harder, not impossible, to reach off-axis. There are tools to calculate antenna range, but engaging a wireless specialist for the specific implementation is recommended. If you are familiar with antenna theory, a tool such as the following calculator provided by RadioLabs, Inc. can be used:

http://www.radiolabs.com/stations/wifi_calc.html
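A calculator of this kind implements a free-space link budget. As an added example (not from the book or from RadioLabs), the following Python computes the same figures so that leakage can be estimated before a survey: free-space path loss, the received signal level, and the distance at which the signal falls to a receiver's sensitivity. It also shows the security-relevant consequence of the formula: the distance at which an outsider can still see the network is set by the outsider's antenna gain, not only by the enterprise's transmit power. The transmit power, antenna gains, channel and the -70 dBm and -90 dBm thresholds are assumed illustrative values, not measurements.

```python
import math

# 20*log10(4*pi/c) expressed for distance in km and frequency in MHz.
FSPL_CONST_DB = 32.45


def fspl_db(distance_m, freq_mhz):
    """Free-space path loss in dB.

    Free space is the most optimistic propagation model, which makes it the
    conservative choice for leakage estimates: walls and glass only add loss.
    """
    if distance_m <= 0 or freq_mhz <= 0:
        raise ValueError("distance and frequency must be positive")
    return (20 * math.log10(distance_m / 1000.0)
            + 20 * math.log10(freq_mhz)
            + FSPL_CONST_DB)


def received_dbm(tx_dbm, tx_gain_dbi, rx_gain_dbi, distance_m, freq_mhz,
                 extra_loss_db=0.0):
    """Link budget: Prx = Ptx + Gtx + Grx - FSPL - other losses (cable, glass, walls)."""
    return (tx_dbm + tx_gain_dbi + rx_gain_dbi
            - fspl_db(distance_m, freq_mhz) - extra_loss_db)


def max_range_m(tx_dbm, tx_gain_dbi, rx_gain_dbi, freq_mhz, rx_sensitivity_dbm,
                extra_loss_db=0.0):
    """Distance in metres at which the received level falls to rx_sensitivity_dbm."""
    budget_db = (tx_dbm + tx_gain_dbi + rx_gain_dbi
                 - extra_loss_db - rx_sensitivity_dbm)
    distance_km = 10 ** ((budget_db - 20 * math.log10(freq_mhz) - FSPL_CONST_DB) / 20)
    return distance_km * 1000.0


# Assumed illustrative figures (not measurements): 2.4 GHz channel 6, an AP
# at 17 dBm into a 3 dBi omni, a laptop client with a 0 dBi antenna, -70 dBm
# as the level needed for a usable data rate, and -90 dBm as the level at
# which beacons can still be decoded.
CHANNEL_6_MHZ = 2437
AP_TX_DBM, AP_GAIN_DBI = 17, 3
CLIENT_GAIN_DBI = 0
USABLE_DBM, DETECT_DBM = -70, -90


def leakage_report(attacker_gain_dbi=14):
    """Compare the intended coverage radius with how far an outsider can still
    see the network. attacker_gain_dbi assumes a hand-held directional antenna
    (an assumed, illustrative value)."""
    usable = max_range_m(AP_TX_DBM, AP_GAIN_DBI, CLIENT_GAIN_DBI,
                         CHANNEL_6_MHZ, USABLE_DBM)
    detect_laptop = max_range_m(AP_TX_DBM, AP_GAIN_DBI, CLIENT_GAIN_DBI,
                                CHANNEL_6_MHZ, DETECT_DBM)
    detect_directional = max_range_m(AP_TX_DBM, AP_GAIN_DBI, attacker_gain_dbi,
                                     CHANNEL_6_MHZ, DETECT_DBM)
    # Turning the AP down by 6 dB halves every radius in the free-space model.
    reduced_usable = max_range_m(AP_TX_DBM - 6, AP_GAIN_DBI, CLIENT_GAIN_DBI,
                                 CHANNEL_6_MHZ, USABLE_DBM)
    return {
        "usable_m": usable,
        "detect_laptop_m": detect_laptop,
        "detect_directional_m": detect_directional,
        "usable_after_6db_cut_m": reduced_usable,
    }


if __name__ == "__main__":
    for name, metres in leakage_report().items():
        print(f"{name:>24}: {metres:8.0f} m")
```

The report makes the trade-off concrete: a 6 dB reduction in transmit power halves the usable radius, but a 14 dBi antenna in an attacker's hands multiplies the detection radius by about five, which is why signal limiting is a supporting control and the encryption and authentication sections that follow carry the real weight.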

End system configuration

Operating system vendors favour ease of use, and a wireless adapter can be configured to connect automatically to familiar SSIDs. This is convenient, but a client configured this way selects a network by SSID alone; unless it also validates the access point (in an 802.1X network, the RADIUS server's certificate), any access point broadcasting that SSID looks familiar. Configuring enterprise end systems to require a manual connection and authentication to an access point ensures hosts do not connect to rogue, possibly malicious, access points without any human intervention. It should be combined with certificate validation on the client so that a human cannot be tricked into connecting to a rogue access point either.

Another consideration when adding a wireless network to an existing wired network is dual-homed connectivity. A dual-homed host connects to the wired and wireless networks simultaneously, which exposes assets on the wired infrastructure to the extended reach of wireless: a compromise over the wireless interface can be routed or bridged onto the wired segment. Unfortunately, this configuration is permitted by default on most operating systems, and additional configuration is required to allow only one live connection type at a time. On Windows-based systems there are a few options, such as third-party software, registry edits, and group policy. Of these, group policy is recommended because the configuration can be centrally managed, ensuring consistency across systems and reducing operational overhead; on Windows 8 and later the relevant settings are under Computer Configuration, Administrative Templates, Network, Windows Connection Manager, namely "Minimize the number of simultaneous connections to the Internet or a Windows Domain" and "Prohibit connection to non-domain networks when connected to domain authenticated network".

Tip

Dual-homed network configurations mean that a compromise of the wireless connection can reach the attached wired network. This capability should be disabled. Allowing dual-homed connectivity is a significant security issue, especially if other controls such as mutual AP and client authentication and network segmentation (firewalls, not just access control lists) are not in place.

Wireless encryption and authentication recommendations

The three security implementations for wireless networks, WEP, WPA, and WPA2, were covered briefly to provide an overview. This book is not meant to be a comprehensive resource on the subject, but it provides recommendations for securely implementing wireless networks within the enterprise with strong encryption and authentication mechanisms. When these two components are implemented correctly, the threat of man-in-the-middle attacks is mitigated, and wireless clients and access points are mutually authenticated, ensuring that valid clients connect to the valid wireless network. Leveraging the best encryption methods also protects all data traversing the wireless network, including the initial setup of communications. WEP's weakness was in its cipher: RC4 keyed with a static key and a short, reused initialization vector, which lets an attacker recover the key from captured traffic alone; hence the stern position on avoiding its use.

Encryption

Remember, encryption protects not only data traversing the wireless network but also, where supported, wireless management communications. To date, the best option for encryption on a wireless network is WPA2 with the Advanced Encryption Standard (AES) in Counter Mode with CBC-MAC Protocol (CCMP), that is, WPA2-AES/CCMP. All other currently available encryption methods have proven weaknesses that put any enterprise using them at risk of compromise over wireless. Two caveats apply. First, do not run a mixed mode that offers TKIP as a fallback; any client that negotiates TKIP is protected only as well as TKIP. Second, CCMP by itself encrypts data frames only; management frames such as deauthentication are protected only when 802.11w Protected Management Frames is enabled and required, so enable it where the clients support it.

Authentication

The purpose of authentication is for a person or device to prove who or what they are, using a method such as credentials, certificates, or a unique system-specific configuration. This section provides recommendations based on currently available methods that give the most secure wireless authentication implementation to date.

The following are a few authentication mechanisms:

  • 802.1X
  • Client-side certificates
  • EAP-TLS
  • Unique system check

WPA2 and 802.1X have been covered, but the additional authentication mechanisms listed require more planning and process to implement effectively. They are often skipped because of the additional configuration required, but they are ultimately the only way to protect a wireless network from the common, easy-to-exploit attacks.

Implementing these technologies together provides the most secure environment. They depend on one another, so planning how to implement them is critical to success. If all the methods are implemented, a Public Key Infrastructure (PKI) is required; if none exists in the enterprise, it must be designed and implemented securely before wireless is configured in this manner. Additionally, an authentication system such as RADIUS, typically backed by LDAP or Active Directory, must be in place to authenticate users to the wireless network. The authentication of a user can, among other things, determine which VLAN they are assigned to and which resources are accessible via wireless.

Client-side certificates

The purpose of client-side certificates is to enforce mutual authentication of the client and the wireless network. The client validates the certificate presented on behalf of the network (in practice the RADIUS server's certificate, relayed by the access point) against a trusted CA and the expected server name, and the network validates the client's certificate; because each certificate is bound to a private key that only its holder possesses, impersonating either side is not feasible. The most common attack on clients is a fake AP attack, where a bogus AP is configured to look legitimate and the client attempts to authenticate to it instead of the legitimate AP. The attacker running the fake AP can then steal credentials as users try to authenticate to the wireless network. In environments using 802.1X with a password-based EAP method, this compromises the user's network credentials, which can then be used to authenticate to other hosts on the network. A typical user's credentials may not have much value, but system and database administrators are high-value targets. The genius of this attack is that it typically goes unnoticed: the attacker uses valid credentials on other systems, so no red flags are raised as the compromise moves further into the network.

When certificates are used for authentication, access to the wireless network is not feasible without a valid certificate; even if credentials are compromised, the wireless network no longer offers a path into the wired infrastructure, and the attacker must find another way in. Loss of credentials is serious nonetheless; enforcing mutual authentication mitigates this threat. In this scenario the certificates provide a pre-authentication service: they must be validated before any authentication or access to the network occurs.

EAP-TLS

Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) runs a TLS handshake between the client and the authentication server (RADIUS) inside EAP, with the access point only relaying the exchange. Both sides present certificates, so the authentication mechanism itself is protected against man-in-the-middle attacks, and no password crosses the wireless network to be harvested. Even if credentials are compromised through another method, authentication is impossible without the client-side certificate and its private key. The protection depends on the client actually validating the server certificate: a client profile that trusts any CA, or does not check the server name, will accept a rogue RADIUS server behind a fake AP.
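As an added example (not from the book), the following Python audits a wpa_supplicant configuration, the Linux counterpart of the Windows profile and group policy discussed earlier, against the recommendations of the last three subsections: WPA2 with CCMP only, 802.1X with EAP-TLS, a client certificate and private key, and validation of the RADIUS server's certificate against a trusted CA and an expected name. The two network blocks, the SSIDs, file paths and server name are constructed for the example; the option names and the defaults applied when an option is omitted are those of wpa_supplicant. In the hardened block, ca_cert plus domain_suffix_match is the client's half of mutual authentication and client_cert plus private_key is what the server checks.

```python
import re

# wpa_supplicant applies these defaults when an option is omitted, so an
# omitted option is as permissive as listing the weak value explicitly.
DEFAULTS = {
    "proto": "WPA RSN",
    "pairwise": "CCMP TKIP",
    "group": "CCMP TKIP WEP104 WEP40",
    "key_mgmt": "WPA-PSK WPA-EAP",
}
SERVER_NAME_OPTIONS = ("domain_suffix_match", "domain_match",
                       "subject_match", "altsubject_match")

# Constructed sample: a legacy PEAP/MSCHAPv2 profile beside the recommended
# EAP-TLS profile. Paths, SSIDs and names are illustrative.
SAMPLE_CONF = """
network={
    ssid="corp-legacy"
    proto=WPA RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP TKIP
    group=TKIP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="corp-secure"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP
    ieee80211w=2
    eap=TLS
    identity="jdoe@corp.example"
    ca_cert="/etc/ssl/certs/corp-wifi-ca.pem"
    domain_suffix_match="radius.corp.example"
    client_cert="/etc/wpa_supplicant/jdoe.crt"
    private_key="/etc/wpa_supplicant/jdoe.key"
}
"""


def parse_networks(conf_text):
    """Return {ssid: {option: value}} for each network={ ... } block."""
    networks = {}
    for body in re.findall(r"network=\{(.*?)\}", conf_text, re.DOTALL):
        opts = {}
        for raw in body.splitlines():
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            opts[key.strip()] = value.strip().strip('"')
        if "ssid" in opts:
            networks[opts["ssid"]] = opts
    return networks


def audit_network(opts):
    """List deviations from WPA2-CCMP with 802.1X/EAP-TLS mutual authentication."""
    def get(key):
        return opts.get(key, DEFAULTS.get(key, ""))

    findings = []
    if set(get("proto").split()) != {"RSN"}:
        findings.append("proto: allow only RSN (WPA2); WPA/TKIP negotiation must be off")
    for opt in ("pairwise", "group"):
        ciphers = set(get(opt).split())
        if ciphers != {"CCMP"}:
            findings.append(f"{opt}: allow only CCMP, found {' '.join(sorted(ciphers))}")
    if not set(get("key_mgmt").split()) <= {"WPA-EAP", "WPA-EAP-SHA256"}:
        findings.append("key_mgmt: 802.1X (WPA-EAP) only; no pre-shared key fallback")
    if get("eap") != "TLS":
        findings.append("eap: password-based EAP lets a rogue AP harvest credentials; use TLS")
    for opt in ("ca_cert", "client_cert", "private_key"):
        if opt not in opts:
            findings.append(f"{opt}: missing; required for mutual certificate authentication")
    if not any(opt in opts for opt in SERVER_NAME_OPTIONS):
        findings.append("no server identity check: set domain_suffix_match so that any "
                        "certificate from the trusted CA is not accepted as the RADIUS server")
    if get("ieee80211w") != "2":
        findings.append("ieee80211w: set 2 (required PMF) to protect management frames")
    if "password" in opts:
        findings.append("password: static credential stored in the profile")
    return findings


def audit_conf(conf_text):
    """Map each SSID in the configuration to its list of findings."""
    return {ssid: audit_network(opts) for ssid, opts in parse_networks(conf_text).items()}


if __name__ == "__main__":
    for ssid, findings in audit_conf(SAMPLE_CONF).items():
        print(f"{ssid}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

Run against the sample, the legacy profile is flagged on every point the chapter makes (mixed TKIP, a password-based EAP method, no CA or server-name check, no client certificate, no management-frame protection) while the EAP-TLS profile passes cleanly. An empty network block also fails, because wpa_supplicant's defaults are permissive; an audit that treated a missing option as secure would miss exactly the misconfiguration a fake AP exploits.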

Unique system check

A method that is becoming more common for validating enterprise wireless clients is a unique system check, or posture check, that looks for a specific registry entry, service, or agent on the authenticating host to confirm that it is what it claims to be: an enterprise asset. This technique is common for VPN access and is now used as a post-authentication check of the validity and integrity of the system; if the check fails, the system is not granted access to the wireless network. Such checks can be spoofed, but in addition to the other methods they create a significant challenge for attackers, and that challenge should deter the most common attacks.
