Wireless security considerations

Tuesday, 07 June, 2011


With the continuing proliferation of WLANs, network administrators have some tough choices to make when it comes to securing these wireless networks. Hemant Chaskar*, Director of Technology at AirTight Networks, takes a closer look at these decisions.

Wi-Fi adoption in the enterprise is accelerating rapidly. More and more businesses are rolling out wireless local area networks (WLANs) to cut costs and increase productivity. Today, all laptops, PDAs and smartphones have Wi-Fi built in. Wi-Fi hotspots, spanning coffee shops, hotels and airports, are popping up to meet the growing demand of Wi-Fi internet access.

Wi-Fi proliferation is creating a security nightmare for network administrators. The data and the network are now in the air - invisible radio waves cannot be confined to a building or behind a firewall, blurring the enterprise network perimeter.

Protection from rogue access points (APs), WiPhishing, corporate client connections to neighbourhood APs, misconfigurations of authorised Wi-Fi, wireless DoS attacks, spoofing and zero-day attacks are some of the commonly cited reasons to install a wireless intrusion prevention system (WIPS). WIPS solutions include those offered by WLAN infrastructure vendors and those offered by dedicated security vendors.

Organisations often face challenges in evaluating these solutions and determining which best suits them. The following high-level considerations help when evaluating a WIPS solution.

1) What types of rogue APs on the network is the WIPS designed to detect?

Rogue APs, which provide access to the enterprise network for outsiders, are the mother of all Wi-Fi threats and protecting against them should be top of the list of Wi-Fi security concerns for every organisation.

Rogue APs are connected to the enterprise network by unwitting employees or by malicious insiders. From the wireless side, a wireless connection between the rogue AP and the outsider looks like a connection between two MAC addresses which do not belong to the enterprise Wi-Fi.

What differentiates a rogue AP from a legitimate neighbouring AP is its wired connectivity to the enterprise network, so detecting that wired connectivity is a critical component of rogue AP detection.

How APs are configured varies tremendously. Variations may include:

  • bridge vs router
  • use of wireless encryption
  • default state vs implementation of configuration changes
  • network interface properties
  • hardware vs software APs
  • APs connected to different virtual LANs

Different combinations of these configurations present a range of challenges for a WIPS in detecting whether an AP is connected to the monitored network. Some scenarios can be detected by wired-only scanning while others require wireless scanning; some can be detected by passive traffic correlation while others require various means of active probing.

It is essential to first define the types of rogue APs on the network that are considered potential candidates and then ensure that the WIPS properly detects them all.

2) Does the WIPS integrate into managed switching infrastructure or does it operate independently of it?

In addition to defining the type of rogue APs, it is equally important to assess how the WIPS performs detection of rogues on the wired network.

The two major rogue AP detection techniques are to use:

  • information stored in network switches to perform traffic correlation between wired and wireless domains
  • information gathered by the WIPS itself from traffic in the wired network to perform this traffic correlation.

The first technique requires ongoing maintenance of switch properties in the WIPS, while the second method does not require maintenance of switch properties in the WIPS.

Depending on factors such as how security and network operation teams operate, network size, availability of managed switches to the edge and vendor mix in the switching infrastructure, a judicious choice of rogue detection architecture must be made.

3) If automatic wireless threat remediation (over-the-air blocking) is required, what are the implications of false alarms in the WIPS?

Different organisations have different requirements relating to the window of time in which a potential wireless threat should persist. For those requiring instant action, automatic remediation is important. Further, most wireless threats can only be blocked using over-the-air techniques.

In over-the-air blocking, the false alarms consideration (both false positives and false negatives) becomes important. A false positive means incorrect tagging of a benign neighbourhood activity as a threat, leading the WIPS to disrupt benign neighbourhood communications. Accidental neighbour disruption is totally unacceptable in over-the-air prevention.

A false negative, where a credible threat is incorrectly tagged as a benign or lower severity threat, may result in automatic prevention not triggering when it should, leaving enterprise assets exposed. An example of the false negative is a rogue AP not tagged as on-network by the WIPS.

False alarms can be minimised by running the system in a production environment for at least a week. Many false alarm triggers are statistical in nature and manifest when the system is ‘worked up’ in a busy production environment, which cannot be replicated in the lab.

4) What types of wireless threat remediation techniques are used by the WIPS?

Even though all Wi-Fi devices follow the same IEEE 802.11 standard (and may be Wi-Fi certified), nuances in their implementation often pose challenges in over-the-air blocking of their communication.

It is important for the WIPS to have wireless threat remediation techniques that cover all different violation scenarios and devices required by the organisation’s security policy. The capacity of WIPS to block multiple simultaneous threats on multiple channels should also be evaluated, since violations such as misassociations often happen in bulk on multiple channels.

5) How many alarms does the WIPS generate?

Intrusion notification can take one of two approaches: deliver fine-grained alerts to the user for every event that appears suspicious, or process the fine-grained details of suspicious events internally, draw concrete inferences and raise an alert to the user only when the result of the analysis points to a security threat or vulnerability.

The first approach may be machine-error proof, but it requires continuous manual intervention and analysis, because perturbations in the wireless environment occur constantly. The second approach must avoid filtering out genuine alarms. When it comes to ‘alarm volume’, focusing on security and operational objectives, rather than a mechanical ‘more alarms equals more security’ approach, is recommended.
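The wired/wireless traffic correlation described under consideration 2, and the ‘infer, then alert’ notification style described above, can be illustrated in a single classifier. The code below is an added example, not AirTight's product logic: it takes what a sensor sees over the air (BSSIDs and their associated clients) and what the WIPS itself sees on the wire, tags each AP as authorised, rogue-on-network or external, and raises one alert per condition rather than one per frame. The bridged case correlates on leaked client MACs; the routed (NAT) case relies on the AP's wired MAC being numerically adjacent to its BSSID, which is a heuristic assumed here and is exactly the kind of case that otherwise produces the ‘rogue not tagged as on-network’ false negative from consideration 3. All MAC addresses are constructed sample data.

```python
from dataclasses import dataclass

def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)

@dataclass(frozen=True)
class WirelessAP:
    bssid: str
    clients: frozenset  # client MACs seen associated to this BSSID over the air

def classify_ap(ap, authorised_bssids, wired_macs, adjacency=8):
    """Return 'authorised', 'rogue-on-network' or 'external' (neighbour)."""
    if ap.bssid in authorised_bssids:
        return "authorised"
    # Bridged rogue: the BSSID or its clients' MACs appear unchanged on the wire.
    if ap.bssid in wired_macs or ap.clients & wired_macs:
        return "rogue-on-network"
    # Routed (NAT) rogue: clients are hidden behind the AP, so correlate on the
    # AP's own wired MAC, which is often numerically adjacent to its BSSID
    # (a heuristic assumed for this example, not a rule from the article).
    base = mac_to_int(ap.bssid)
    if any(abs(mac_to_int(m) - base) <= adjacency for m in wired_macs):
        return "rogue-on-network"
    return "external"

def raise_alerts(aps, authorised_bssids, authorised_clients, wired_macs):
    """Turn per-AP verdicts into one alert per security condition, not per frame."""
    alerts = []
    for ap in aps:
        verdict = classify_ap(ap, authorised_bssids, wired_macs)
        if verdict == "rogue-on-network":
            alerts.append(("rogue_ap", ap.bssid))
        elif verdict == "external":  # benign neighbour: alert only on misassociation
            for client in sorted(ap.clients & authorised_clients):
                alerts.append(("misassociation", client, ap.bssid))
    return alerts

# Constructed sample observations (not captured from a real network).
AUTHORISED_BSSIDS = frozenset({"00:11:22:aa:00:01"})
AUTHORISED_CLIENTS = frozenset({"d4:3d:7e:11:22:33", "d4:3d:7e:44:55:66"})
WIRED_MACS = frozenset({"00:11:22:aa:00:00", "f0:99:b6:01:02:03", "b8:27:eb:55:66:70"})
SEEN_APS = [
    WirelessAP("00:11:22:aa:00:01", frozenset({"d4:3d:7e:11:22:33"})),  # managed AP
    WirelessAP("b8:27:eb:10:20:30", frozenset({"f0:99:b6:01:02:03"})),  # bridged rogue
    WirelessAP("b8:27:eb:55:66:71", frozenset({"f0:99:b6:aa:bb:cc"})),  # routed rogue
    WirelessAP("c0:ff:ee:00:00:99", frozenset({"d4:3d:7e:44:55:66"})),  # neighbour AP
]
```

Removing the adjacent wired MAC from `WIRED_MACS` turns the routed rogue into an ‘external’ verdict, which is the false negative the article warns about when only client-MAC correlation is available.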

6) How much configuration does the WIPS expose to the end user?

One approach relies on receiving detailed configuration from the user regarding how the system should behave. The system then executes user-defined rules and performs user-defined actions. For example, the user defines rules to classify APs as threatening or friendly. An alternative approach provides built-in policy rules, with only fine-tuning options. For example, the system may have built-in rule sets regarding which APs should be called threat-posing (eg, unmanaged APs connected to the enterprise network) vs which should be called friendly (eg, benign neighbourhood APs).

At first glance, the first approach appears to give greater control over system behaviour. The flip side, however, is that it takes considerable skill to define those rules and requires processes and resources for maintaining them in dynamic wireless environments. The second approach requires evaluation that the system’s built-in rules have sound security underpinnings and sufficiently meet security requirements.

7) How does the WIPS facilitate ease of day-to-day operation?

From a day-to-day security management perspective, it may be useful for the WIPS to provide a location-context-sensitive security console that can be managed independently by different administrators at different locations, while providing a bird’s eye view for the super-administrator at the top.

For many organisations, it is essential that the WIPS automatically provides periodic reporting for regulatory/standards compliance. To assist with incident analysis, the WIPS should provide forensics capability that lets administrators search, sort and correlate security events that have occurred.

The various selection factors described above can serve as guideposts for WIPS evaluators. End users can then expand on these with their own application-specific requirements and network needs to design their own test scripts and criteria to evaluate a particular wireless security solution.

*Hemant Chaskar is Director of Technology at AirTight Networks. Hemant holds a PhD in Electrical and Computer Engineering and has more than 10 years of R&D experience in the field of security, wireless communications and networking. He has published several research papers, spoken at many technical conferences and has several granted and pending patents.
