White Paper. WLAN Security: Top 10 Checklist. December 10, 2003


Table of Contents

1. Can you prevent wireless deployment until your IT staff is ready to support it?
2. Is every element of your wireless system secure?
3. Are your access points an Achilles heel?
4. Does your WLAN system support security policies for heterogeneous users? How are the security approaches integrated?
5. Can you apply wired security policies to your wireless network?
6. Can you use existing Virtual Private Network (VPN) technology to secure your WLAN environment? Will users be able to roam when using VPNs?
7. Can your WLAN address security threats in real-time?
8. How does your WLAN handle attacks?
9. Can you accurately locate the source of security risks?
10. Will your WLAN support future innovation and changes in 802.11 security standards?
Conclusion

Wireless LANs (WLANs) represent one of the greatest innovations in enterprise networking since the invention of Ethernet. Over 10 million Access Points (APs) shipped in the four years since the 802.11b standard was ratified (source: Gartner Group), making this one of the fastest growing networking technologies of the last decade. While the benefits of wireless mobility (increased productivity, enhanced communications, and new applications, to name a few) are commonly appreciated by many enterprises, the security issues associated with implementing this new technology are often not completely understood by IT staff. Early inadequacies in the Wired Equivalent Privacy (WEP) protocol have exacerbated this problem, causing many enterprises to focus most of their attention on better Layer 2 authentication, authorization, and encryption capabilities while ignoring other key components of WLAN security, such as RF-layer protection and rogue AP containment.

As each enterprise's individual security architecture depends on its specific network infrastructure, client capabilities, and applications, there is no one-size-fits-all approach to wireless security. Every enterprise requires its own comprehensive framework that addresses all facets of wireless networking, from the RF physical layer to the protection of key business-critical applications. The best solution is a mix of well-established industry standards, such as 802.1x, WPA, and IPsec, combined with innate WLAN infrastructure capabilities, such as real-time monitoring for wireless protection. The trick is understanding what security risks to look for, and knowing how best to address them in your enterprise environment. Airespace compiled the following top 10 WLAN security checklist to assist in this endeavor:

1. Can you prevent wireless deployment until your IT staff is ready to support it?

One of the greatest security threats an enterprise faces is spawned by relatively innocent motives. For example, an employee can bring in a low-cost AP purchased at the nearest electronics store to enable roaming between his cubicle and a conference room. While this employee's intentions are innocent, the result of his actions can be quite severe. If the consumer-grade AP does not have appropriate security parameters in place, this rogue device exposes your entire corporate network to anyone and everyone with a wireless client. As a result, most enterprises should have a mechanism in place whereby IT staff have complete control over how and when wireless services are rolled out and managed.

Airespace gives network managers complete control of WLAN deployment with the Airespace Wireless Protection System. When operated in standalone prevention mode, it creates a complete defense shield around an enterprise's RF domain whereby service is denied to all wireless clients and APs, rogue or otherwise. This lockdown of the air space enables IT staff to deploy wireless LANs at their own pace, in complete coordination with established corporate security policies. The same Airespace equipment that is used to prevent wireless activity today can also be used to deliver WLAN services in the future. As a result, Airespace offers a cost-effective migration strategy for any enterprise interested in the eventual deployment of business-critical wireless networks.

Figure 1: Airespace's Defense Shield locks down the air space to prevent unauthorized wireless activity.

2. Is every element of your wireless system secure?

A WLAN is only as secure as its weakest link. When deploying a wireless network system, two objectives must therefore be met:

1. The system must be secure out of the box. From the moment equipment arrives onsite, it should be configured for maximum security. This prevents malicious activity from taking place during initial configuration, and protects your enterprise in the event that default parameters are left as is once the WLAN is up and running.

2. Every element of the system must be secured from potential attack. Much attention is given to securing the connection between clients and the WLAN system itself. But is the connection between your APs and WLAN switches/appliances also secure? What about the communication between different switches/appliances? Each of these distinct parts of the network can pose a potential security risk to a WLAN system, and must therefore be addressed accordingly.

Airespace meets these objectives in several ways. Airespace equipment ships from the manufacturer with built-in X.509 certificates. This ensures the authenticity of each device, preventing unauthorized equipment from participating in an Airespace network. The Airespace system is secured from the time it is first powered up: upon initial installation, SNMPv3, SSH, and HTTPS are all enabled, ensuring that there are no insecure ways to access the Airespace equipment. All Airespace hardware and software elements (APs, switches, appliances, and Airespace Control System Software) operate over a secured control channel, whether it runs over the wired or the wireless side of the network. All communication between APs, between APs and switches/appliances, between the controllers themselves, and to ACS is secured via the Lightweight Access Point Protocol (LWAPP). This ensures that all elements remain secure throughout the life cycle of an entire Airespace wireless network. The Airespace solution continues to monitor the network to prevent possible Trojan Horses.

3. Are your access points an Achilles heel?

Traditional fat APs typically operate as standalone network elements. As a result, they are responsible for all aspects of WLAN security, including user authentication and encryption key management. If a fat AP is stolen, user and network secrets can be compromised. Given that most fat APs are deployed either out in the open or just above a drop ceiling in the plenum (as opposed to in a locked wiring closet or data center), this is a very real risk for many enterprise environments.

Airespace Access Points contain no information that would compromise WLAN security if stolen. Instead, all user authentication and access information is stored in the wiring closet or data center, where Airespace WLAN switches and appliances are securely deployed and managed. In addition, an Airespace AP will not work without a certified Airespace WLAN switch/appliance or another valid LWAPP-enabled access controller.

4. Does your WLAN system support security policies for heterogeneous users? How are the security approaches integrated?

The embedded nature of 802.11 chipsets in laptops, PDAs and tablet computers is leading to an increasingly diverse client environment. As each type of client has unique security requirements and specific capabilities with respect to the technologies it can support, it is extremely difficult for IT staff to establish and enforce uniform security approaches across a large enterprise. Flexibility is key. As there is no one-size-fits-all answer to WLAN security, wireless infrastructures must provide IT staff with a variety of security options that cater to many different types of user requirements. This means all layers of the WLAN must be secured and, more importantly, the policies across these layers must be coordinated.

Figure 2: Airespace provides multiple layers of WLAN protection.

Airespace Control System Software, Airespace's award-winning platform for WLAN systems management, allows administrators to establish up to 17 different policies across an entire network for different kinds of users and devices. Security can be configured by policy groups or templates, or per user and device, giving tight control over how wireless users can use the network. More importantly, the security template tools in ACS eliminate the manual configuration associated with different security devices and software packages, dramatically reducing the chance of operator error.

5. Can you apply wired security policies to your wireless network?

Security is nothing new to enterprise networking. In most environments, well-established policies exist that govern how information is accessed, such as virtual LANs (VLANs), firewalls, and Authentication/Authorization/Access control. These existing wireline schemes must be integrated into a wireless environment to ensure uniformity across an entire enterprise and to ease the IT management burden.

The Airespace system uses traditional QoS and VLAN tagging schemes (802.1p and 802.1q) to map wireline VLANs into the wireless world. In addition, the Airespace Wireless Enterprise Platform supports the use of per-user Access Control Lists (ACLs) and per-user policies to maintain security from the wired network. For example, if it's time for final exams in the graduate school of engineering, the IT manager can turn off Yahoo, AOL and MSN instant messenger to avoid sharing of the answers among various wireless users.

6. Can you use existing Virtual Private Network (VPN) technology to secure your WLAN environment? Will users be able to roam when using VPNs?

Greater than ninety percent of all enterprises have a remote access solution in place. As a result, VPNs are a staple in most corporate environments, whether a Layer 2 tunneling approach (e.g., L2TP) is used, or a Layer 3 solution, such as IPsec, is deployed. Airespace is a leader in the support and use of VPN technology in WLAN environments. In the Airespace environment, VPNs can be terminated on the Airespace WLAN switch or appliance, or passed through to a VPN concentrator in the data center. Both Layer 2 and Layer 3 VPN approaches are supported by Airespace, with proven interoperability with leading VPN client solutions, such as Cisco, Netscreen and Funk. The Airespace system helps make VPNs mobile through a unique capability called Follow-Me VPN.

Figure 3: Follow-Me VPNs enable users to roam throughout an Airespace network without losing their secure connection. (Diagram elements: Router, Airespace 4000 Wireless Switch, Secure Context Transfer, Airespace 1200 Access Point.)

With this technology, users can roam within or across subnets with no drop in connection or need to re-authenticate. In addition, Follow-Me VPNs have very fast handoffs, usually less than 50 milliseconds, across subnets. This means that Airespace supports latency-sensitive applications, such as voice, without compromising security.

7. Can your WLAN address security threats in real-time?

There is no way to predict the exact date or time when your WLAN might come under attack. As a result, network administrators require a WLAN solution with real-time RF monitoring capabilities to provide constant visibility into the air space. In addition, it is easy to confuse benign activity, such as interference from a neighboring coffee shop, with real security threats. Consequently, IT staff require RF intelligence within the WLAN that analyzes RF activity and helps them make informed decisions.

Airespace is the only WLAN platform with real-time RF management. With AireWave Director Software, which is embedded on all Airespace equipment, enterprises are equipped with dynamic RF intelligence for real-time detection and analysis of all activity within the air space. Anything that might threaten WLAN performance or security is immediately noted, analyzed, and logged, enabling IT staff to address immediate problems as well as identify recurring trends. This type of real-time RF management goes well beyond the security capabilities offered by alternative WLAN solutions, in which site surveys and periodic RF scans are used to detect unusual activity. As those approaches only take a snapshot in time, they are not equipped to handle security for a dynamic real-world environment.

8. How does your WLAN handle attacks?

RF is an open medium. As a result, wireless networks are exposed to many more attacks than traditional wireline networks. Some attacks disrupt performance, such as Denial of Service (DoS) attacks that debilitate WLAN operations through excessive interference. Other attacks enable malicious users to gain unauthorized entry to a WLAN, such as dictionary, Fake AP, and Man-in-the-Middle (MiM) attacks. A WLAN system must be able to rapidly detect each kind of attack and take appropriate action.

Airespace's Wireless Protection System provides multiple layers of protection against numerous types of WLAN attacks. More specifically, Airespace combines real-time RF monitoring and analysis with location tracking and dynamic RF intelligence to enable the following capabilities:

- Dynamic control of the air space (channel, power, etc.) allows the system to move away from radio frequencies that are over-utilized. This protects applications from Denial of Service (DoS) attacks and from excessive interference.

- All Airespace equipment ships with built-in certificates to prevent unauthorized devices from accessing an Airespace network. In addition, the Airespace system constantly monitors the air space to detect unusual activity that might be attributed to devices attempting to spoof a valid equipment address (e.g., ASLEAP, deauthentication floods, void11, Fake AP, etc.).

- Airespace offers a blacklisting feature whereby users making repeated attempts to capture or spoof passwords or MAC addresses are barred from access to the Airespace network. Blacklisting takes place across an entire enterprise domain and lasts for an adjustable period of time.

- The Airespace system detects clients in ad-hoc mode and prevents users from associating with these devices.

- The Airespace Wireless Protection System can be used to detect and contain rogue APs. By combining location tracking with rogue containment features, the system detects unauthorized APs, helps IT staff determine whether they are a security threat, and then provides tools for containing these devices. Alarms can be generated with precise location information, enabling IT staff to address the rogue device with minimal effort.
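As an added example (not Airespace code, and not a description of how the Airespace system is implemented), the following Python sketch shows the kind of per-source rate logic behind two of the capabilities above: flagging a deauthentication flood from a single source within a sliding time window, and barring a client that repeatedly fails authentication for an adjustable period. The thresholds, window length, blacklist duration and the event records are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed tuning values; the paper only states that the blacklist period is adjustable.
DEAUTH_WINDOW_S = 2.0      # sliding window for counting deauth frames per source
DEAUTH_THRESHOLD = 20      # frames from one source inside the window => flood alarm
AUTH_FAIL_THRESHOLD = 5    # failed authentications before a client is blacklisted
BLACKLIST_S = 300.0        # how long a blacklisted client stays barred


class AirspaceMonitor:
    """Tracks per-source deauth rates and repeated authentication failures."""

    def __init__(self):
        self.deauth_times = defaultdict(deque)  # mac -> recent deauth timestamps
        self.auth_failures = defaultdict(int)   # mac -> consecutive failures
        self.blacklist = {}                     # mac -> expiry timestamp
        self.alarms = []                        # (timestamp, kind, mac)

    def _expire(self, now):
        # Blacklist entries are time-limited; drop the ones that have lapsed.
        for mac in [m for m, exp in self.blacklist.items() if exp <= now]:
            del self.blacklist[mac]

    def is_blacklisted(self, mac, now):
        self._expire(now)
        return mac in self.blacklist

    def process(self, ts, event, mac):
        """Feed one event ("deauth", "auth_fail" or "auth_ok") seen from source mac."""
        self._expire(ts)
        if event == "deauth":
            q = self.deauth_times[mac]
            q.append(ts)
            # Keep only frames inside the sliding window.
            while q and ts - q[0] > DEAUTH_WINDOW_S:
                q.popleft()
            # Alarm once when the rate crosses the threshold, not on every further frame.
            if len(q) == DEAUTH_THRESHOLD:
                self.alarms.append((ts, "deauth_flood", mac))
        elif event == "auth_fail":
            self.auth_failures[mac] += 1
            if self.auth_failures[mac] >= AUTH_FAIL_THRESHOLD:
                self.blacklist[mac] = ts + BLACKLIST_S
                self.auth_failures[mac] = 0
                self.alarms.append((ts, "blacklisted", mac))
        elif event == "auth_ok":
            self.auth_failures[mac] = 0


def sample_events():
    """Constructed event stream: a legitimate client, one source sending a burst of
    deauth frames, and one client repeatedly failing authentication."""
    events = [(0.5, "auth_ok", "cc:cc:cc:00:00:01"),
              (1.0, "deauth", "cc:cc:cc:00:00:01")]          # a single deauth is normal
    events += [(10.0 + i * 0.02, "deauth", "aa:aa:aa:00:00:02") for i in range(25)]
    events += [(20.0 + i * 6.0, "auth_fail", "bb:bb:bb:00:00:03") for i in range(5)]
    return sorted(events)


def run(events):
    """Replay a time-ordered event stream and return the monitor with its alarms."""
    mon = AirspaceMonitor()
    for ts, ev, mac in events:
        mon.process(ts, ev, mac)
    return mon


if __name__ == "__main__":
    for alarm in run(sample_events()).alarms:
        print(alarm)
```

In a real controller the same counters would be keyed by BSSID and radio as well as client address, since a flood aimed at one AP is the usual pattern.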

9. Can you accurately locate the source of security risks?

Monitoring and analysis is only half the answer when it comes to WLAN security. IT staff must also take control of their air space to contain potentially harmful activity before it has a serious impact on WLAN operations. Granular location tracking is key to this, providing IT staff with detailed insight into the physical source of unauthorized or harmful activity, such as a rogue AP, a computer running in ad-hoc mode, or a laptop with improperly configured security parameters. Once the physical location of an offending device is known, swift corrective action can be taken.

Airespace offers the only WLAN system with integrated location tracking for granular visibility and control of the RF domain. While separate overlay networks can be deployed to provide this functionality, they require additional appliances, APs, and software, which significantly add to overall equipment costs. In addition, there is no guarantee that such a solution will provide 100% coverage of a wireless network, as is the case with the Airespace Wireless Enterprise Platform.

Figure 4: Airespace uses advanced location tracking techniques to locate security risks.

10. Will your WLAN support future innovation and changes in 802.11 security standards?

Significant attention has been given to existing Layer 2 encryption and authentication approaches, such as 802.1x and WPA. As new standards emerge, enterprises must determine the effect they will have on existing security schemes. For example, what changes are required to migrate from WPA to 802.11i, which uses the Advanced Encryption Standard (AES) and provides dynamic negotiation of authentication and encryption algorithms? Similarly, will existing WLAN security systems support 802.11e, which defines Quality of Service (QoS) mechanisms for wireless domains?

Many existing WLAN platforms are not ready to support some of the emerging 802.11 standards. For example, WLAN solutions that handle all encryption in the WLAN switch (as opposed to handling some encryption in the AP) are ill-equipped for 802.11e: if the AP cannot read data packets, it cannot enforce QoS policies. The Airespace system is equipped to handle encryption in both the WLAN switch and the APs. The APs themselves have hardware acceleration to support emerging 802.11 standards without impacting overall WLAN performance. This means that the Airespace solution requires nothing more than a software upgrade to support the 802.11i and 802.11e standards when they are completed. No costly forklift upgrades are required.

Conclusion

Enterprises across the world are taking advantage of productivity gains and other benefits associated with WLAN technology. However, for wireless networks to support business-critical applications, they must contain adequate security measures that prevent mobility from being synonymous with vulnerability. Airespace understands WLAN security. The Airespace Wireless Enterprise System was built from the ground up for secure wireless operations. By addressing the ten basic principles outlined in this document, Airespace has built secure and reliable wireless networks for enterprises of all kinds, from trading floors and hospitals to military facilities and boardrooms.

Worldwide Headquarters: 110 Nortech Parkway, San Jose, CA 95134. Tel: 408.635.2000, Fax: 408.635.2020
EMEA Headquarters: 3000 Cathedral Hill, Guildford, Surrey GU2 7YB, United Kingdom. Tel: +44 (0) 01483.243632, Fax: +44 (0) 01483.243501
www.airespace.com
2003 Airespace, Inc. All rights reserved. AireWave Director, Airespace and the Airespace logo are trademarks of Airespace, Inc. All other trademarks belong to their respective owners. LIT 12-03-1-W-WPWS