For Wireless LANs in Federal Agencies, Security Is in the Air
Wireless LANs pose security problems for a number of reasons. The security of the wireless LAN depends on the security of every element of the network, including mobile devices, wireless access points and wireless switches. Wireless networks are easier to access than their wired counterparts, and they are often configured more for convenience than security. But as agencies increasingly go wireless and attackers focus on wireless LANs, agencies should consider a few tactics for improving security.
1. Establish and adopt standard configurations.
Wireless LANs are made up of many individual components, and the security of the wireless network as a whole is based on the security configuration of each component. All it takes is one weak link for an attacker to gain a foothold into an organization’s systems. It is important for each wireless LAN component, including mobile devices, to meet minimum security requirements — a security configuration baseline. This mitigates major vulnerabilities and lessens the potential impact of successful attacks.
Adopting standardized security configurations is an ongoing process, not a one-time event. Although it’s necessary to do initial configuration of the wireless LAN components, agencies should check them periodically to ensure that their configuration hasn’t been relaxed, either inadvertently or intentionally. This is why it’s so important to rely on centralized, automated security configuration mechanisms whenever possible. Technologies such as wireless LAN client management software and enterprise mobile device management software can be invaluable in automating configuration processes.
2. Monitor all wireless networks.
Agencies must monitor all of their wireless LANs for two reasons: to detect attacks and to find possible vulnerabilities. Ideally, monitoring for both attacks and vulnerabilities should be continuous so that any problems can be addressed quickly, minimizing damage from successful exploitation of vulnerabilities and other successful attacks.
There are two types of attacks: passive attacks, in which the attacker only eavesdrops on wireless LAN communications; and active attacks, in which the attacker creates, changes or interrupts communications. It’s not possible to monitor electronically for passive attacks, but all forms of active attacks can be monitored through tools such as wireless intrusion detection and prevention systems. Such systems can also detect rogue access points and wireless LANs, which an attacker could set up to trick users into connecting to a bogus network.
More Information @
For more information on securing wireless LANs, see the National Institute of Standards and Technology’s Special Publication 800-153, Guidelines for Securing Wireless Local Area Networks (WLANs).
The process for monitoring vulnerabilities on wireless LANs is the same process that’s used to monitor any component for vulnerabilities: Make sure the security configuration settings comply with the baseline, and identify, download and install any missing patches.
3. Perform regular network assessments.
Although continuous monitoring is a key step toward maintaining wireless LAN security, alone it’s not sufficient. In addition, agencies should perform a technical security assessment for the wireless LAN at least once a year. The purpose of this is to determine the overall security posture of the wireless LAN. A security assessment gives you the opportunity to identify changes in technologies, wireless security best practices and other things that could affect how the wireless LAN is deployed and configured. It’s also a good idea to perform a security assessment when other major changes happen, such as a move to a different building.
