Touchdown – Enterprise WLAN security has arrived

White paper
June 2009

By Rishi Chadeesingh
Senior Associate Director,
Wireless Solutions Team, Enterprise Group, Bell


Introduction: The promise of WLAN

Local area networks (LANs) came into existence decades ago, long before the advent of the Internet. At that time network security was something physical: if the doors to the building were locked and the right people were at the terminals, the network was secure. Even so, no LAN is ever truly secure. And with the launch of the World Wide Web in the mid-1990s, the network was potentially exposed to anyone with an Internet connection.

Enterprise wireless LAN (WLAN), making its first appearances in the late 1990s, promised installed cost savings and benefits associated with mobility, but also added another level of complexity – now anyone with a wireless-enabled device within reach of your signal could tap into the network. And so began the race to secure the WLAN.

Enterprises have been executing proof-of-concept deployments with WLANs since before the turn of the century. But with the rapid evolution of wireless security protocols, ensuring network security proved to be a challenge. Since 2004, however, the security threat embodied by a well-configured WLAN network has been minimal. In fact, while properly protected wired LAN networks are secure, the reality is that in many cases they remain underprotected. The majority of wireless networks, in contrast, are protected via encryption protocols that when properly configured are extremely difficult to crack.

While wireless has long been ubiquitous in the consumer market, it has only recently gained traction within enterprises. Here are the top two reasons that have been holding enterprises back from widespread adoption:

  • First, WLAN has only recently caught up with wired LAN in terms of speed, reliability and throughput. Wireless outstrips wired in ROI, but there remains a perception that wireless networks are less secure
  • Second, technological advancements only just recently created a proliferation of business advantages specific to the wireless network. These benefits include:
    • Lower installation costs
    • Greater flexibility in expansion and deployment
    • The increased convenience and productivity that come with mobility

Furthermore, application development within the health care, service and retail verticals has enabled customization and created valuable new services such as real-time location tracking of assets and people and voice over WLAN.

It is clear that the advantages of wireless networks are accruing rapidly. In addition to the obvious need to keep data secure, compliance with industry-specific regulation is becoming a major wireless security driver. Solid policy within the organization plays a major role in wireless security compliance and helps to ensure that WLAN security levels are maintained throughout the entire network. Policy works together with proper configuration and well-chosen security infrastructure components to create a secure network environment.

The future of enterprise wireless is bright. The significant and increasing benefits of both the technology and of new applications exclusive to wireless spell a significantly increased adoption of WLAN over the next five to ten years. The greatest stumbling block to wholesale adoption of WLAN, however, is the perception that wireless networks are less secure.

The purpose of this white paper is to:

  • Dispel myths surrounding WLAN security – thinking that has no bearing on the modern network
  • Provide information on the latest Wireless Local Area Network (WLAN) protocols, security standards and best practices

The evolution of wireless security: Wireless myths debunked

Now that WLAN has reached wired LAN levels of speed, reliability, obsolescence and cost while outstripping it in terms of ROI, security remains the last hurdle in the minds of many. The reality, however, is that WLAN security protocols and systems have matured to the point that the real security threat posed by a properly configured WLAN is no greater than that of a wired network, and perhaps even less.

Not only has wireless network security reached a point of maturity; compared with security enforcement on wired networks, enforcement on wireless networks is even stronger. The proof of this is that many wired LANs still allow the majority of communications to go unencrypted, even though wired LANs are just as prone to eavesdropping as wireless networks.

Because the outward-facing security of wired networks was addressed long ago by means of intrusion-prevention systems, firewalls and a buffer zone separating the Internet from the LAN, wired networks have long been considered low security risks. It should come as no surprise then that the protocols, hardware and software that evolved around wireless security are now more sophisticated than those for wired. At the time of writing, there is no known way of compromising Wi-Fi Protected Access 2 (WPA2) – the latest wireless security protocol, introduced in 2004 – assuming that it is properly configured.

When smaller businesses were adopting wireless in 2004 and earlier, one of the most basic security features included in wireless access points was a list of workstations allowed to access the wireless network. This feature allows administrators to enter the media access control (MAC) address of all authorized wireless network interface cards (NICs) that a company owns. That way, if someone attempts to connect to the network, the access point checks to see if the NIC's MAC address is allowed. Naturally, a technique evolved as a means of bypassing this control: MAC spoofing. But for this and each successive security bypass technique invented, a new countermeasure has been created.

Wireless security has become so robust that double encryption is common. Because airwaves are assumed to be insecure, encrypted virtual private networks (VPNs) are normally created for wireless users. In this way they are isolated from the rest of the network until they have been authenticated. However, wireless clients are usually already authenticated and transmissions are already encrypted with Wi-Fi Protected Access (WPA) or WPA2. In this way, wireless traffic is often doubly encrypted by means of two entirely different protocols.

Encryption protocols of wired and wireless networks

  Wireless LAN                                     Wired LAN
  1997  Wired Equivalent Privacy (WEP)             1997  3DES, AES-128
  2003  Wi-Fi Protected Access (WPA), PASSKEY      2001  SSL, AES-256/512
  2004  Wi-Fi Protected Access 2 (WPA2), CCKM
  2006  WPA2 supports TKIP and AES (802.11i)

The 802.1x authentication protocol is the current industry standard for defining identity/role-based authentication within wireless networks. This protocol was first used in wired networks and is now extensively used in wireless.

Wireless within the larger context of IT security

It is important to remember that the risks associated with both wired and wireless configurations form just one small part of IT security risk. The larger threats come from imperfect installation, patching, and the human element. As Gartner analyst John Pescatore famously noted in 2007, when it comes to attacks on information networks “65 percent of attacks exploit misconfigured systems...30 percent exploit known vulnerabilities where there's a patch out...only 5 percent exploit things we didn't know where there was a problem.”

The role of policy

An overall security policy can help to establish a regimen that mitigates the risk of a security breach. A separate WLAN security policy will ensure that the wireless network is not the weakest link in the chain. It is also critical to have mitigation strategies in place to answer all events, including WLAN and LAN breaches. The need for policy has not only become more urgent, it has also become increasingly challenging to formulate and enforce due to the enterprise's dissolving network perimeter. As telecommuting and personal data assistants (PDAs) become more widespread, it becomes more difficult to determine where the corporate network ends, let alone regulate it.

Privacy issues, technology changes, a fragmented marketplace and the personal nature of devices all complicate the creation of clear wireless policies. But the greater urgency stems not from security risks, but from the need to comply with an ever-increasing burden of regulation that demands increased transparency, which will expose policy shortcomings, including security and risk mitigation.

Clear policy also helps to address the human element, spelling out security protocol from a user point of view. It shows what is acceptable and unacceptable behaviour. We all know that taping one's username and password to the frame of a monitor or to a hospital cart is not a secure practice. Making employees aware of IT security policy do's and don'ts on a regular basis can help to mitigate this kind of behaviour and associated risk.

Critical security configuration

To be as secure as possible, the wireless network needs to fit in with the overall enterprise security vision. Whether you are implementing a new deployment or upgrading to a robust secure network (RSN) you need to ask yourself the following questions:

  • Does it live up to overall enterprise security standards?
  • Is sensitive data encrypted to an acceptable level?
  • Are rogue access point detection systems as effective as your security information and event management (SIEM) solution, or is that the weakest link?

For uninterrupted security coverage, wireless security levels must be maintained throughout the entire life cycle of the WLAN. Your security needs to take into account everything from policy and business requirements to client considerations and employee training.

Your network configuration also needs to be tightly tied to the level of security required. A good way to approach configuration is from the point of view of identity; depending on the user's job description, he or she can be granted a different level of access to the network. User-based policies protect more sensitive areas by limiting the number of users that can access them.

WLAN security breach scenarios

As strong as wireless security measures are, their potential is not realized if they are not properly configured. Following are two documented examples of wireless security breaches in which improper configuration played a major role.

Scenario 1 – TJ Maxx credit card fraud

In January 2007, TJX Companies, the parent company of retailers T.J. Maxx and Marshalls, announced that its computer systems had been breached and that customer information had been stolen. Millions of Visa and MasterCard accounts had been compromised, with losses in the billions of dollars. One of the areas of vulnerability exploited was inadequate wireless network security.

The store through which the breach occurred used wired equivalent privacy (WEP) for their security, a protocol whose keys can be broken in less than a minute. Additionally, WEP doesn't satisfy industry standards that require the use of a Wi-Fi Protected Access (WPA) protocol.

Scenario 2 – WPA TKIP exploit

In 2008, under controlled conditions, researchers were able to crack the temporal key integrity protocol (TKIP), an essential component of WPA. This exploit is relevant to any WLAN client connected to an access point (AP) that uses WPA for security and also supports multiple quality of service (QoS) streams over Wi-Fi multimedia (WMM). It should be noted, however, that WPA1/TKIP was found to be vulnerable only to a packet injection exploit. This exploit does not provide full key recovery, as do other exploits in the case of WEP.

The problem does not occur with WPA2 unless TKIP is chosen over the advanced encryption standard (AES). Nor does it work if an overlay wireless intrusion detection and prevention system (WIDS/WIPS) is in place. There are other means of mitigating the attack as well. Ultimately, given proper configuration of WPA, or by using WPA2 with default settings, a TKIP exploit is not possible.

Wireless successes

Major enterprises across Canada are making the move to wireless WANs and LANs. Here are just two examples where a wireless solution made sense.

A major Canadian retailer

In 2006, Bell began a phased upgrade of a leading national retailer's entire wireless network. In 2009, Bell was chosen to implement both a managed wireless solution and wireless intrusion protection system (WIPS).

Bell is now upgrading each store's wireless network security from Wi-Fi protected access (WPA) and temporal key integrity protocol (TKIP) to WPA2. The company is also adding a WIPS that will monitor the airwaves for potential hacking. WIPS also supports the retailer's ongoing compliance and reporting to payment card industry data security standards (PCI-DSS). In the event of an attack, the centrally managed system can mitigate the action automatically, alert Bell's operations centre and/or alert the retailer's security team.

Each of the 1200+ stores has either a wireless switch or access point. Uses of the WLAN include managing inventory, price checking and compiling product orders. WLAN is also being used to facilitate applying for the store loyalty card.

The retailer decided on Bell's managed security services for a number of reasons. They:

  • Provide robust management of security patches across a WAN rather than at each location
  • Leverage the multi-protocol label switching (MPLS) data transfer protocol for seamless, incremental changes and upgrades with end-user transparency
  • Limit the size of their in-house IT support group
  • Procure quarterly PCI wireless infrastructure audit reports centrally and at will

Santa Cabrini Hospital, Montréal

When the Santa Cabrini Hospital began construction on a new emergency room, the in-house IT team knew that existing infrastructure would not be able to handle the extra capacity. At the time, voice, data, medical equipment, and telephony applications were running on separate networks, putting a strain on both bandwidth performance and IT management. Further, there was no wireless access within the hospital.

Bell designed, installed and managed a unified messaging solution on a virtual local area network (VLAN), incorporating voice over IP (VoIP) and unified messaging. Twenty Nortel wireless IP telephones now complement 60 wired ones, making it easier for healthcare workers to communicate quickly with colleagues. More than a dozen wireless heart monitors have also been installed, making Santa Cabrini the first in North America to run a biomedical device on a unified network. Health professionals can now easily manoeuvre from bedside to workspace without reconnecting a machine every time. In short, the VLAN combined with unified messaging is helping Santa Cabrini improve quality of care.

Security integrity within a wireless network is composed of four main integral parts.

Elements of WLAN security

It is often said that a chain is only as strong as its weakest link; this aptly describes wireless security.

Following are best practices guidelines regarding WLAN security components:

  • Encryption: WPA2–AES, the highest level of encryption, is recommended. For legacy clients that cannot support WPA2, WPA – Pre-Shared Key (PSK) encryption is recommended. It is currently very difficult to crack if the encryption pass phrase is more than 26 characters
  • Authentication: 802.1x authentication is the industry standard. It is best implemented with Microsoft® Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) under 802.11i or better. EAP-TLS and PEAP-MSCHAPv2 are the most used protocols for current WLAN deployments. Both protocols provide mutual authentication of the client and of the authentication (RADIUS) server, and provide robust authentication mechanisms to ensure that only authorized wireless clients are able to access the WLAN
  • Signature files: Keep up to date with the latest firmware/software containing updated signatures and detection methods
  • Rogue access detection: Deploy dedicated wireless access points set in sensor mode for rogue detection and analysis
  • Internal reporting tools: Identify rogue APs and generate alerts
  • Risk assessment: Assess risk and create alerts
  • Wireless Intrusion Detection System (WIDS): Implement a network WIDS to monitor the radio spectrum for the presence of unauthorized access points
  • Wireless Intrusion Prevention System (WIPS): Use WIPS to help mitigate intrusions and alert a systems administrator whenever a rogue access point is detected
  • System updates: Microsoft Windows' latest patches, including security patches, are required to support the highest encryption with the latest wireless network interface card (NIC) drivers
  • Management tools: Vendors offer management systems that give visibility across multiple wireless controllers, regardless of geographic location. These systems provide an overview of wireless access point status, statistics of usage from wireless clients and added value functions such as wireless coverage and threat information
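As an added illustration (not part of the original white paper), the following Python script checks an access point's settings against the encryption and authentication guidance listed above: it flags WEP, WPA (v1), the TKIP cipher, pre-shared keys of 26 characters or fewer, and 802.1x profiles with no RADIUS server. It reads hostapd-style key=value text; the three sample configurations and the severity labels are constructed for this example, and the 26-character threshold is the one recommended above.

```python
# Constructed sample: a WEP-only store access point.
WEAK_WEP_AP = """
ssid=store-pos
wep_default_key=0
wep_key0=0123456789
"""

# Constructed sample: legacy WPA with TKIP and a short pre-shared key.
LEGACY_WPA_PSK_AP = """
ssid=legacy-scanners
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=warehouse2009
"""

# Constructed sample: WPA2-AES with 802.1x against a RADIUS server.
HARDENED_ENTERPRISE_AP = """
ssid=corp
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=10.0.0.5
"""

MIN_PSK_LEN = 26  # passphrase length threshold recommended in the list above


def parse_conf(text):
    """Parse hostapd-style 'key=value' lines into a dict, ignoring comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg):
    """Return a list of 'SEVERITY: message' findings for one access point."""
    findings = []
    uses_wep = "wep_default_key" in cfg or any(k.startswith("wep_key") for k in cfg)
    wpa = cfg.get("wpa", "0")  # hostapd: 0=none, 1=WPA, 2=WPA2, 3=both
    if uses_wep:
        findings.append("CRITICAL: WEP enabled; keys recoverable in under a minute "
                        "and WEP does not satisfy PCI requirements")
    elif wpa == "0":
        findings.append("CRITICAL: no WPA/WPA2 configured (open network)")
    if wpa in ("1", "3"):
        findings.append("HIGH: WPA (v1) accepted; migrate clients to WPA2")
    # wpa_pairwise applies to WPA, rsn_pairwise to WPA2; reject TKIP in either.
    ciphers = set((cfg.get("wpa_pairwise", "") + " " + cfg.get("rsn_pairwise", "")).split())
    if "TKIP" in ciphers:
        findings.append("HIGH: TKIP cipher allowed; use AES (CCMP) only")
    key_mgmt = set(cfg.get("wpa_key_mgmt", "").split())
    if "WPA-PSK" in key_mgmt:
        psk_len = len(cfg.get("wpa_passphrase", ""))
        if psk_len <= MIN_PSK_LEN:
            findings.append(f"MEDIUM: PSK passphrase is {psk_len} chars; "
                            f"use more than {MIN_PSK_LEN}")
        if wpa == "2":
            findings.append("INFO: WPA2-PSK in use; prefer 802.1x (EAP-TLS or PEAP) "
                            "for identity-based access")
    if "WPA-EAP" in key_mgmt and (cfg.get("ieee8021x") != "1"
                                  or "auth_server_addr" not in cfg):
        findings.append("HIGH: WPA-EAP selected but 802.1x/RADIUS server is not configured")
    return findings


def audit_all(named_configs):
    """Audit several (name, config text) pairs; returns {name: findings}."""
    return {name: audit(parse_conf(text)) for name, text in named_configs}


if __name__ == "__main__":
    samples = [("weak-wep", WEAK_WEP_AP), ("legacy-wpa", LEGACY_WPA_PSK_AP),
               ("hardened", HARDENED_ENTERPRISE_AP)]
    for name, findings in audit_all(samples).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  " + finding)
```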

Specific configuration recommendations

Configuration for security fits into two main categories:

  • User-based configuration
  • Device-based configuration

User-based configuration: What you need to consider

  • Authentication and the user experience: How does the wired network function? What are its authentication needs? Creating user profiles can make authentication seamless for most users
  • Login protocols: Logins should follow best practices, including password complexity requirements. Passwords should also be changed regularly. This is a simple extension of desktop policy to wireless and ties in with your overall security policy
  • Off-site client issues: When a wireless device returns to the enterprise network environment, it must be checked for updated security patches and virus protection. A network admission control (NAC) mechanism allows administrators to authenticate, authorize, evaluate, and remediate wireless and remote users and their machines prior to allowing them access to the network
  • The human element: Configuration in this context means policy that is well communicated and enforced. Otherwise, people will naturally supersede policy and compromise security

Device-based configuration: What you need to consider

  • LAN security: Think of the WLAN as an extension of the LAN. If the two systems are configured to the same level of security – as they should be – then making use of existing infrastructure for wireless should not be difficult
  • Operating systems and drivers: Windows XP, Vista or 2000 and wireless 802.11a/b/g/n-compliant clients are the standard. Wireless card drivers must support an encryption and authentication protocol specific to your wireless infrastructure
  • Compliance: Configure wireless infrastructure to meet security policies that your organization already has, as well as to comply with regulatory thresholds that you must achieve. These can include the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, Payment Card Industry (PCI) and other regulations
  • Centralized management: Centralized security management has some obvious advantages: global patching and firmware upgrades, as well as a greater ability to keep round-the-clock watch over all wireless infrastructure devices
  • Wireless client functionality: Client devices must be able to support security protocols as per specific design or corporate security roadmap
  • Security maintenance: Client devices require firmware upgrades and patches on a regular basis. Systems also need to be monitored for breaches in real time. Create a comprehensive security roadmap that shows the current situation and the intended end-state, and that maps out the path to that end-state
  • Site surveys: These are necessary in order to optimize AP placement. Use spectrum analysis or heat maps to make sure that coverage is adequate and that its footprint is not over-extended
  • Physical security of APs: Follow the mounting specifications provided by wireless vendors. Ensure that access points are strategically mounted out of reach by unauthorized personnel
  • Roaming considerations: Ensure that security measures do not adversely impact re-authentication during roaming, especially for delay-sensitive applications such as voice and video

Security, compliance and legacy infrastructure

To date, there has been a rapid evolution of WLAN technology, increasing transfer rates from 2 Mbps to over 600 Mbps with the advent of the 802.11n draft 2.0 standard. We are at an interesting point in the evolution of WLAN technology from a security perspective: with the advent of the WPA2 protocol in 2004 and Wi-Fi Alliance-certified extensible authentication protocol (EAP) types, unprecedented levels of both speed and security stability have been attained.

In addition, virtually all new hardware is designed to be backwards compatible. Replacing one piece of the architecture no longer requires the replacement of a whole selection of components. In this way, enterprises are not restricted to the choice between sticking with b- and g-standard access points or a wholesale migration to n-standard, but are able to gradually upgrade the network if that makes the most sense.

As long as the WPA2 encryption standard is implemented, there is little security risk from the perspective of obsolescence. While the modern wireless network has the potential to be quite secure, some wireless clients do not support higher encryption algorithms. For example, many customers still use WEP with legacy wireless devices. The shortcomings of this protocol are well known: WEP security can be breached in less than a minute.

In this and other cases, enterprise behaviour can dictate the level of security a wireless system will attain. However, most enterprises are bound by some sort of compliance restriction, such as PCI/HIPAA.

Choice of WLAN security infrastructure is generally driven by industry standard regulations, rather than obsolescence-related threats.

While obsolescence is not a challenge for organizations that have implemented the WPA2 standard, relying on pre-WPA2 equipment creates additional challenges. Old equipment can provide temporary financial savings, but only until the equipment fails. In order to avoid such a potentially costly situation, wireless network components should be covered under a maintenance contract. The ideal scenario, of course, is to proactively upgrade to current wireless infrastructure equipment, which will also facilitate future compliance.

Best practices for migration to WLAN

You can ensure a smooth transition to WLAN by keeping in mind some cardinal rules:

  • Ensure that client devices are able to support security protocols as per specific design or corporate security roadmap
  • Take processing effects into account: strong security protocols usually mean more processing. This could have a significant impact on client device performance, such as higher CPU utilization
  • Ensure that security measures do not adversely impact re-authentication during roaming, especially for delay-sensitive applications such as voice and video
  • In cases where it's not possible to implement very strong security on all WLANs, isolate the least secure WLAN from the rest of the network by means of VLANs or firewalls
  • Make sure that infrastructure and client devices comply with your overall security policy. Compliance enforcement is achieved by means of security devices such as network admission/access control (NAC), wireless intrusion prevention systems (WIPS) and firewalls

Benefits of managed security services

It is important to maintain full control of the wireless network on a constant basis to ensure immediate reaction to and mitigation of threats. In fact, PCI and SOX regulations require round-the-clock monitoring. The two main barriers to in-house wireless security services are cost and logistics. The following points serve to illustrate these barriers:

  • There are generally multiple roles needed, and it can be expensive to train and hire for specialized positions
  • A wireless vendor will provide you with 250 triggers. Can you manage them all and react to each properly and on time?
  • There is a need for security monitoring infrastructure, which your managed services provider already has in place

Managed wireless security services, both in terms of service assurance (break and fix) and network assurance (monitoring and management), can make a lot of sense from an ROI as well as a logistical perspective.


Conclusion

As wireless speed has risen to a level that allows it to support today's bandwidth-intensive services, it has also caught up with wired LAN in terms of security, reliability and throughput. When factors such as infrastructure cost savings, productivity gains, location tracking, lower telephony costs and the savings associated with WLAN-specific applications such as mobile-over-IP functionality are taken into account, the return on a wireless network investment is clear.

There are two main drivers for wireless security within the enterprise: the need to secure information and, increasingly, the need to comply with industry-specific regulation. Strong wireless security policy is a must for compliance as well as to ensure that WLAN security levels are maintained throughout the entire life cycle. Component and configuration choices must work hand in hand with policy to create a secure network environment. There are clear best practices that should be followed both in selection and configuration of components, and in migrating to a WLAN network.

Security risks associated with a properly configured WLAN network are now no greater than those of a wired network. In fact, most wireless networks are protected by encryption protocols that are even more difficult to breach.

In many enterprise environments, regulation requires round-the-clock monitoring of the network. Given the significant cost and logistical barriers to in-house wireless security services, managed wireless security services, both in terms of service assurance and network assurance, can make a lot of sense from ROI and logistical perspectives.

There are huge benefits to wireless technology, and there is little doubt that more will accrue as wireless-specific devices and applications continue to evolve and proliferate. The technology of wireless itself will also continue to evolve, even though we have reached a point of maturity from which gains will be incremental. WLAN has truly come of age. As the business benefits specific to wireless increase, an accelerated migration to WLAN over the next five to ten years can be expected.

How Bell can help

Bell is a leader in wireless network design and implementation. We have assisted some of Canada's largest organizations with wireless implementations across multiple verticals. We provide counsel and execution concerning security audits and roadmapping, installation expertise and ongoing security services management and consulting.

If you are considering a move to WLAN, Bell can provide a clear picture of the business benefits and anticipated ROI as well as capital requirements and total cost of ownership. To that end, we can make use of our proven methodology to develop an effective long-term WLAN strategy specific to your business.

For more information visit bell.ca/enterprise, or request to be contacted by a Bell representative at bell.ca/contact-enterprise.

About the author

Rishi Chadeesingh is Senior Associate Director of the Wireless Solutions Team, Enterprise Group, Bell Canada, and a significant contributor to Bell having the largest WLAN installed base in Canada. He has worked in telecommunications for the past 12 years and since 2004 has concentrated exclusively on wireless technology deployments.